repo-sync: use LoadCredential
This commit is contained in:
parent
71d11e8f2b
commit
7219292dd5
@ -122,13 +122,9 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = mkOption {
|
||||||
type = types.secret-file;
|
type = types.absolute-pathname;
|
||||||
default = {
|
default = toString <secrets> + "/repo-sync.ssh.key";
|
||||||
name = "repo-sync-key";
|
defaultText = "‹secrets/repo-sync.ssh.key›";
|
||||||
path = "${cfg.stateDir}/ssh.priv";
|
|
||||||
owner = cfg.user;
|
|
||||||
source-path = toString <secrets> + "/repo-sync.ssh.key";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
unitConfig = mkOption {
|
unitConfig = mkOption {
|
||||||
@ -144,7 +140,6 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
|
|
||||||
users.users.${cfg.user.name} = {
|
users.users.${cfg.user.name} = {
|
||||||
inherit (cfg.user) home name uid;
|
inherit (cfg.user) home name uid;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
@ -163,6 +158,10 @@ let
|
|||||||
}
|
}
|
||||||
) cfg.repos;
|
) cfg.repos;
|
||||||
|
|
||||||
|
krebs.systemd.services = mapAttrs' (name: _:
|
||||||
|
nameValuePair "repo-sync-${name}" {}
|
||||||
|
) cfg.repos;
|
||||||
|
|
||||||
systemd.services = mapAttrs' (name: repo:
|
systemd.services = mapAttrs' (name: repo:
|
||||||
let
|
let
|
||||||
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
|
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
|
||||||
@ -171,16 +170,10 @@ let
|
|||||||
});
|
});
|
||||||
in nameValuePair "repo-sync-${name}" {
|
in nameValuePair "repo-sync-${name}" {
|
||||||
description = "repo-sync";
|
description = "repo-sync";
|
||||||
after = [
|
after = [ "network.target" ];
|
||||||
config.krebs.secret.files.repo-sync-key.service
|
|
||||||
"network.target"
|
|
||||||
];
|
|
||||||
partOf = [
|
|
||||||
config.krebs.secret.files.repo-sync-key.service
|
|
||||||
];
|
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";
|
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
|
||||||
REPONAME = "${name}.git";
|
REPONAME = "${name}.git";
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -188,6 +181,7 @@ let
|
|||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
PermissionsStartOnly = true;
|
PermissionsStartOnly = true;
|
||||||
|
LoadCredential = "ssh_key:${cfg.privateKeyFile}";
|
||||||
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
|
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
|
||||||
WorkingDirectory = cfg.stateDir;
|
WorkingDirectory = cfg.stateDir;
|
||||||
User = "repo-sync";
|
User = "repo-sync";
|
||||||
|
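Review bot: The new `LoadCredential = "ssh_key:${cfg.privateKeyFile}";` line in the last hunk carries no comment about the contract it introduces: the file named by `privateKeyFile` is now read by systemd itself at every service start, so it must exist on the target host and be readable by root, while the removed `krebs.secret.files` entry that declared `owner = cfg.user` and staged a copy under `cfg.stateDir` no longer applies. A comment above it such as `# read by systemd (as root) at each start; exposed to the unit as $CREDENTIALS_DIRECTORY/ssh_key, readable only by User` would make that explicit. In the `environment` hunk, `GIT_SSH_COMMAND` keeps `$CREDENTIALS_DIRECTORY` as a literal in the Nix string, which presumably relies on git executing the command through a shell rather than on systemd expanding `Environment=`; a one-line comment there would stop a reader from "fixing" it into a Nix interpolation. The empty `krebs.systemd.services` entry added in the third hunk also lacks a note on what registering `repo-sync-${name}` with `{}` achieves, and LoadCredential needs systemd 247 or newer, which the module does not assert.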