| -rw-r--r-- | hosts/poweredge/configuration.nix | 2 | ||||
| -rw-r--r-- | hosts/poweredge/ddns-updater.nix | 21 |
2 files changed, 13 insertions, 10 deletions
diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix
index 301566c..0119620 100644
--- a/hosts/poweredge/configuration.nix
+++ b/hosts/poweredge/configuration.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }: {
   imports = [
-    #./ddns-updater.nix
+    ./ddns-updater.nix
     ./fileshares.nix
     ./networking.nix
     #./notification-mailer.nix # TODO move some of this stuff to archetype
diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix
index 103c23b..319e3c4 100644
--- a/hosts/poweredge/ddns-updater.nix
+++ b/hosts/poweredge/ddns-updater.nix
@@ -1,19 +1,22 @@
-{ config, lib, ... }: {
-  # Password file for mail application password
+{ config, lib, ... }: let
+  credential = "config";
+in {
+  # Config for ddns-updater, owned by the ddns-updater systemd service user
   sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml;
 
+  # Load secret as a credential in systemd service
+  systemd.services.ddns-updater.serviceConfig = {
+    LoadCredential = [
+      "${credential}:${config.sops.secrets.ddns-updater-config.path}"
+    ];
+  };
+
   # Enable ddns updater
   services.ddns-updater = {
     enable = true;
     environment = {
       SERVER_ENABLED="no";
-      CONFIG_FILEPATH = config.sops.secrets.ddns-updater-config.path;
-      PERIOD = "5m";
+      CONFIG_FILEPATH = "%d/${credential}";
     };
   };
-
-  # FIXME Required root permissions to open secret
-  systemd.services.ddns-updater = {
-    serviceConfig.DynamicUser = lib.mkForce false;
-  };
 }
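Review bot: The new comment above the sops secret, `# Config for ddns-updater, owned by the ddns-updater systemd service user`, does not match what the hunk configures: nothing sets `sops.secrets.ddns-updater-config.owner` or `.mode`, so the file at `config.sops.secrets.ddns-updater-config.path` keeps sops-nix's root-only default and the service only ever sees the copy that `LoadCredential` places under the credentials directory. That root-only on-disk file is exactly what makes dropping the `DynamicUser = lib.mkForce false` override safe, so the comment should say that instead of suggesting the service user owns the secret; `# Secret stays root-only on disk; the service reads the copy systemd provides via LoadCredential below` would be accurate. Separately, `CONFIG_FILEPATH = "%d/${credential}";` depends on systemd expanding the `%d` specifier, which it does for `Environment=` directives but not for values read from an `EnvironmentFile=`, so it is worth confirming which form the `services.ddns-updater.environment` option emits before relying on it, otherwise the updater is handed the literal string. Dropping `PERIOD = "5m"` also silently returns the updater to its built-in default interval, which deserves a one-line comment in the `environment` block so the next reader knows it was intentional.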
