Merge pull request #181377 from mayflower/mxisd-secrets

nixos/mxisd: allow passing secrets
2022-07-18 15:10:49 +02:00 · 2022-07-18 15:10:49 +02:00 · 179688c7c8
commit 179688c7c8
parent 8b72dae17b c2c82fbe43
1 changed files with 15 additions and 1 deletions
--- a/nixos/modules/services/networking/mxisd.nix
+++ b/nixos/modules/services/networking/mxisd.nix
@ -46,6 +46,15 @@ in {
        description = "The mxisd/ma1sd package to use";
      };

+      environmentFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Path to an environment-file which may contain secrets to be
+          substituted via <package>envsubst</package>.
+        '';
+      };
+
      dataDir = mkOption {
        type = types.str;
        default = "/var/lib/mxisd";
@ -118,7 +127,12 @@ in {
        Type = "simple";
        User = "mxisd";
        Group = "mxisd";
-        ExecStart = "${cfg.package}/bin/${executable} -c ${configFile}";
+        EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+        ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml";
+        ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" ''
+          ${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \
+            -i ${configFile}
+        ''}";
        WorkingDirectory = cfg.dataDir;
        Restart = "on-failure";
      };