attic-watch-store.nix
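# NixOS module: run `attic watch-store` as a system service so that store paths
# appearing on this machine are pushed to the `prod` attic cache.
#
# Fixes relative to the previous revision:
#   * the service script no longer enables shell tracing (`-x`): with it, bash
#     echoes the fully expanded `attic login ... <token>` line into the journal,
#     so the auth token ended up in logs readable by anyone with journal access;
#   * `wants = [ "network-online.target" ]` is added next to `after`: `after`
#     only orders the unit, it does not pull network-online.target in, so the
#     service could start before the network was actually up.
{ pkgs
, config
, ...
}: {
  # sops-nix (https://github.com/Mic92/sops-nix) is just an example here.
  # Replace it with your own secret management as needed:
  # https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes
  sops.secrets."attic/prod-auth-token" = { sopsFile = ../secrets.yaml; };
  sops.secrets."attic/netrc-file-pull-push" = { sopsFile = ../secrets.yaml; };

  # netrc file so this machine's own nix daemon can talk to the cache
  # (pull/push) independently of the watcher service below.
  nix.settings.netrc-file = config.sops.secrets."attic/netrc-file-pull-push".path;

  systemd.services.attic-watch-store = {
    wantedBy = [ "multi-user.target" ];
    # `after` only orders; `wants` is what pulls the target into the transaction.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    # Point HOME at the state directory; presumably so attic's per-user client
    # config written by `attic login` lands there rather than in a missing home.
    environment.HOME = "/var/lib/attic-watch-store";
    serviceConfig = {
      DynamicUser = true;
      # cgroup memory throttle / hard cap, as a fraction of physical RAM.
      MemoryHigh = "5%";
      MemoryMax = "10%";
      # The token is handed over via systemd's credential mechanism: the
      # manager reads the secret file and exposes it under
      # $CREDENTIALS_DIRECTORY, so the dynamic service user never needs
      # read access to the sops-managed file itself.
      LoadCredential = "prod-auth-token:${config.sops.secrets."attic/prod-auth-token".path}";
      StateDirectory = "attic-watch-store";
    };
    path = [ pkgs.attic-client ];
    script = ''
      # Deliberately no `-x`: command tracing would print the expanded login
      # line, token included, to the journal.
      set -eu -o pipefail
      ATTIC_TOKEN=$(< "$CREDENTIALS_DIRECTORY/prod-auth-token")
      # Replace https://cache.<domain> with your own cache URL.
      attic login prod https://cache.<domain> "$ATTIC_TOKEN"
      attic use prod
      exec attic watch-store prod:prod
    '';
  };
}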