fup: move config to secret

Luke Granger-Brown 2022-04-10 01:37:37 +01:00
parent 8647af22d7
commit dca96efffe
2 changed files with 27 additions and 6 deletions


@ -4,9 +4,6 @@ let
inherit (depot.ops) secrets;
sock = "/run/fup.sock";
pkg = depot.web.fup;
format = pkgs.formats.yaml {};
fupConfig = format.generate "fup.yaml" secrets.fup.config;
in
{
options = with lib; {
@ -47,6 +44,9 @@ in
};
};
users.users.fup = { isSystemUser = true; group = "fup"; };
users.groups.fup = {};
systemd.sockets.fup = {
listenStreams = [ sock ];
wantedBy = [ "sockets.target" ];
@ -65,10 +65,29 @@ in
serviceConfig = {
Type = "simple";
Restart = "always";
EnvironmentFile = secrets.fup.environment;
ExecStart = "${pkg}/bin/fup serve --config=${fupConfig}";
DynamicUser = true;
EnvironmentFile = config.my.vault.secrets.fup-environment.path;
ExecStart = "${pkg}/bin/fup serve --config=/etc/fup.yaml";
User = "fup";
};
};
environment.etc."fup.yaml".source = config.my.vault.secrets.fup-config.path;
my.vault.secrets.fup-config = {
reloadOrRestartUnits = ["fup.service"];
group = "fup";
template = ''
{{ with secret "kv/apps/fup" }}
{{ .Data.data.config }}
{{ end }}
'';
};
my.vault.secrets.fup-environment = {
reloadOrRestartUnits = ["fup.service"];
group = "fup";
template = ''
{{ with secret "kv/apps/fup" }}
{{ .Data.data.environment }}
{{ end }}
'';
};
};
}
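Review bot: Replacing `DynamicUser = true` with the static `User = "fup"` in `serviceConfig` (assuming, as the new `users.users.fup` entry suggests, that `DynamicUser` is the removed line) drops the sandboxing systemd implies for dynamic users: `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges` and `RestrictSUIDSGID`. The unit already ran under those restrictions, so the lines below set them explicitly to keep the service as confined as before. Separately, `environment.etc` links `/etc/fup.yaml` to the rendered secret by default, so its confidentiality rests on the owner and mode the `my.vault.secrets` module gives the target alongside `group = "fup"`; that module is not visible on this page, so confirm the file is not world-readable. `EnvironmentFile` is read with the service manager's privileges rather than by the service user, so `fup-environment` likely does not need `group = "fup"` at all.

```nix
      User = "fup";
      # Restore the sandboxing that DynamicUser = true implied.
      ProtectSystem = "strict";
      ProtectHome = "read-only";
      PrivateTmp = true;
      RemoveIPC = true;
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
```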


@ -42,6 +42,7 @@
};
my.apps.deluge = {};
my.apps.fup = {};
my.apps.matrix-synapse = {};
my.apps.pomerium = {};
my.apps.quotesdb = {};
@ -71,4 +72,5 @@
my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
my.servers.bvm-prosody.apps = [ "turn" ];
my.servers.blade-tuvok.apps = [ "fup" ];
}