nixos/mxisd: allow passing secrets

Suppose you want to provide a LDAP-based directory search to your homeserver via a service-user with a bind-password. To make sure that this doesn't end up in the Nix store, it's now possible to set a substitute for the bindPassword like services.mxisd.extraConfig.ldap.connection = { # host, bindDn etc. bindPassword = "$LDAP_BIND_PW"; }; and write the actual secret into an environment file that's readable for `mxisd.service` containing LDAP_BIND_PW=<your secret bind pw> and the following setting in the Nix expression: services.mxisd.environmentFile = "/runs/ecrets/mxisd"; (cherry picked from commit aa25ce7aa1a89618e4257fd46c7d20879f54c728)
2022-07-13 19:03:50 +02:00 · 2022-07-13 19:03:50 +02:00 · d54d70f166
commit d54d70f166
parent b0c5f3dd4c
1 changed files with 15 additions and 1 deletions
--- a/nixos/modules/services/networking/mxisd.nix
+++ b/nixos/modules/services/networking/mxisd.nix
@ -46,6 +46,15 @@ in {
        description = "The mxisd/ma1sd package to use";
      };

+      environmentFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Path to an environment-file which may contain secrets to be
+          substituted via <package>envsubst</package>.
+        '';
+      };
+
      dataDir = mkOption {
        type = types.str;
        default = "/var/lib/mxisd";
@ -118,7 +127,12 @@ in {
        Type = "simple";
        User = "mxisd";
        Group = "mxisd";
-        ExecStart = "${cfg.package}/bin/${executable} -c ${configFile}";
+        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+        ExecStart = "${cfg.package}/bin/${executable} -c ${cfg.dataDir}/mxisd-config.yaml";
+        ExecStartPre = "${pkgs.writeShellScript "mxisd-substitute-secrets" ''
+          ${pkgs.envsubst}/bin/envsubst -o ${cfg.dataDir}/mxisd-config.yaml \
+            -i ${configFile}
+        ''}";
        WorkingDirectory = cfg.dataDir;
        Restart = "on-failure";
      };