Move jinx to system and assign postgres database

We wanted an easy way to view the jinx logs, and to avoid using a
separate user account, which is more complicated to operate and has more
challenges in deployment than a normal systemd service.

Change-Id: I436247a14925316ec3dcd77fb18875dc35c69560
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/398
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Samuel Shuert <coded@clicks.codes>
diff --git a/modules/common/jinx.nix b/modules/common/jinx.nix
new file mode 100644
index 0000000..33f8a49
--- /dev/null
+++ b/modules/common/jinx.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, lib, ... }: {
+  systemd.services.jinx = { # running for Pinea
+    serviceConfig = {
+      User = "jinx";
+      ExecStart = "${pkgs.nix}/bin/nix develop --command pnpm start";
+      WorkingDirectory = "/services/jinx/Jinx";
+      LoadCredential = "postgres_password:${config.sops.secrets.clicks_jinx_db_password.path}";
+      Environment = [
+        "PATH=${pkgs.git}/bin"
+        "DATABASE_PASSWORD_FILE=%d/postgres_password"
+      ];
+    };
+    wantedBy = [ "default.target" ];
+    description = "Run Jinx";
+  };
+}
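Review bot: `ExecStart` runs `nix develop --command pnpm start` from the mutable checkout in `/services/jinx/Jinx`, so whatever is in that directory at start time runs with the `postgres_password` credential, and `serviceConfig` sets no sandboxing. I would add at least `NoNewPrivileges = true;` and `PrivateTmp = true;` next to `User = "jinx";`, and make sure the checkout is writable only by accounts trusted to deploy the service. The unit also has no ordering against the database; if jinx connects to the local PostgreSQL at startup, `after = [ "postgresql.service" ];` would avoid a failed first start. No `users.users.jinx` is declared in this diff, so confirm the account exists elsewhere.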
diff --git a/modules/common/mailcow.nix b/modules/common/mailcow.nix
index 9073d56..f046684 100644
--- a/modules/common/mailcow.nix
+++ b/modules/common/mailcow.nix
@@ -24,7 +24,12 @@
     certs = lib.pipe mailACMEHosts [
       (map (name: { inherit name; value = {}; }))
       builtins.listToAttrs
-    ];
+    ] // {
+      "mail.clicks.codes".postRun = ''
+        cp -r $(pwd) /opt/mailcow-dockerized/data/assets/ssl/
+        cp -r $(pwd)/* /opt/mailcow-dockerized/data/assets/ssl/
+      '';
+    };
     defaults.postRun = "cp -r $(pwd) /opt/mailcow-dockerized/data/assets/ssl/";
   };
 }
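Review bot: The added `postRun` for `mail.clicks.codes` copies the whole certificate directory, private key included, with unquoted `$(pwd)` and without setting ownership or mode on the destination. The key therefore ends up with whatever the umask and the existing `/opt/mailcow-dockerized/data/assets/ssl/` permissions allow. Quote the substitutions (`cp -r "$(pwd)"/* /opt/mailcow-dockerized/data/assets/ssl/`) and follow the copy with an explicit `chmod` on the key file to the mode mailcow needs. The first `cp` line repeats `defaults.postRun` from the context below, so a short comment saying why this host needs both the nested and the flat copy would help. The enclosing attribute set starts outside the hunk.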
diff --git a/modules/common/postgres.nix b/modules/common/postgres.nix
index a4e107e..7955bc2 100644
--- a/modules/common/postgres.nix
+++ b/modules/common/postgres.nix
@@ -15,8 +15,7 @@
       log_destination = lib.mkForce "syslog";
     };
 
-    ensureDatabases =
-      [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" "synapse" "taiga" ];
+    ensureDatabases = [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" "synapse" "taiga" "jinx" ];
 
     ensureUsers = [
       {
@@ -45,6 +44,14 @@
         name = "taiga";
         ensureDBOwnership = true;
       }
+      {
+        name = "taiga";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "jinx";
+        ensureDBOwnership = true;
+      }
     ] ++ (map (name: ({
       inherit name;
     })) [ "minion" "coded" "pineafan" ]);
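Review bot: The first added entry, `{ name = "taiga"; ensureDBOwnership = true; }`, duplicates the taiga entry directly above it in the context lines, so `ensureUsers` now lists that role twice. It looks like a copy-paste leftover; only the `jinx` entry is needed for this change. Dropping the duplicate keeps the role list unambiguous when someone later edits taiga's settings. The `ensureUsers` list starts outside the hunk.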
@@ -53,6 +60,9 @@
     authentication = "host   all      all  samenet scram-sha-256";
   };
 
+  systemd.services.postgresql.restartTriggers = [
+    config.systemd.services.postgresql.postStart
+  ];
   systemd.services.postgresql.postStart = lib.mkMerge [
     (let
       database = "synapse";
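Review bot: The new `restartTriggers` on `postStart` has no comment saying why it is needed. It means any edit to the role or password list restarts PostgreSQL for every database on this host, not just the one that changed. A comment such as `# restart so postStart re-runs and applies new role passwords` above the assignment would record the intent. It may also be worth checking whether the unit is already restarted when the generated post-start script changes, in which case the trigger is redundant. The `postStart` definition continues outside the hunk.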
@@ -93,6 +103,10 @@
         user = "taiga";
         passwordFile = config.sops.secrets.clicks_taiga_db_password.path;
       }
+      {
+        user = "jinx";
+        passwordFile = config.sops.secrets.clicks_jinx_db_password.path;
+      }
     ] [
       (map (userData: ''
         $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
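Review bot: The new `jinx` entry is fed into the `ALTER USER ... PASSWORD '$(cat ...)'` line in the context below it, which splices the secret into the SQL text through the shell. A password containing `'` breaks or alters the statement, and the cleartext sits on the `psql` command line where it is visible in the process list. Since this commit adds another credential to that path, consider sending the statement on stdin and loading the file inside psql with `\set` and a backquoted `cat`, then using `PASSWORD :'pw'` so psql does the quoting. The role name is interpolated unquoted as well, which is harmless for `jinx` but would be safer as a double-quoted identifier. The mapping function starts and ends outside the hunk.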
@@ -121,6 +135,7 @@
     "clicks_privatebin_db_password"
     "clicks_nextcloud_db_password"
     "clicks_taiga_db_password"
+    "clicks_jinx_db_password"
   ] [
     (map (name: {
       inherit name;
diff --git a/secrets/postgres.json b/secrets/postgres.json
index ed8fc23..40d5f59 100644
--- a/secrets/postgres.json
+++ b/secrets/postgres.json
@@ -5,6 +5,7 @@
 	"clicks_privatebin_db_password": "ENC[AES256_GCM,data:T+NIe961xTXO/B9RCr/KlhlOLHcz8RfVnCn/+PexGUSeQ9suQ1wdILt14GvEuAUczN3bTT1sy9wRM656lAwWA/nsF3yML+5VwQo/aKo2R66Ga9Lnslg8tquQuwEpWb2tRg6BDEwUl0iLrvGKODAKuu3ClXJEJTASeTCZMv0jUQY=,iv:NFsZbKKCfji9DGDRQHFfH+insWGxbS6xqsng40ckC4M=,tag:LR5Ay8ZowkD7s3pEHjws2w==,type:str]",
 	"clicks_nextcloud_db_password": "ENC[AES256_GCM,data:Tu4BRo0qkpp+RXYlQO7PIfZM40tquvQUt9hbtZdKRotrOg81CGjZLISjNELr8pLCQK4AAfCJ7UPdR0ZztJfhrj5vPnaQM/2nHO4aMuhfnkOX00MDJhum/j1I0Adx/Au9zAaIONaKMBXLmX/g3FU2s6Yp7OtZ7/4FoWAYbG4zSbY=,iv:LjlkKkVNybg9EU9pytsmyYJrFMym0RmSvIFI/KKcpyc=,tag:rPyOh+KtAmo9OeY0Wm1sCQ==,type:str]",
 	"clicks_taiga_db_password": "ENC[AES256_GCM,data:z6XN0q7pGnaevH2WHd8Cjin8HwmhgZUwsZXYBAJBvvDYGWKOZAkkb6uDwdkEF7ZGtRwvjPTxH2VNoncNJJOYDngbRIQz+ntkVTKfmsbdBjKBWDKHbho5+IImeuetMFRkpwsCCyoRgu7r/3JVsW+rzIaOXvw4FjFTknadA+nFN2Q=,iv:KVJdVp3jSiGrpD1bl+S4H+iIklHp7W4zo0niq02mUMc=,tag:g/12Hjro169Kr41WhS0kSg==,type:str]",
+	"clicks_jinx_db_password": "ENC[AES256_GCM,data:uRg4ayNuhQN/udG00jUB93XKwSL6OehmGUY9/QhRugnbscLQSf+Hm6OkawyR9tPrtgROXVXysNMNJ1A27OVPTDf32TP+vz0Lw+dvc1NBM1jWcl4pi9UIcndDifLigVgYWpHL0oUQR+oHVXwnHnykGdPqXYDtycedD94fcmqI6Wg=,iv:TfPQEDvkqt3Jw+ZIWDk/B2elheyRzUpYDIDqpOV7F+I=,tag:DrzwWItSWNY53J/jEbHILw==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -28,10 +29,10 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3clFVS0JZSkhmNElLa3N2\nNFdkT091dzZPdXUyOXNUNkk1QzNMS0hJengwCjcya01LanZhTXNsaGpQdVIvNlRl\nZnljZkhZYWVUR2xJckJPbUpnOSt4SmMKLS0tIElMcGNRTVJudXFORG4zZ3drdG1C\nYTZPcDh4OGwzUTZDVlhWNk55bDZMd2sK/F5ZGw6Kf8nWRXDobOonFDtPlSSU5c4u\nAEvihsNSDR3MwvQgu5jJCuCeRGLdXaOqBBEYrIamIcAlVKGeT6y/UA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2023-12-03T00:26:13Z",
-		"mac": "ENC[AES256_GCM,data:TuCOR3a2Ee3+YynXhLhuAALagisAoyoJmvlMK45R/iCK3p9kyWNpH1NkNgmA1Ye493uxGKn0Qz5aU5pQFjRkZL2voNU5m+mg0BhwGDNuD9DMTriDcEPmj+MVccK0cSN3pk60r5Mm9qstnCu/ICI3Vudo0V2OHA9YU/ov2i/JT6U=,iv:d/JNr+sa0GLBRF3s7vwIfZjNv+G4/QPdj6Z0GRNK/+I=,tag:VQQF9fRmcAOL9p61gMUEuA==,type:str]",
+		"lastmodified": "2024-02-14T19:15:22Z",
+		"mac": "ENC[AES256_GCM,data:sspfUgxhzZQLrTH2uH1PcV0eOoYwFhj6e1KPjLqV14c0UOqmP7h/w/rydZPRTfxH9K/QifRg+fCbcEIVDTfhgSxg++GUJBnmv8kzAWKmrheN4GjuHtKY9SZ6xICLdQd+Jcy7mEGZKOjEJVt8kGEqk1nkKfiF6Q/5VfiZ2iguLSc=,iv:CLq8VCB7NvITHFBpEuBa6dQW0vuR5XKw92GdY9PrJ7E=,tag:nU0b+lt3XZiUYpibgnxjIA==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.7.3"
+		"version": "3.8.1"
 	}
 }
\ No newline at end of file
diff --git a/services/jinx/default.nix b/services/jinx/default.nix
index 9f7fd42..0967ef4 100644
--- a/services/jinx/default.nix
+++ b/services/jinx/default.nix
@@ -1,10 +1 @@
-{ pkgs, config, lib, ... }: {
-  # Running for Pinea
-  systemd.user.services."pinea.jinx" = {
-    Unit.Description = "Run Jinx";
-    Install.WantedBy = [ "default.target" ];
-    Service.ExecStart = "${pkgs.nix}/bin/nix develop --command pnpm start";
-    Service.WorkingDirectory = "${config.home.homeDirectory}/Jinx";
-    Service.Environment = "PATH=${pkgs.git}/bin";
-  };
-}
+{}