From bf7d05e64d1172ad9356b87bc8c2a643f600e1f0 Mon Sep 17 00:00:00 2001
From: clerie
Date: Sat, 26 Jun 2021 14:10:05 +0200
Subject: [PATCH] nixos/keepalived: add secrets support
---
 .../networking/keepalived/default.nix | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/networking/keepalived/default.nix b/nixos/modules/services/networking/keepalived/default.nix
index c9ac2ee25990..c9bfe64b1a80 100644
--- a/nixos/modules/services/networking/keepalived/default.nix
+++ b/nixos/modules/services/networking/keepalived/default.nix
@@ -264,6 +264,19 @@ in
 ''; };
+ secretFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/run/keys/keepalived.env";
+ description = ''
+ Environment variables from this file will be interpolated into the
+ final config file using envsubst with this syntax: $ENVIRONMENT
+ or ''${VARIABLE}.
+ The file should contain lines formatted as SECRET_VAR=SECRET_VALUE.
+ This is useful to avoid putting secrets into the nix store.
+ '';
+ };
+ }; };
@@ -282,7 +295,9 @@ in
 }; };
- systemd.services.keepalived = {
+ systemd.services.keepalived = let
+ finalConfigFile = if cfg.secretFile == null then keepalivedConf else "/run/keepalived/keepalived.conf";
+ in {
 description = "Keepalive Daemon (LVS and VRRP)";
 after = [ "network.target" "network-online.target" "syslog.target" ];
 wants = [ "network-online.target" ];
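Review bot: The `secretFile` description does not say what happens when the rendered config references a variable the file does not define, nor that substitution is applied to every `$NAME`/`''${NAME}` occurrence in the generated keepalived.conf, including ones the user never meant as placeholders (a `$1` in a `notify` script command line, for example). I would extend the description with: `Every $NAME or ''${NAME} in the generated configuration is rewritten, so literal dollar signs in script command lines are affected too; with envsubst's default behaviour a variable that is missing from this file is replaced by an empty string instead of failing the service start.` The second half is inferred from envsubst's usual defaults and should be confirmed against the pinned `pkgs.envsubst`. The same file is also handed to systemd's `EnvironmentFile=` in a later hunk, so the description should state that the file must follow that setting's format (one `KEY=VALUE` per line, systemd quoting rules) rather than just "lines formatted as SECRET_VAR=SECRET_VALUE".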
@@ -290,8 +305,15 @@ in
 Type = "forking";
 PIDFile = pidFile;
 KillMode = "process";
+ RuntimeDirectory = "keepalived";
+ EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;
+ ExecStartPre = lib.optional (cfg.secretFile != null)
+ (pkgs.writeShellScript "keepalived-pre-start" ''
+ umask 077
+ ${pkgs.envsubst}/bin/envsubst -i "${keepalivedConf}" > ${finalConfigFile}
+ '');
 ExecStart = "${pkgs.keepalived}/sbin/keepalived"
- + " -f ${keepalivedConf}"
+ + " -f ${finalConfigFile}"
 + " -p ${pidFile}"
 + optionalString cfg.snmp.enable " --snmp";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
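Review bot: `EnvironmentFile` on the unit puts every secret from `cfg.secretFile` into the environment of keepalived itself, not only of the pre-start render step, so the secrets are inherited by every `vrrp_script`/`notify` script keepalived spawns (which keepalived supports running as a separate, less privileged script user) and sit in the daemon's environment for its whole lifetime. The secrets are only needed while `envsubst` runs, so I would drop the `EnvironmentFile` line and have the pre-start script load the file itself as sketched below; note that sourcing uses shell quoting rules rather than systemd's `EnvironmentFile=` rules, and `toString` keeps a path-typed `secretFile` from being copied into the store by the string interpolation. Separately, the `-i` flag suggests this is the a8m/envsubst implementation, whose default is to replace an undefined variable with an empty string, so a typo in the secrets file would silently render an empty `auth_pass` instead of failing the start; `-no-unset -no-empty` turns that into an error and is worth confirming against the pinned package. The enclosing `systemd.services.keepalived` attribute set starts in the previous hunk and continues past this one.
```nix
      RuntimeDirectory = "keepalived";
      ExecStartPre = lib.optional (cfg.secretFile != null)
        (pkgs.writeShellScript "keepalived-pre-start" ''
          umask 077
          # Load the secrets for this render step only; nothing else in the unit needs them.
          set -a
          . ${toString cfg.secretFile}
          set +a
          ${pkgs.envsubst}/bin/envsubst -no-unset -no-empty -i "${keepalivedConf}" > ${finalConfigFile}
        '');
      # … unchanged: ExecStart / ExecReload …
```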