From 669939f2c12b2fd2e860c34f659c93edf7a2ba4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Tue, 16 Jan 2024 22:48:36 +0200
Subject: [PATCH] secrets are no longer stubs

---
 modules/e11sync/default.nix | 23 ++++++++++++++++-------
 vm.nix | 2 +-
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/modules/e11sync/default.nix b/modules/e11sync/default.nix
index 24dcebb..428567f 100644
--- a/modules/e11sync/default.nix
+++ b/modules/e11sync/default.nix
@@ -5,13 +5,17 @@ e11sync-backend: {
 }: {
 options.e11sync = with lib.types; {
 enable = lib.mkEnableOption "Enable e11sync";
- secretKeyPath = lib.mkOption {type = path;};
+ secretKeyPath = lib.mkOption {type = oneOf [path (enum ["unsafe"])];};
+ secretKeyUnsafe = lib.mkOption {
+ type = bool;
+ default = false;
+ };
 migrateOnStart = lib.mkOption {
 type = bool;
 default = false;
 };
 backendPort = lib.mkOption {
- type = int;
+ type = port;
 default = 8002;
 };
 };
@@ -31,10 +35,13 @@ e11sync-backend: {
 systemd.services = {
 e11sync-backend = {
 description = "e11sync backend";
- environment = {
- TZ = "UTC";
- E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
- };
+ environment = lib.mkMerge [
+ {TZ = "UTC";}
+ (lib.mkIf (cfg.secretKeyPath != "unsafe")
+ {
+ E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
+ })
+ ];
 wantedBy = ["multi-user.target"];
 serviceConfig = lib.mkMerge [
 {
@@ -44,7 +51,6 @@ e11sync-backend: {
 RuntimeDirectory = "e11sync";
 StateDirectory = "e11sync";
 WorkingDirectory = "/var/lib/e11sync";
- LoadCredential = "secret_key:${cfg.secretKeyPath}";
 ExecStart = "${pkg-backend}/bin/e11sync-backend";
 DynamicUser = true;
 
@@ -56,6 +62,9 @@ e11sync-backend: {
 (lib.mkIf cfg.migrateOnStart {
 ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
 })
+ (lib.mkIf (cfg.secretKeyPath != "unsafe") {
+ LoadCredential = "secret_key:${cfg.secretKeyPath}";
+ })
 ];
 };
 };
diff --git a/vm.nix b/vm.nix
index 77c97be..3262701 100644
--- a/vm.nix
+++ b/vm.nix
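Review bot: `secretKeyUnsafe` is declared in the options hunk but nothing in the patch reads it — the two `lib.mkIf` conditions added later test `cfg.secretKeyPath != "unsafe"` instead — so it is a dead option that can silently disagree with the sentinel value. Either remove it or make it the single switch those conditions test, so that one setting cannot say "unsafe" while the other says false. Both new options also lack a `description`; something like `description = "Path to the file holding the backend secret key, or \"unsafe\" to run without a provisioned key (development only).";` would tell a reader what the sentinel means before they copy it from vm.nix. The enclosing `options.e11sync` set continues outside the hunk.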
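Review bot: The `cfg.secretKeyPath != "unsafe"` test introduced in the `environment` hunk is repeated verbatim in the `LoadCredential` hunk below, so a later change to the sentinel has to be made in two places; bind it once, `useSecretKey = cfg.secretKeyPath != "unsafe";` in the module's `let` (which, if present, is outside these hunks), and reference `useSecretKey` in both `lib.mkIf` calls. In the unsafe case the variable is simply omitted and the unit starts with no indication that it is running on whatever the backend falls back to when `E11SYNC_SECRET_KEY_PATH` is unset, which this diff does not show; adding `warnings = lib.optional (cfg.secretKeyPath == "unsafe") "e11sync: secretKeyPath is \"unsafe\"; the backend runs without a provisioned secret key.";` beside the service definition would surface that at evaluation time rather than only at runtime. The `e11sync-backend` service attribute set continues outside the hunk.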
@@ -1,8 +1,8 @@
 {pkgs, ...}: {
 e11sync = {
 enable = true;
- secretKeyPath = "/etc/super";
 migrateOnStart = true;
+ secretKeyPath = "unsafe";
 };
 environment.systemPackages = with pkgs; [