Update credential loading, create system user

This commit is contained in:
Felix Albrigtsen 2023-08-27 03:49:51 +02:00
parent 6f125fdb1f
commit a32894b305
1 changed files with 41 additions and 16 deletions


@ -2,12 +2,24 @@
let let
cfg = config.services.pvv-calendar-bot; cfg = config.services.pvv-calendar-bot;
inherit (lib) mkDefault mkEnableOption mkPackageOption mkIf mkOption types mdDoc; inherit (lib) mkDefault mkEnableOption mkPackageOption mkIf mkOption types mdDoc;
in { in
{
options.services.pvv-calendar-bot = { options.services.pvv-calendar-bot = {
enable = mkEnableOption (lib.mdDoc "Enable pvv-calendar-bot to post to matrix"); enable = mkEnableOption (lib.mdDoc "Enable pvv-calendar-bot to post to matrix");
package = mkPackageOption pkgs "pvv-calendar-bot" {}; package = mkPackageOption pkgs "pvv-calendar-bot" { };
user = mkOption {
type = types.str;
default = "pvv-calendar-bot";
};
group = mkOption {
type = types.str;
default = "pvv-calendar-bot";
};
settings = { settings = {
onCalendar = mkOption { onCalendar = mkOption {
type = types.str; type = types.str;
@ -37,11 +49,22 @@ in {
type = types.path; type = types.path;
description = mdDoc "Path to secrets file that defines MATRIX_ACCESS_TOKEN"; description = mdDoc "Path to secrets file that defines MATRIX_ACCESS_TOKEN";
}; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users = mkIf (cfg.user == "pvv-calendar-bot") {
pvv-calendar-bot = {
description = "PVV Calendar Matrix Bot User";
isSystemUser = true;
group = cfg.group;
};
};
users.groups = mkIf (cfg.group == "pvv-calendar-bot") {
pvv-calendar-bot = { };
};
systemd.timers."pvv-calendar-bot" = { systemd.timers."pvv-calendar-bot" = {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
@ -51,25 +74,27 @@ in {
}; };
systemd.services."pvv-calendar-bot" = { systemd.services."pvv-calendar-bot" = {
preStart = let preStart =
let
envFile = pkgs.writeText "pvv-calendar-bot-env" '' envFile = pkgs.writeText "pvv-calendar-bot-env" ''
MATRIX_URL=${cfg.settings.matrix.homeserver} MATRIX_URL=${cfg.settings.matrix.homeserver}
MATRIX_USER=${cfg.settings.matrix.user} MATRIX_USER=${cfg.settings.matrix.user}
ANNOUNCEMENT_CHANNEL=${cfg.settings.matrix.channel} ANNOUNCEMENT_CHANNEL=${cfg.settings.matrix.channel}
MATRIX_TOKEN=@MATRIX_ACCESS_TOKEN@ MATRIX_TOKEN=@MATRIX_ACCESS_TOKEN@
''; '';
in '' in
''
install -Dm600 ${envFile} /run/pvv-calendar-bot/env
${pkgs.replace-secret}/bin/replace-secret '@MATRIX_ACCESS_TOKEN@' ${cfg.settings.secretsFile} /run/pvv-calendar-bot/env ${pkgs.replace-secret}/bin/replace-secret '@MATRIX_ACCESS_TOKEN@' ${cfg.settings.secretsFile} /run/pvv-calendar-bot/env
''; '';
serviceConfig = { serviceConfig = {
ExecStart = "${cfg.package}/bin/pvv-calendar-bot"; ExecStart = "${cfg.package}/bin/pvv-calendar-bot";
RuntimeDirectory = "pvv-calendar-bot"; RuntimeDirectory = "pvv-calendar-bot";
DynamicUser = true;
EnvironmentFile = [ "-/run/pvv-calendar-bot/env" ]; EnvironmentFile = [ "-/run/pvv-calendar-bot/env" ];
User = cfg.user;
Group = cfg.group;
}; };
}; };
}; };
} }
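Review bot: Replacing `DynamicUser = true;` with `User = cfg.user;` / `Group = cfg.group;` in the third hunk silently drops the sandboxing that DynamicUser implies (ProtectSystem=strict, ProtectHome, PrivateTmp, RemoveIPC, NoNewPrivileges), so the bot now runs with a plain static user and no filesystem isolation; the unit should set those directives explicitly, as sketched below. Unless the unit elsewhere sets PermissionsStartOnly or a `+` prefix (not visible in this hunk), preStart also runs as cfg.user, so `${cfg.settings.secretsFile}` must be readable by that user and the env file under RuntimeDirectory is only as protected as the `-Dm600` mode makes it — worth stating in the secretsFile option description. The new `user`/`group` options in the first hunk lack descriptions; something like `description = mdDoc "User account under which pvv-calendar-bot runs; created only when left at the default.";` (and the same for group) would document the conditional `users.users`/`users.groups` creation in the second hunk.
```nix
serviceConfig = {
  # … unchanged: ExecStart, RuntimeDirectory, EnvironmentFile, User, Group …
  # hardening previously implied by DynamicUser; now opt-in
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  RemoveIPC = true;
  NoNewPrivileges = true;
};
```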