secrets are no longer stubs
This commit is contained in:
parent
5c701b6878
commit
669939f2c1
|
|
@ -5,13 +5,17 @@ e11sync-backend: {
|
|||
}: {
|
||||
options.e11sync = with lib.types; {
|
||||
enable = lib.mkEnableOption "Enable e11sync";
|
||||
secretKeyPath = lib.mkOption {type = path;};
|
||||
secretKeyPath = lib.mkOption {type = oneOf [path (enum ["unsafe"])];};
|
||||
secretKeyUnsafe = lib.mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
migrateOnStart = lib.mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
backendPort = lib.mkOption {
|
||||
type = int;
|
||||
type = port;
|
||||
default = 8002;
|
||||
};
|
||||
};
|
||||
|
|
@ -31,10 +35,13 @@ e11sync-backend: {
|
|||
systemd.services = {
|
||||
e11sync-backend = {
|
||||
description = "e11sync backend";
|
||||
environment = {
|
||||
TZ = "UTC";
|
||||
E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
|
||||
};
|
||||
environment = lib.mkMerge [
|
||||
{TZ = "UTC";}
|
||||
(lib.mkIf (cfg.secretKeyPath != "unsafe")
|
||||
{
|
||||
E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
|
||||
})
|
||||
];
|
||||
wantedBy = ["multi-user.target"];
|
||||
serviceConfig = lib.mkMerge [
|
||||
{
|
||||
|
|
@ -44,7 +51,6 @@ e11sync-backend: {
|
|||
RuntimeDirectory = "e11sync";
|
||||
StateDirectory = "e11sync";
|
||||
WorkingDirectory = "/var/lib/e11sync";
|
||||
LoadCredential = "secret_key:${cfg.secretKeyPath}";
|
||||
ExecStart = "${pkg-backend}/bin/e11sync-backend";
|
||||
|
||||
DynamicUser = true;
|
||||
|
|
@ -56,6 +62,9 @@ e11sync-backend: {
|
|||
(lib.mkIf cfg.migrateOnStart {
|
||||
ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
|
||||
})
|
||||
(lib.mkIf (cfg.secretKeyPath != "unsafe") {
|
||||
LoadCredential = "secret_key:${cfg.secretKeyPath}";
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in New Issue