
secrets are no longer stubs

This commit is contained in:
Motiejus Jakštys 2024-01-16 22:48:36 +02:00
parent 5c701b6878
commit 669939f2c1
2 changed files with 17 additions and 8 deletions


@ -5,13 +5,17 @@ e11sync-backend: {
}: { }: {
options.e11sync = with lib.types; { options.e11sync = with lib.types; {
enable = lib.mkEnableOption "Enable e11sync"; enable = lib.mkEnableOption "Enable e11sync";
secretKeyPath = lib.mkOption {type = path;}; secretKeyPath = lib.mkOption {type = oneOf [path (enum ["unsafe"])];};
secretKeyUnsafe = lib.mkOption {
type = bool;
default = false;
};
migrateOnStart = lib.mkOption { migrateOnStart = lib.mkOption {
type = bool; type = bool;
default = false; default = false;
}; };
backendPort = lib.mkOption { backendPort = lib.mkOption {
type = int; type = port;
default = 8002; default = 8002;
}; };
}; };
@ -31,10 +35,13 @@ e11sync-backend: {
systemd.services = { systemd.services = {
e11sync-backend = { e11sync-backend = {
description = "e11sync backend"; description = "e11sync backend";
environment = { environment = lib.mkMerge [
TZ = "UTC"; {TZ = "UTC";}
E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key"; (lib.mkIf (cfg.secretKeyPath != "unsafe")
}; {
E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
})
];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
serviceConfig = lib.mkMerge [ serviceConfig = lib.mkMerge [
{ {
@ -44,7 +51,6 @@ e11sync-backend: {
RuntimeDirectory = "e11sync"; RuntimeDirectory = "e11sync";
StateDirectory = "e11sync"; StateDirectory = "e11sync";
WorkingDirectory = "/var/lib/e11sync"; WorkingDirectory = "/var/lib/e11sync";
LoadCredential = "secret_key:${cfg.secretKeyPath}";
ExecStart = "${pkg-backend}/bin/e11sync-backend"; ExecStart = "${pkg-backend}/bin/e11sync-backend";
DynamicUser = true; DynamicUser = true;
@ -56,6 +62,9 @@ e11sync-backend: {
(lib.mkIf cfg.migrateOnStart { (lib.mkIf cfg.migrateOnStart {
ExecStartPre = "${pkg-backend}/bin/e11sync migrate"; ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
}) })
(lib.mkIf (cfg.secretKeyPath != "unsafe") {
LoadCredential = "secret_key:${cfg.secretKeyPath}";
})
]; ];
}; };
}; };
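Review bot: The `secretKeyUnsafe` bool option added in the first hunk is never read — the environment block in the second hunk and the LoadCredential block in the fourth are both gated on `cfg.secretKeyPath != "unsafe"`, so setting `secretKeyUnsafe = true` has no effect while reading as if it were the switch that disables credential loading. Either drop the option or make it the single gate, keeping `secretKeyPath = lib.mkOption {type = path;};` and wrapping the two blocks in `lib.mkIf (!cfg.secretKeyUnsafe)`, so the module has one way to express the unsafe mode rather than a typed sentinel and an unused flag that can disagree. A one-line comment on `secretKeyPath` stating what happens at `"unsafe"` (E11SYNC_SECRET_KEY_PATH is not exported and no credential is loaded) would also help, since nothing in the module says what the backend then falls back to. The option set and the service definition both extend outside the visible hunks.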

vm.nix

@ -1,8 +1,8 @@
{pkgs, ...}: { {pkgs, ...}: {
e11sync = { e11sync = {
enable = true; enable = true;
secretKeyPath = "/etc/super";
migrateOnStart = true; migrateOnStart = true;
secretKeyPath = "unsafe";
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [