[root@chrysalis:/srv/within/tron]# ls -l /run/keys/tron
-rw-r----- 1 tron within 230 Nov 7 19:55 /run/keys/tron
[root@chrysalis:/srv/within/tron]# su -s $(which bash) tron
bash: /srv/within/tron/.bashrc: Permission denied
[tron@chrysalis:~]$ id
uid=999(tron) gid=999(within) groups=999(within)
[tron@chrysalis:~]$ ls -l /run/keys/tron
ls: cannot access '/run/keys/tron': Permission denied
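{ config, lib, pkgs, ... }:
# NixOS/NixOps module for the "tron" service: a dedicated system user, a
# deployed secret under /run/keys, and a systemd unit that runs the binary
# as that user once the key has been delivered.
with lib; {
  options.within.services.tron.enable =
    mkEnableOption "Tron fights for the users";

  config = mkIf config.within.services.tron.enable {
    # User account
    users.users.tron = {
      createHome = true;
      description = "Tron fights for the users";
      isSystemUser = true;
      group = "within";
      home = "/srv/within/tron";
      # NixOps delivers keys into /run/keys, which by default is owned by
      # root:keys with no access for other users. A 0640 key file owned by
      # tron is still unreadable if tron cannot traverse that directory, so
      # the service user also needs membership in the "keys" group.
      extraGroups = [ "keys" ];
    };

    # Secret config
    # The key is pushed to the target by NixOps rather than via the Nix store.
    # `text` reads the secret into the evaluation on the deployer; NixOps'
    # `keyFile` option hands over the path instead, if the secret should not
    # appear in evaluation results at all.
    deployment.keys.tron = {
      text = builtins.readFile ./secrets/tron.env;
      user = "tron";
      group = "within";
      permissions = "0640";
    };

    # Service
    systemd.services.tron = {
      wantedBy = [ "multi-user.target" ];
      # Keys only exist after NixOps has uploaded them; ordering after (and
      # wanting) the per-key unit avoids starting before /run/keys/tron exists.
      after = [ "tron-key.service" ];
      wants = [ "tron-key.service" ];
      serviceConfig = {
        User = "tron";
        Group = "within";
        Restart = "on-failure";
      };
      # REGEXES points at the Dhall ruleset shipped with the package.
      script = let tron = pkgs.within.tron;
      in ''
        export REGEXES=${tron}/regexes.dhall
        exec ${tron}/bin/tron
      '';
    };
  };
}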