Update credential loading, create system user

This commit is contained in:
Felix Albrigtsen 2023-08-27 03:49:51 +02:00
parent 6f125fdb1f
commit a32894b305
1 changed files with 41 additions and 16 deletions


@ -2,12 +2,24 @@
let
cfg = config.services.pvv-calendar-bot;
inherit (lib) mkDefault mkEnableOption mkPackageOption mkIf mkOption types mdDoc;
in {
in
{
options.services.pvv-calendar-bot = {
enable = mkEnableOption (lib.mdDoc "Enable pvv-calendar-bot to post to matrix");
package = mkPackageOption pkgs "pvv-calendar-bot" {};
package = mkPackageOption pkgs "pvv-calendar-bot" { };
user = mkOption {
type = types.str;
default = "pvv-calendar-bot";
};
group = mkOption {
type = types.str;
default = "pvv-calendar-bot";
};
settings = {
onCalendar = mkOption {
type = types.str;
@ -37,11 +49,22 @@ in {
type = types.path;
description = mdDoc "Path to secrets file that defines MATRIX_ACCESS_TOKEN";
};
};
};
config = mkIf cfg.enable {
users.users = mkIf (cfg.user == "pvv-calendar-bot") {
pvv-calendar-bot = {
description = "PVV Calendar Matrix Bot User";
isSystemUser = true;
group = cfg.group;
};
};
users.groups = mkIf (cfg.group == "pvv-calendar-bot") {
pvv-calendar-bot = { };
};
systemd.timers."pvv-calendar-bot" = {
wantedBy = [ "timers.target" ];
timerConfig = {
@ -51,25 +74,27 @@ in {
};
systemd.services."pvv-calendar-bot" = {
preStart = let
envFile = pkgs.writeText "pvv-calendar-bot-env" ''
MATRIX_URL=${cfg.settings.matrix.homeserver}
MATRIX_USER=${cfg.settings.matrix.user}
ANNOUNCEMENT_CHANNEL=${cfg.settings.matrix.channel}
MATRIX_TOKEN=@MATRIX_ACCESS_TOKEN@
'';
in ''
${pkgs.replace-secret}/bin/replace-secret '@MATRIX_ACCESS_TOKEN@' ${cfg.settings.secretsFile} /run/pvv-calendar-bot/env
'';
preStart =
let
envFile = pkgs.writeText "pvv-calendar-bot-env" ''
MATRIX_URL=${cfg.settings.matrix.homeserver}
MATRIX_USER=${cfg.settings.matrix.user}
ANNOUNCEMENT_CHANNEL=${cfg.settings.matrix.channel}
MATRIX_TOKEN=@MATRIX_ACCESS_TOKEN@
'';
in
''
install -Dm600 ${envFile} /run/pvv-calendar-bot/env
${pkgs.replace-secret}/bin/replace-secret '@MATRIX_ACCESS_TOKEN@' ${cfg.settings.secretsFile} /run/pvv-calendar-bot/env
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/pvv-calendar-bot";
RuntimeDirectory = "pvv-calendar-bot";
DynamicUser = true;
EnvironmentFile = [ "-/run/pvv-calendar-bot/env" ];
User = cfg.user;
Group = cfg.group;
};
};
};
}
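Review bot: The serviceConfig block now sets `User = cfg.user;` and `Group = cfg.group;` while the context line above keeps `DynamicUser = true;`, and the new `users.users` entry creates a static system user of the same name, so two ownership models overlap and the intent should be pinned down. To my understanding systemd reuses a pre-existing static user of that name rather than allocating a transient one, which means the `users.users`/`users.groups` additions only take effect if `DynamicUser` is dropped — consider removing `DynamicUser = true;` so the static-user model this commit introduces is the only one in play, or add a comment explaining why both are kept. Separately, the leading `-` in `EnvironmentFile = [ "-/run/pvv-calendar-bot/env" ];` makes a missing env file non-fatal, so if the preStart step ever stops producing it the bot would start without `MATRIX_TOKEN`; since preStart now unconditionally installs the file, `EnvironmentFile = [ "/run/pvv-calendar-bot/env" ];` makes that failure loud instead. Also, because `User=` applies to ExecStartPre unless the command is prefixed with `+`, `cfg.settings.secretsFile` must be readable by `cfg.user`; a one-line comment above `preStart` such as `# runs as cfg.user: secretsFile must be readable by that user` would save the next deployer a confusing permission error.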