Diffstat (limited to 'krebs')
| -rw-r--r-- | krebs/3modules/exim-smarthost.nix | 35 | ||||
| -rw-r--r-- | krebs/3modules/repo-sync.nix | 29 | ||||
| -rw-r--r-- | krebs/3modules/systemd.nix | 3 | 
3 files changed, 23 insertions, 44 deletions
|
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 4eb1d6411..fe149448b 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -24,13 +24,8 @@ let
             type = types.str;
           };
           private_key = mkOption {
-            type = types.secret-file;
-            default = {
-              name = "exim.dkim_private_key/${config.domain}";
-              path = "/run/krebs.secret/${config.domain}.dkim_private_key";
-              owner.name = "exim";
-              source-path = toString <secrets> + "/${config.domain}.dkim.priv";
-            };
+            type = types.absolute-pathname;
+            default = toString <secrets> + "/${config.domain}.dkim.priv";
             defaultText = "‹secrets/‹domain›.dkim.priv›";
           };
           selector = mkOption {
@@ -111,24 +106,13 @@ let
   };
   imp = {
-    krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: {
-      name = "exim.dkim_private_key/${dkim.domain}";
-      value = dkim.private_key;
-    }));
-    systemd.services = mkIf (cfg.dkim != []) {
-      exim = {
-        after = flip map cfg.dkim (dkim:
-          config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
-        );
-        partOf = flip map cfg.dkim (dkim:
-          config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
-        );
-      };
-    };
+    krebs.systemd.services.exim = {};
+    systemd.services.exim.serviceConfig.LoadCredential =
+      map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
     krebs.exim = {
       enable = true;
       config = /* exim */ ''
-        keep_environment =
+        keep_environment = CREDENTIALS_DIRECTORY
         primary_hostname = ${cfg.primary_hostname}
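Review bot: Neither the new `private_key` option here nor `privateKeyFile` in repo-sync.nix's `@@ -122` hunk gets a `description`, so a reader sees only `defaultText` and cannot tell that the value is now a host path systemd copies into `CREDENTIALS_DIRECTORY` at unit start, rather than a file the removed `secret-file` type installed for a named owner. The defaults stay out of the Nix store only because they use `toString <secrets>`; a later rewrite to the `"${<secrets>}/…"` form would copy the directory into the world-readable store. I would add `description = "Absolute path to the DKIM private key for this domain; read by systemd via LoadCredential at service start. Must not be a Nix store path.";` and the analogous text for `privateKeyFile`.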
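Review bot: The removed `secret-file` default carried `owner.name = "exim"`, i.e. the key had to be readable by the exim user, but this hunk sets `LoadCredential` on the exim unit without a `User=`, and systemd hands the credentials directory to the unit's user only; if the exim daemon starts as root and drops to the exim user before the transport reads `dkim_private_key`, the key is root-only and every signing attempt fails, which `dkim_strict = true` in the `@@ -242` hunk turns into a deferral. How the NixOS exim unit and exim's privilege dropping interact is not visible here, so please confirm with a signed delivery on a test host. Independently, the credential id `${dkim.domain}.dkim_private_key` built here must stay in step with the `$sender_address_domain.dkim_private_key` dsearch key in the `@@ -242` hunk, and `keep_environment = CREDENTIALS_DIRECTORY` is what lets that lookup see the variable; a one-line comment above the `map` would make the coupling explicit, e.g. `# id must match the dsearch key of the dkim_private_key exim setting below; keep_environment passes CREDENTIALS_DIRECTORY through`. The `imp` set continues outside the hunk.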
@@ -242,8 +226,9 @@ let
           ${optionalString (cfg.dkim != []) (indent /* exim */ ''
             dkim_canon = relaxed
             dkim_domain = $sender_address_domain
-            dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
+            dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}}
             dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
+            dkim_strict = true
           '')}
           helo_data = ''${if eq{$acl_m_special_dom}{}  \
                                {$primary_hostname}   \
@@ -281,10 +266,6 @@ let
     inherit (cfg) internet-aliases;
     inherit (cfg) system-aliases;
   } // optionalAttrs (cfg.dkim != []) {
-    dkim_private_key = flip map cfg.dkim (dkim: {
-      from = dkim.domain;
-      to = dkim.private_key.path;
-    });
     dkim_selector = flip map cfg.dkim (dkim: {
       from = dkim.domain;
       to = dkim.selector;
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index 0312c62fd..c4cfb9a49 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -122,13 +122,9 @@ let
     };
     privateKeyFile = mkOption {
-      type = types.secret-file;
-      default = {
-        name = "repo-sync-key";
-        path = "${cfg.stateDir}/ssh.priv";
-        owner = cfg.user;
-        source-path = toString <secrets> + "/repo-sync.ssh.key";
-      };
+      type = types.absolute-pathname;
+      default = toString <secrets> + "/repo-sync.ssh.key";
+      defaultText = "‹secrets/repo-sync.ssh.key›";
     };
     unitConfig = mkOption {
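Review bot: `dkim_strict = true` makes a failed key lookup defer the message instead of sending it unsigned, which is the right choice now that the key is a `dsearch` in `CREDENTIALS_DIRECTORY`, but the line says nothing about why it is there or what keeps the lookup contained: `$sender_address_domain` comes from the submitted message, so the lookup key is partly sender-chosen, and containment rests on exim's dsearch refusing keys that contain `/`. An exim comment above `dkim_private_key` would record that, e.g. `# key is sender-derived; dsearch rejects '/' so it cannot name a file outside CREDENTIALS_DIRECTORY; dkim_strict defers rather than sending unsigned when no credential exists`. Note that `dkim_selector` still comes from the lsearch table, so a domain listed there without a loaded credential now defers mail rather than being skipped. The surrounding config string continues outside the hunk.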
@@ -144,14 +140,16 @@ let
   };
   imp = {
-    krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
     users.users.${cfg.user.name} = {
       inherit (cfg.user) home name uid;
       createHome = true;
+      group = cfg.user.name;
       description = "repo-sync user";
       isSystemUser = true;
     };
+    users.groups.${cfg.user.name} = {};
+
     systemd.timers = mapAttrs' (name: repo:
       nameValuePair "repo-sync-${name}" {
         description = "repo-sync timer";
@@ -160,6 +158,10 @@ let
       }
     ) cfg.repos;
+    krebs.systemd.services = mapAttrs' (name: _:
+      nameValuePair "repo-sync-${name}" {}
+    ) cfg.repos;
+
     systemd.services = mapAttrs' (name: repo:
       let
         repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
@@ -168,16 +170,10 @@ let
           });
       in nameValuePair "repo-sync-${name}" {
         description = "repo-sync";
-        after = [
-          config.krebs.secret.files.repo-sync-key.service
-          "network.target"
-        ];
-        partOf = [
-          config.krebs.secret.files.repo-sync-key.service
-        ];
+        after = [ "network.target" ];
         environment = {
-          GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";
+          GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
           REPONAME = "${name}.git";
         };
@@ -185,6 +181,7 @@ let
         serviceConfig = {
           Type = "simple";
           PermissionsStartOnly = true;
+          LoadCredential = "ssh_key:${cfg.privateKeyFile}";
           ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
           WorkingDirectory = cfg.stateDir;
           User = "repo-sync";
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index 0ce44391e..294f80a3c 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
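Review bot: Dropping `krebs.secret.files.repo-sync-key` stops installing the key at `${cfg.stateDir}/ssh.priv` (the removed default path in the `@@ -122` hunk), but nothing removes a copy that earlier generations already placed there; on upgraded hosts the old private key file stays readable to the repo-sync user under its `WorkingDirectory`, while the live key now arrives via `LoadCredential`. Whether the old secret module cleaned its files up on deactivation is not visible here; if it did not, a one-off removal of that path, or at least a note in the commit message, would close the gap. The `imp` set continues outside the hunk.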
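Review bot: `GIT_SSH_COMMAND = "… -i $CREDENTIALS_DIRECTORY/ssh_key"` in the `@@ -168` hunk only works because git hands that string to a shell, which expands `$CREDENTIALS_DIRECTORY` at run time; systemd does not expand variables in `Environment=`, so the line reads as if it relied on systemd and will puzzle the next reader. A comment on the line would settle it: `# expanded by the shell git runs GIT_SSH_COMMAND through, not by systemd`. The credential directory is created for the unit's `User = "repo-sync"` (context in the `@@ -185` hunk), while the account is created from `cfg.user.name`; that hard-coded name predates this change, but now that the key is reachable only through the credential directory a mismatch would make every clone fail, so `User = cfg.user.name;` would be the safer form. The service definition starts and ends outside the hunk.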
@@ -31,7 +31,8 @@
             lib.types.absolute-pathname.check
             (map
               (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
-              config.systemd.services.${serviceName}.serviceConfig.LoadCredential);
+              (lib.toList
+                config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
       }
     ) config.krebs.systemd.services;
|
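Review bot: `lib.toList` covers the list-valued `LoadCredential` that exim-smarthost.nix now sets, but the regex `[^:]*:(.*)` still assumes every entry is `id:path`; systemd also accepts a bare `id` (credential taken from the system credential store), for which `lib.match` yields null, `lib.maybeHead` presumably null as well, and what `absolute-pathname.check null` does is not visible in this hunk. If bare ids are meant to be rejected, a filter before the check, or at least a comment stating the assumption, would make that deliberate: `# LoadCredential may be a single "id:path" string or a list of them; bare ids are not expected here`. The enclosing expression starts outside the hunk.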
