diff --git a/nixos/modules/services/misc/bepasty.nix b/nixos/modules/services/misc/bepasty.nix
index 52719222db66..4d78cddcb54f 100644
--- a/nixos/modules/services/misc/bepasty.nix
+++ b/nixos/modules/services/misc/bepasty.nix
@@ -21,7 +21,7 @@ in
configure a number of bepasty servers which will be started with
gunicorn.
'';
- type = with types ; attrsOf (submodule ({
+ type = with types ; attrsOf (submodule ({ config, ... } : {
options = {
@@ -34,7 +34,6 @@ in
default = "127.0.0.1:8000";
};
-
dataDir = mkOption {
type = types.str;
description = ''
@@ -73,10 +72,28 @@ in
type = types.str;
description = ''
server secret for safe session cookies, must be set.
+
+ Warning: this secret is stored in the WORLD-READABLE Nix store!
+
+ It's recommended to use
+ which takes precedence over .
'';
default = "";
};
+ secretKeyFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ A file that contains the server secret for safe session cookies, must be set.
+
+ takes precedence over .
+
+ Warning: when is non-empty
+ defaults to a file in the WORLD-READABLE Nix store containing that secret.
+ '';
+ };
+
workDir = mkOption {
type = types.str;
description = ''
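Review bot: The `secretKey` description still says "must be set" and the option keeps `default = ""`, while the new `secretKeyFile` description also says "must be set"; with the fallback added in this commit neither is individually mandatory, only one of the two is, so both sentences now mislead. I would change the `secretKey` text to `server secret for safe session cookies; either this or secretKeyFile must be set.` and the `secretKeyFile` text to `A file that contains the server secret for safe session cookies. Either this or secretKey must be set; this option takes precedence.`. The cross-references in both descriptions render as empty ("It's recommended to use which takes precedence over ."), which looks like stripped `<option>` markup rather than the source text, but worth checking that the option names survive in the rendered manual. Keeping `types.str` rather than `types.path` here is correct, since a path-typed value would copy the secret file into the store; a short comment saying so, `# str, not path: a path would copy the secret into the Nix store`, would stop a future "fix".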
@@ -87,11 +104,22 @@ in
};
};
+ config = {
+ secretKeyFile = mkDefault (
+ if config.secretKey != ""
+ then toString (pkgs.writeTextFile {
+ name = "bepasty-secret-key";
+ text = config.secretKey;
+ })
+ else null
+ );
+ };
}));
};
};
config = mkIf cfg.enable {
+
environment.systemPackages = [ bepasty ];
# creates gunicorn systemd service for each configured server
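Review bot: The `mkDefault` fallback writes the plaintext `secretKey` into a store derivation via `pkgs.writeTextFile`, so a user who never reads the option docs still ends up with a world-readable secret and gets no signal at evaluation time. Since the outer `config = mkIf cfg.enable` block starting at the end of this hunk is the natural place, I would surface it as an evaluation warning, something like `warnings = optional (any (s: s.secretKey != "") (attrValues <servers>)) "services.bepasty: secretKey is stored in the world-readable Nix store; use secretKeyFile instead.";` with `<servers>` being whatever the servers attrset option is named, which is outside this hunk. A one-line comment on the fallback itself, `# compatibility path: materialises secretKey in the Nix store, see option docs`, would also help the next reader understand why the derivation exists.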
@@ -115,7 +143,7 @@ in
serviceConfig = {
Type = "simple";
PrivateTmp = true;
- ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+ ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
#!/bin/sh
mkdir -p "${server.workDir}"
mkdir -p "${server.dataDir}"
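Review bot: The bare `assert !isNull server.secretKeyFile` on the `ExecStartPre` line fails evaluation with an opaque "assertion failed" pointing at this file, and `isNull` is the deprecated builtin (the idiom is `!= null`); NixOS modules normally express this through the `assertions` option so the user sees which server and which options are involved. One replacement is an entry per server in the enabled config, `{ assertion = server.secretKeyFile != null; message = "services.bepasty.servers.${name}: either secretKey or secretKeyFile must be set"; }`, with the `assert` dropped from `ExecStartPre`. The init script body continues past the hunk, so it is not visible here whether the secret is read from `secretKeyFile` at service start (e.g. `$(cat …)` in the shell script) or interpolated at evaluation time with something like `readFile`; only the former keeps the secret out of the store, which is the whole point of the new option, so that line deserves a check.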
@@ -123,7 +151,7 @@ in
cat > ${server.workDir}/bepasty-${name}.conf <