From dca96efffe0d076a2149f3b48d0f6bac4fb26f30 Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Sun, 10 Apr 2022 01:37:37 +0100 Subject: [PATCH] fup: move config to secret --- ops/nixos/lib/fup.nix | 31 +++++++++++++++++++++++++------ ops/vault/cfg/config.nix | 2 ++ 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/ops/nixos/lib/fup.nix b/ops/nixos/lib/fup.nix index 0363126248..ebab7c1bdb 100644 --- a/ops/nixos/lib/fup.nix +++ b/ops/nixos/lib/fup.nix @@ -4,9 +4,6 @@ let inherit (depot.ops) secrets; sock = "/run/fup.sock"; pkg = depot.web.fup; - - format = pkgs.formats.yaml {}; - fupConfig = format.generate "fup.yaml" secrets.fup.config; in { options = with lib; { @@ -47,6 +44,9 @@ in }; }; + users.users.fup = { isSystemUser = true; group = "fup"; }; + users.groups.fup = {}; + systemd.sockets.fup = { listenStreams = [ sock ]; wantedBy = [ "sockets.target" ]; @@ -65,10 +65,29 @@ in serviceConfig = { Type = "simple"; Restart = "always"; - EnvironmentFile = secrets.fup.environment; - ExecStart = "${pkg}/bin/fup serve --config=${fupConfig}"; - DynamicUser = true; + EnvironmentFile = config.my.vault.secrets.fup-environment.path; + ExecStart = "${pkg}/bin/fup serve --config=/etc/fup.yaml"; + User = "fup"; }; }; + environment.etc."fup.yaml".source = config.my.vault.secrets.fup-config.path; + my.vault.secrets.fup-config = { + reloadOrRestartUnits = ["fup.service"]; + group = "fup"; + template = '' + {{ with secret "kv/apps/fup" }} + {{ .Data.data.config }} + {{ end }} + ''; + }; + my.vault.secrets.fup-environment = { + reloadOrRestartUnits = ["fup.service"]; + group = "fup"; + template = '' + {{ with secret "kv/apps/fup" }} + {{ .Data.data.environment }} + {{ end }} + ''; + }; }; } diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix index 592cfec952..1e6fa3b6db 100644 --- a/ops/vault/cfg/config.nix +++ b/ops/vault/cfg/config.nix 
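Review bot: Replacing `DynamicUser = true;` with `User = "fup";` in the third hunk silently drops the sandboxing that DynamicUser implies (per systemd.exec(5): NoNewPrivileges, PrivateTmp, RemoveIPC, RestrictSUIDSGID, ProtectSystem=strict and ProtectHome=read-only), so the service now runs with a plain static user and none of those restrictions unless they are spelled out. Since the static user appears to be needed only so the vault-rendered secrets can be `group = "fup"` readable, I would re-add those settings explicitly in `serviceConfig` so the hardening level stays where it was. The `/etc/fup.yaml` indirection also looks avoidable: `ExecStart` could reference `config.my.vault.secrets.fup-config.path` directly, as `EnvironmentFile` already does, which keeps the config path in one place and avoids a world-visible symlink name in /etc (the target's permissions still govern, assuming the vault module sets a restrictive mode — not visible here). The enclosing `systemd.services.fup` block begins before this hunk, so I cannot see whether any other hardening options are set there.
```nix
      serviceConfig = {
        # … unchanged: Type, Restart, EnvironmentFile, ExecStart …
        User = "fup";
        # DynamicUser=true implied these; keep them now that a static user is used.
        NoNewPrivileges = true;
        PrivateTmp = true;
        RemoveIPC = true;
        RestrictSUIDSGID = true;
        ProtectSystem = "strict";
        ProtectHome = "read-only";
      };
```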
@@ -42,6 +42,7 @@ }; my.apps.deluge = {}; + my.apps.fup = {}; my.apps.matrix-synapse = {}; my.apps.pomerium = {}; my.apps.quotesdb = {}; @@ -71,4 +72,5 @@ my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ]; my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ]; my.servers.bvm-prosody.apps = [ "turn" ]; + my.servers.blade-tuvok.apps = [ "fup" ]; }