diff --git a/modules/e11sync/default.nix b/modules/e11sync/default.nix
index 24dcebb..428567f 100644
--- a/modules/e11sync/default.nix
+++ b/modules/e11sync/default.nix
@@ -5,13 +5,17 @@ e11sync-backend: {
 }: {
 options.e11sync = with lib.types; {
 enable = lib.mkEnableOption "Enable e11sync";
- secretKeyPath = lib.mkOption {type = path;};
+ secretKeyPath = lib.mkOption {type = oneOf [path (enum ["unsafe"])];};
+ secretKeyUnsafe = lib.mkOption {
+ type = bool;
+ default = false;
+ };
 migrateOnStart = lib.mkOption {
 type = bool;
 default = false;
 };
 backendPort = lib.mkOption {
- type = int;
+ type = port;
 default = 8002;
 };
 };
@@ -31,10 +35,13 @@ e11sync-backend: {
 systemd.services = {
 e11sync-backend = {
 description = "e11sync backend";
- environment = {
- TZ = "UTC";
- E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
- };
+ environment = lib.mkMerge [
+ {TZ = "UTC";}
+ (lib.mkIf (cfg.secretKeyPath != "unsafe")
+ {
+ E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
+ })
+ ];
 wantedBy = ["multi-user.target"];
 serviceConfig = lib.mkMerge [
 {
@@ -44,7 +51,6 @@ e11sync-backend: {
 RuntimeDirectory = "e11sync";
 StateDirectory = "e11sync";
 WorkingDirectory = "/var/lib/e11sync";
- LoadCredential = "secret_key:${cfg.secretKeyPath}";
 ExecStart = "${pkg-backend}/bin/e11sync-backend";
 DynamicUser = true;
@@ -56,6 +62,9 @@ e11sync-backend: {
 (lib.mkIf cfg.migrateOnStart {
 ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
 })
+ (lib.mkIf (cfg.secretKeyPath != "unsafe") {
+ LoadCredential = "secret_key:${cfg.secretKeyPath}";
+ })
 ];
 };
 };
diff --git a/vm.nix b/vm.nix
index 77c97be..3262701 100644
--- a/vm.nix
+++ b/vm.nix
@@ -1,8 +1,8 @@
 {pkgs, ...}: {
 e11sync = {
 enable = true;
- secretKeyPath = "/etc/super";
 migrateOnStart = true;
+ secretKeyPath = "unsafe";
 };
 environment.systemPackages = with pkgs; [
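Review bot: `secretKeyUnsafe` is declared in the first hunk of modules/e11sync/default.nix, but nothing in the visible hunks reads it. The insecure mode is selected only by the sentinel string `secretKeyPath = "unsafe"`, so the module exposes two apparent switches and one of them is inert. An operator who leaves `secretKeyUnsafe = false` could reasonably believe the keyless mode is ruled out while `secretKeyPath = "unsafe"` still enables it. Either drop the option or make it the single switch, for example `secretKeyPath` typed as `nullOr path` plus an `assertions` entry requiring a path unless `secretKeyUnsafe` is true. Both options should also get a `description` saying the unsafe mode is meant for local test VMs only; the options block continues outside the hunk.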
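Review bot: In the `environment` hunk, setting `secretKeyPath` to "unsafe" starts the service with no `E11SYNC_SECRET_KEY_PATH`, and nothing at evaluation time tells the operator. What the backend uses as its key in that case is not visible here; presumably it is a built-in or generated default. Consider adding `warnings = lib.optional (cfg.secretKeyPath == "unsafe") "e11sync: running without a secret key file; not for production";` to the module's config so the choice shows up on every rebuild. The test `cfg.secretKeyPath != "unsafe"` is repeated in the later `serviceConfig` hunk that re-adds `LoadCredential`; binding it once in a `let`, e.g. `useKeyFile = cfg.secretKeyPath != "unsafe";`, keeps the two `mkIf`s from drifting apart. The service definition starts and ends outside this hunk.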