commit 669939f2c12b2fd2e860c34f659c93edf7a2ba4d (tree)
parent 5c701b6878b5050d802756e19d3adcc1d31b0507
Author: Motiejus Jakštys <motiejus@jakstys.lt>
Date: Tue, 16 Jan 2024 22:48:36 +0200
secrets are no longer stubs
Diffstat:
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/modules/e11sync/default.nix b/modules/e11sync/default.nix
@@ -5,13 +5,17 @@ e11sync-backend: {
}: {
options.e11sync = with lib.types; {
enable = lib.mkEnableOption "Enable e11sync";
- secretKeyPath = lib.mkOption {type = path;};
+ secretKeyPath = lib.mkOption {type = oneOf [path (enum ["unsafe"])];};
+ secretKeyUnsafe = lib.mkOption {
+ type = bool;
+ default = false;
+ };
migrateOnStart = lib.mkOption {
type = bool;
default = false;
};
backendPort = lib.mkOption {
- type = int;
+ type = port;
default = 8002;
};
};
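Review bot: The `secretKeyUnsafe` option added at lines 15-18 is never read — both later guards in this file key on `cfg.secretKeyPath != "unsafe"` — so setting it to `true` has no effect, while a reader would take it for the switch that enables the unsafe mode. Either drop it, or make it the single switch: `secretKeyPath = lib.mkOption {type = nullOr path; default = null;};` with the two `mkIf` conditions testing `!cfg.secretKeyUnsafe` and an `assertions` entry requiring exactly one of the two to be set, instead of overloading a path-typed option with a sentinel string. None of the options carry a `description`; the unsafe one at least deserves `description = "Run the backend without a secret key file (development VMs only).";`.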
@@ -31,10 +35,13 @@ e11sync-backend: {
systemd.services = {
e11sync-backend = {
description = "e11sync backend";
- environment = {
- TZ = "UTC";
- E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
- };
+ environment = lib.mkMerge [
+ {TZ = "UTC";}
+ (lib.mkIf (cfg.secretKeyPath != "unsafe")
+ {
+ E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
+ })
+ ];
wantedBy = ["multi-user.target"];
serviceConfig = lib.mkMerge [
{
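Review bot: The path exported at line 41, `/run/credentials/secret_key`, does not look like where `LoadCredential=` places the file — systemd exposes loaded credentials under the per-unit directory `$CREDENTIALS_DIRECTORY` (`/run/credentials/<unit>/`), so unless the backend resolves the variable relative to that directory the non-unsafe path would fail to find the key now that the secret is real; `E11SYNC_SECRET_KEY_PATH = "%d/secret_key";` (the `%d` specifier) or the full `e11sync-backend.service` path would be the usual fix, worth verifying against the backend. The `cfg.secretKeyPath != "unsafe"` test is also repeated at line 58 in the `LoadCredential` hunk; a single `let useKeyFile = cfg.secretKeyPath != "unsafe"; in` binding above `systemd.services` would keep the environment and credential guards from drifting apart. The `systemd.services` attribute set this hunk edits starts and ends outside the hunk.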
@@ -44,7 +51,6 @@ e11sync-backend: {
RuntimeDirectory = "e11sync";
StateDirectory = "e11sync";
WorkingDirectory = "/var/lib/e11sync";
- LoadCredential = "secret_key:${cfg.secretKeyPath}";
ExecStart = "${pkg-backend}/bin/e11sync-backend";
DynamicUser = true;
@@ -56,6 +62,9 @@ e11sync-backend: {
(lib.mkIf cfg.migrateOnStart {
ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
})
+ (lib.mkIf (cfg.secretKeyPath != "unsafe") {
+ LoadCredential = "secret_key:${cfg.secretKeyPath}";
+ })
];
};
};
diff --git a/vm.nix b/vm.nix
@@ -1,8 +1,8 @@
{pkgs, ...}: {
e11sync = {
enable = true;
- secretKeyPath = "/etc/super";
migrateOnStart = true;
+ secretKeyPath = "unsafe";
};
environment.systemPackages = with pkgs; [