ref: make use of systemd LoadCredential

- consistently use LoadCredential in order to pass credentials to a process
input-output-hk · Jan 9, 2022 · 089e60d · 089e60d
1 parent b038cc0
commit 089e60d
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 22 deletions.
diff --git a/modules/ingress-config.nix b/modules/ingress-config.nix
@@ -181,6 +181,9 @@
         TimeoutStopSec = "30s";
         RestartSec = "10s";
         Restart = "on-failure";
+        LoadCredential = [
+          "${builtins.baseNameOf hashiTokens.vault}:${hashiTokens.vault}"
+        ];
       };
 
       unitConfig = {
@@ -199,7 +202,7 @@
       script = ''
         set -euo pipefail
 
-        export VAULT_TOKEN="$(< ${hashiTokens.vault})"
+        export VAULT_TOKEN="$(< $CREDENTIALS_DIRECTORY/${builtins.baseNameOf hashiTokens.vault})"
         CONSUL_HTTP_TOKEN="$(vault read -field token consul/creds/ingress)"
         export CONSUL_HTTP_TOKEN
 

diff --git a/modules/nomad-autoscaler.nix b/modules/nomad-autoscaler.nix
@@ -609,20 +609,18 @@ in {
       serviceConfig = {
         StateDirectory = "nomad-autoscaler";
         RuntimeDirectory = "nomad-autoscaler";
+        LoadCredential = [
+          "${builtins.baseNameOf hashiTokens.nomad-autoscaler}:${hashiTokens.nomad-autoscaler}"
+        ];
+
 
         # DynamicUser = true;
         # User = "nomad-autoscaler";
         # Group = "nomad-autoscaler";
 
-        ExecStartPre = pkgs.writeBashChecked "nomad-autoscaler-pre" ''
-          set -exuo pipefail
-          cp ${hashiTokens.nomad-autoscaler} .
-        '';
-
         ExecStart = pkgs.writeBashChecked "nomad-autsocaler" ''
           set -euo pipefail
-
-          NOMAD_TOKEN="$(< ${builtins.baseNameOf hashiTokens.nomad-autoscaler})"
+          NOMAD_TOKEN="$(< $CREDENTIALS_DIRECTORY/${builtins.baseNameOf hashiTokens.nomad-autoscaler})"
           export NOMAD_TOKEN
           unset AWS_DEFAULT_REGION
 

diff --git a/modules/nomad-snapshots.nix b/modules/nomad-snapshots.nix
@@ -147,6 +147,9 @@ let
       Type = "oneshot";
       Restart = "on-failure";
       RestartSec = "30s";
+      LoadCredential = [
+        "${builtins.baseNameOf hashiTokens.nomad-snapshot}:${hashiTokens.nomad-snapshot}"
+      ];
       ExecStart = pkgs.writeBashChecked "nomad-snapshot-${job}-script" ''
         set -exuo pipefail
 
@@ -168,16 +171,10 @@ let
         }
 
         exportToken () {
-          if [ ! -f ${hashiTokens.nomad-snapshot} ]; then
-            echo "Suitable nomad token for snapshotting not found."
-            echo "Ensure the appropriate token for snapshotting is available.";
-            exit 0;
-          else
-            set +x
-            NOMAD_TOKEN="$(< ${hashiTokens.nomad-snapshot})"
-            export NOMAD_TOKEN
-            set -x
-          fi
+          set +x
+          NOMAD_TOKEN=$(< "$CREDENTIALS_DIRECTORY/${builtins.baseNameOf hashiTokens.nomad-snapshot}")
+          export NOMAD_TOKEN
+          set -x
         }
 
         isNotLeader () {

diff --git a/modules/nomad.nix b/modules/nomad.nix
@@ -1161,10 +1161,13 @@ in {
           set -exuo pipefail
           # ${bittelib.ensureDependencies pkgs [ "consul" "vault" ]}
           cp /etc/ssl/certs/cert-key.pem .
-          cp ${hashiTokens.vault} .
           chown --reference . ./*.pem
         '';
       in {
+        LoadCredential = [
+          "${builtins.baseNameOf hashiTokens.vault}:${hashiTokens.vault}"
+          "${builtins.baseNameOf hashiTokens.consul-nomad}:${hashiTokens.consul-nomad}"
+        ];
         ExecStartPre = "!${start-pre}";
         ExecStart = let
           args = [ "${cfg.package}/bin/nomad" "agent" ]
@@ -1180,7 +1183,7 @@ in {
           set -euo pipefail
 
           ${lib.optionalString cfg.server.enabled ''
-            VAULT_TOKEN="$(< ${builtins.baseNameOf hashiTokens.vault})"
+            VAULT_TOKEN="$(< $CREDENTIALS_DIRECTORY/${builtins.baseNameOf hashiTokens.vault})"
             export VAULT_TOKEN
 
             token="$(vault token create -policy ${cfg.tokenPolicy} -period 72h -orphan -field token)"
@@ -1189,7 +1192,7 @@ in {
 
           exec ${
             lib.concatStringsSep " " args
-          } -consul-token "$(< ${hashiTokens.consul-nomad})"
+          } -consul-token "$(< $CREDENTIALS_DIRECTORY/${builtins.baseNameOf hashiTokens.consul-nomad})"
         '';
 
         KillMode = "process";

diff --git a/modules/vault-snapshots.nix b/modules/vault-snapshots.nix
@@ -148,6 +148,9 @@ let
       Type = "oneshot";
       Restart = "on-failure";
       RestartSec = "30s";
+      LoadCredential = [
+        "${builtins.baseNameOf hashiTokens.vault}:${hashiTokens.vault}"
+      ];
       ExecStart = pkgs.writeBashChecked "vault-snapshot-${job}-script" ''
         set -exuo pipefail
 
@@ -170,7 +173,7 @@ let
 
         exportToken () {
           set +x
-          VAULT_TOKEN="$(< ${hashiTokens.vault})"
+          VAULT_TOKEN="$(< "$CREDENTIALS_DIRECTORY"/${builtins.baseNameOf hashiTokens.vault})"
           export VAULT_TOKEN
           set -x
         }