From 669939f2c12b2fd2e860c34f659c93edf7a2ba4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= <motiejus@jakstys.lt>
Date: Tue, 16 Jan 2024 22:48:36 +0200
Subject: [PATCH] secrets are no longer stubs

---
 modules/e11sync/default.nix | 23 ++++++++++++++++-------
 vm.nix                      |  2 +-
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/modules/e11sync/default.nix b/modules/e11sync/default.nix
index 24dcebb..428567f 100644
--- a/modules/e11sync/default.nix
+++ b/modules/e11sync/default.nix
@@ -5,13 +5,17 @@ e11sync-backend: {
 }: {
   options.e11sync = with lib.types; {
     enable = lib.mkEnableOption "Enable e11sync";
-    secretKeyPath = lib.mkOption {type = path;};
+    secretKeyPath = lib.mkOption {type = oneOf [path (enum ["unsafe"])];};
+    secretKeyUnsafe = lib.mkOption {
+      type = bool;
+      default = false;
+    };
     migrateOnStart = lib.mkOption {
       type = bool;
       default = false;
     };
     backendPort = lib.mkOption {
-      type = int;
+      type = port;
       default = 8002;
     };
   };
@@ -31,10 +35,13 @@ e11sync-backend: {
       systemd.services = {
         e11sync-backend = {
           description = "e11sync backend";
-          environment = {
-            TZ = "UTC";
-            E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
-          };
+          environment = lib.mkMerge [
+            {TZ = "UTC";}
+            (lib.mkIf (cfg.secretKeyPath != "unsafe")
+              {
+                E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
+              })
+          ];
           wantedBy = ["multi-user.target"];
           serviceConfig = lib.mkMerge [
             {
@@ -44,7 +51,6 @@ e11sync-backend: {
               RuntimeDirectory = "e11sync";
               StateDirectory = "e11sync";
               WorkingDirectory = "/var/lib/e11sync";
-              LoadCredential = "secret_key:${cfg.secretKeyPath}";
               ExecStart = "${pkg-backend}/bin/e11sync-backend";
 
               DynamicUser = true;
@@ -56,6 +62,9 @@ e11sync-backend: {
             (lib.mkIf cfg.migrateOnStart {
               ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
             })
+            (lib.mkIf (cfg.secretKeyPath != "unsafe") {
+              LoadCredential = "secret_key:${cfg.secretKeyPath}";
+            })
           ];
         };
       };
diff --git a/vm.nix b/vm.nix
index 77c97be..3262701 100644
--- a/vm.nix
+++ b/vm.nix
@@ -1,8 +1,8 @@
 {pkgs, ...}: {
   e11sync = {
     enable = true;
-    secretKeyPath = "/etc/super";
     migrateOnStart = true;
+    secretKeyPath = "unsafe";
   };
 
   environment.systemPackages = with pkgs; [