Cluster secrets #100

Merged
max merged 17 commits from pr-cluster-secrets into master 2024-07-08 22:23:11 +03:00
3 changed files with 6 additions and 8 deletions
Showing only changes of commit 579eed6b51 - Show all commits


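--- a/PATH_NOT_SHOWN_FILE_1
+++ b/PATH_NOT_SHOWN_FILE_1
@@ -12,11 +12,6 @@ let
 in
 {
 vars = {
-ircPeerKey = {
-file = ./irc-peer-key.age;
-owner = "ngircd";
-group = "ngircd";
-};
 ircOpers = [ "max" "num" "ark" ];
 };
 hostLinks = lib.genAttrs config.services.irc.nodes.host (name: {
@@ -50,6 +45,11 @@ in
 ./irc-host.nix
 ];
 };
+secrets.peerKey = {
+nodes = config.services.irc.nodes.host;
+owner = "ngircd";
+services = [ "ngircd" ];
+};
 };
 monitoring.blackbox.targets = {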
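Review bot: The new `secrets.peerKey` declaration in the second hunk carries over `owner = "ngircd"` from the removed agenix `ircPeerKey` entry but drops its `group = "ngircd"`, so the decrypted file's group ownership now falls to whatever the cluster secrets module defaults to. The option set of that module is not visible on this page; if it accepts a group attribute, add `group = "ngircd";` next to `owner` so the file mode matches the previous definition, and if it does not, a one-line comment stating that ownership is owner-only by design would save the next reader from checking. The key is also now distributed to every node in `config.services.irc.nodes.host`, which is presumably intended since the hosts peer with each other. The enclosing `in { ... }` attribute set starts before the first hunk and continues after the second.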


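--- a/PATH_NOT_SHOWN_FILE_2
+++ b/PATH_NOT_SHOWN_FILE_2
@@ -93,17 +93,15 @@ in {
 auth required ${pkgs.kanidm}/lib/pam_kanidm.so
 '';
 };
-age.secrets = { inherit (vars) ircPeerKey; };
 systemd.services.ngircd = {
 after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
 wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
-restartTriggers = [ "${config.age.secrets.ircPeerKey.file}" ];
 serviceConfig.RuntimeDirectory = "ngircd";
 preStart = ''
 install -d -m700 /run/ngircd/secrets
 for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
 install -m600 $cfg /run/ngircd/secrets/
-${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${config.age.secrets.ircPeerKey.path}' /run/ngircd/secrets/$(basename $cfg)
+${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${cluster.config.services.irc.secrets.peerKey.path}' /run/ngircd/secrets/$(basename $cfg)
 done
 '';
 };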
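Review bot: The removed `restartTriggers = [ "${config.age.secrets.ircPeerKey.file}" ];` line has no counterpart on the new side, so ngircd is no longer restarted when the peer key changes; because the password is only substituted into the server config files in `preStart`, a rotated key would keep the stale password in `/run/ngircd/secrets/` until some unrelated restart. The old trigger worked because `.file` named the encrypted source in the store, whose hash changes with the content; triggering on the new `.path` alone would not help, since a fixed runtime path does not change on rotation. If the cluster secret exposes an attribute that varies with the secret's content, re-add `restartTriggers = [ "${cluster.config.services.irc.secrets.peerKey.<content-derived-attr>}" ];` (placeholder, the cluster module's attributes are not shown on this page); otherwise document in a comment above `systemd.services.ngircd` that a key rotation requires a manual restart. The enclosing module attribute set (`in {`) extends beyond the hunk.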