This makes the journaldriver configuration machine-independent. The secret is loaded from agenix instead of being persisted on disk. Change-Id: I592ae7f5726fcb7f37a406f69dcf5ac498eeb1b7 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5302 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
		
			
				
	
	
		
| # Configures journaldriver to forward to the tvl-fyi GCP project from
| # TVL machines.
| { config, depot, lib, pkgs, ... }:
| 
| {
|   imports = [
|     (depot.third_party.agenix.src + "/modules/age.nix")
|   ];
| 
|   age.secrets.journaldriver.file = depot.ops.secrets."journaldriver.age";
| 
|   services.journaldriver = {
|     enable = true;
|     googleCloudProject = "tvl-fyi";
|     logStream = config.networking.hostName;
|   };
| 
|   # Override the systemd service defined in the nixpkgs module to use
|   # the credentials provided by agenix.
|   systemd.services.journaldriver = {
|     serviceConfig = {
|       LoadCredential = "journaldriver.json:/run/agenix/journaldriver";
|       ExecStart = lib.mkForce "${pkgs.coreutils}/bin/env GOOGLE_APPLICATION_CREDENTIALS=\"\${CREDENTIALS_DIRECTORY}/journaldriver.json\" ${depot.ops.journaldriver}/bin/journaldriver";
|     };
|   };
| }
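Review bot: The `LoadCredential` line hardcodes `/run/agenix/journaldriver` instead of deriving it from the secret declared a few lines above, so a change to agenix's secrets directory or to the secret's name would silently leave the service without a credential. `LoadCredential = "journaldriver.json:${config.age.secrets.journaldriver.path}";` keeps the two in sync and reads the path from the same option that defines the secret. The escaped `\"\${CREDENTIALS_DIRECTORY}\"` in ExecStart depends on systemd's own variable expansion running before `env` sees the argument; the `%d` specifier names the same credentials directory without any quoting, e.g. `GOOGLE_APPLICATION_CREDENTIALS=%d/journaldriver.json`. Since `lib.mkForce` replaces the nixpkgs module's ExecStart entirely, a short comment noting that any arguments the upstream unit passes to journaldriver are dropped here would help the next maintainer understand why `depot.ops.journaldriver` is invoked directly.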