binary-cache: move to EnvironmentFile=

Load the environment via EnvironmentFile=.
This avoids the service crashing the first time, because the initial
transaction didn't see the service drop-ins created by cloud-init yet.

hosts/binary-cache/configuration.nix

@@ -53,6 +53,7 @@
         + ":azureblob:binary-cache-v1";
       # On successful startup, grant caddy write permissions to the socket.
       ExecStartPost = "${pkgs.acl.bin}/bin/setfacl -m u:caddy:rw %t/rclone-http/socket";
+      EnvironmentFile = "/run/rclone-http.env";
     };
   };
 
@@ -92,6 +93,7 @@
     ""
     "${pkgs.caddy}/bin/caddy run --environ --config ${config.services.caddy.configFile}/Caddyfile"
   ];
+  systemd.services.caddy.serviceConfig.EnvironmentFile = "/run/caddy.env";
 
   # Expose the HTTP and HTTPS port.
   networking.firewall.allowedTCPPorts = [80 443];

terraform/jenkins/binary_cache.tf

@@ -35,22 +35,17 @@ module "binary_cache_vm" {
         ssh_authorized_keys = local.ssh_keys[user]
       }
     ]
-    # TODO: this should be EnvironmentFile, so we don't need to restart
+    # See corresponding EnvironmentFile= directives in services
     write_files = [
       {
-        content = "[Service]\nEnvironment=AZURE_STORAGE_ACCOUNT_NAME=ghafbinarycache",
-        "path" = "/run/systemd/system/rclone-http.service.d/cloud-init.conf"
+        content = "AZURE_STORAGE_ACCOUNT_NAME=ghafbinarycache",
+        "path"  = "/run/rclone-http.env"
       },
       {
-        content = "[Service]\nEnvironment=SITE_ADDRESS=ghaf-binary-cache.northeurope.cloudapp.azure.com",
-        "path" = "/run/systemd/system/caddy.service.d/cloud-init.conf"
+        content = "SITE_ADDRESS=ghaf-binary-cache.northeurope.cloudapp.azure.com",
+        "path"  = "/run/caddy.env"
       },
     ],
-    runcmd = [
-      "systemctl daemon-reload", # pick up drop-ins
-      "systemctl restart caddy.service",
-      "systemctl restart rclone-http.service"
-    ]
   })])
 
   subnet_id = azurerm_subnet.binary_cache.id