Move etherpad and mediagoblin keys to secure location

[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / mediagoblin / default.nix

diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix
index 54c0478d022cc6779466134f615f134d7fb6a70d..9b058beae04fa7f7c20b28837f850d66b9c3e8d6 100644 (file)
--- a/nixops/modules/websites/tools/mediagoblin/default.nix
+++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -12,6 +12,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    deployment.keys = mediagoblin.keys;
     ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
     ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
 
@@ -22,6 +23,7 @@ in {
       description = "Mediagoblin user";
       home = mediagoblin.varDir;
       useDefaultShell = true;
+      extraGroups = [ "keys" ];
     };
 
     users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
@@ -29,7 +31,8 @@ in {
     systemd.services.mediagoblin-web = {
       description = "Mediagoblin service";
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
+      after = [ "network.target" "tools-mediagoblin-key.service" ];
+      wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];
 
       environment.SCRIPT_NAME = "/mediagoblin/";