repo-sync: use LoadCredential

This commit is contained in:
tv 2021-12-24 00:47:41 +01:00
parent 71d11e8f2b
commit 7219292dd5


@ -122,13 +122,9 @@ let
}; };
privateKeyFile = mkOption { privateKeyFile = mkOption {
type = types.secret-file; type = types.absolute-pathname;
default = { default = toString <secrets> + "/repo-sync.ssh.key";
name = "repo-sync-key"; defaultText = "secrets/repo-sync.ssh.key";
path = "${cfg.stateDir}/ssh.priv";
owner = cfg.user;
source-path = toString <secrets> + "/repo-sync.ssh.key";
};
}; };
unitConfig = mkOption { unitConfig = mkOption {
@ -144,7 +140,6 @@ let
}; };
imp = { imp = {
krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
users.users.${cfg.user.name} = { users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid; inherit (cfg.user) home name uid;
createHome = true; createHome = true;
@ -163,6 +158,10 @@ let
} }
) cfg.repos; ) cfg.repos;
krebs.systemd.services = mapAttrs' (name: _:
nameValuePair "repo-sync-${name}" {}
) cfg.repos;
systemd.services = mapAttrs' (name: repo: systemd.services = mapAttrs' (name: repo:
let let
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json" repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
@ -171,16 +170,10 @@ let
}); });
in nameValuePair "repo-sync-${name}" { in nameValuePair "repo-sync-${name}" {
description = "repo-sync"; description = "repo-sync";
after = [ after = [ "network.target" ];
config.krebs.secret.files.repo-sync-key.service
"network.target"
];
partOf = [
config.krebs.secret.files.repo-sync-key.service
];
environment = { environment = {
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}"; GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
REPONAME = "${name}.git"; REPONAME = "${name}.git";
}; };
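Review bot: The `$CREDENTIALS_DIRECTORY` in the new GIT_SSH_COMMAND value is not expanded by systemd — as far as I know Environment= passes its strings literally — so the unit exports the literal `$CREDENTIALS_DIRECTORY/ssh_key`, and the path only resolves because git runs GIT_SSH_COMMAND through a shell inside a process whose environment already carries CREDENTIALS_DIRECTORY from the LoadCredential= added later in this commit. That works, but it silently breaks if the command is ever moved into ExecStart or into a wrapper that does not go through a shell, so I would record the dependency next to the line: `# $CREDENTIALS_DIRECTORY is expanded by the shell git spawns for GIT_SSH_COMMAND, not by systemd`. While here, adding `-o IdentitiesOnly=yes` would keep ssh from offering agent or default identities in addition to the loaded credential, though that behaviour is pre-existing rather than introduced by this hunk. The per-repo attribute set this hunk edits (the `nameValuePair "repo-sync-${name}" { ... }` body) continues past the hunk.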
@ -188,6 +181,7 @@ let
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
PermissionsStartOnly = true; PermissionsStartOnly = true;
LoadCredential = "ssh_key:${cfg.privateKeyFile}";
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}"; ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
WorkingDirectory = cfg.stateDir; WorkingDirectory = cfg.stateDir;
User = "repo-sync"; User = "repo-sync";