secrets are no longer stubs
This commit is contained in:
parent
5c701b6878
commit
669939f2c1
@ -5,13 +5,17 @@ e11sync-backend: {
|
|||||||
}: {
|
}: {
|
||||||
options.e11sync = with lib.types; {
|
options.e11sync = with lib.types; {
|
||||||
enable = lib.mkEnableOption "Enable e11sync";
|
enable = lib.mkEnableOption "Enable e11sync";
|
||||||
secretKeyPath = lib.mkOption {type = path;};
|
secretKeyPath = lib.mkOption {type = oneOf [path (enum ["unsafe"])];};
|
||||||
|
secretKeyUnsafe = lib.mkOption {
|
||||||
|
type = bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
migrateOnStart = lib.mkOption {
|
migrateOnStart = lib.mkOption {
|
||||||
type = bool;
|
type = bool;
|
||||||
default = false;
|
default = false;
|
||||||
};
|
};
|
||||||
backendPort = lib.mkOption {
|
backendPort = lib.mkOption {
|
||||||
type = int;
|
type = port;
|
||||||
default = 8002;
|
default = 8002;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -31,10 +35,13 @@ e11sync-backend: {
|
|||||||
systemd.services = {
|
systemd.services = {
|
||||||
e11sync-backend = {
|
e11sync-backend = {
|
||||||
description = "e11sync backend";
|
description = "e11sync backend";
|
||||||
environment = {
|
environment = lib.mkMerge [
|
||||||
TZ = "UTC";
|
{TZ = "UTC";}
|
||||||
|
(lib.mkIf (cfg.secretKeyPath != "unsafe")
|
||||||
|
{
|
||||||
E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
|
E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
|
||||||
};
|
})
|
||||||
|
];
|
||||||
wantedBy = ["multi-user.target"];
|
wantedBy = ["multi-user.target"];
|
||||||
serviceConfig = lib.mkMerge [
|
serviceConfig = lib.mkMerge [
|
||||||
{
|
{
|
||||||
@ -44,7 +51,6 @@ e11sync-backend: {
|
|||||||
RuntimeDirectory = "e11sync";
|
RuntimeDirectory = "e11sync";
|
||||||
StateDirectory = "e11sync";
|
StateDirectory = "e11sync";
|
||||||
WorkingDirectory = "/var/lib/e11sync";
|
WorkingDirectory = "/var/lib/e11sync";
|
||||||
LoadCredential = "secret_key:${cfg.secretKeyPath}";
|
|
||||||
ExecStart = "${pkg-backend}/bin/e11sync-backend";
|
ExecStart = "${pkg-backend}/bin/e11sync-backend";
|
||||||
|
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
@ -56,6 +62,9 @@ e11sync-backend: {
|
|||||||
(lib.mkIf cfg.migrateOnStart {
|
(lib.mkIf cfg.migrateOnStart {
|
||||||
ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
|
ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
|
||||||
})
|
})
|
||||||
|
(lib.mkIf (cfg.secretKeyPath != "unsafe") {
|
||||||
|
LoadCredential = "secret_key:${cfg.secretKeyPath}";
|
||||||
|
})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
2
vm.nix
2
vm.nix
@ -1,8 +1,8 @@
|
|||||||
{pkgs, ...}: {
|
{pkgs, ...}: {
|
||||||
e11sync = {
|
e11sync = {
|
||||||
enable = true;
|
enable = true;
|
||||||
secretKeyPath = "/etc/super";
|
|
||||||
migrateOnStart = true;
|
migrateOnStart = true;
|
||||||
|
secretKeyPath = "unsafe";
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
Loading…
Reference in New Issue
Block a user