author | linj <linj.dev@outlook.com> | 2022-03-15 01:10:55 +0800 |
committer | Robert Schütz <github@dotlambda.de> | 2022-05-29 13:34:14 -0700 |
commit | 37792e5766ced355c8c93140a108950300b67fe1 (patch) | |
tree | e3e21cc71869bfdbf5eff5873823d9942da926c0 | |
parent | be9bafbf64f2618354ce03fede23da7499ba39c4 (diff) | |
nixos/dendrite: add an option loadCredential
systemd 247 provides a mechanism called LoadCredential for secrets, which is preferable to an environment file. See the section on Environment= in the systemd.exec manual for more information. Some options in config.yaml need string values, which currently can be supplied with environmentFile but not with loadCredential. It is still possible to use loadCredential for those options, e.g. by substituting their values in ExecStart, but not in ExecStartPre due to [1]. [1]: https://github.com/systemd/systemd/issues/19604
-rw-r--r-- | nixos/modules/services/misc/dendrite.nix | 19 | ||||
-rw-r--r-- | nixos/tests/dendrite.nix | 3 |
2 files changed, 19 insertions, 3 deletions
diff --git a/nixos/modules/services/misc/dendrite.nix b/nixos/modules/services/misc/dendrite.nix
index ac5df9951b3..54052084b33 100644
--- a/nixos/modules/services/misc/dendrite.nix
+++ b/nixos/modules/services/misc/dendrite.nix
@@ -74,6 +74,18 @@ in
  <literal>dendrite</literal> is running.
  '';
  };
+ loadCredential = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ example = [ "private_key:/path/to/my_private_key" ];
+ description = ''
+ This can be used to pass secrets to the systemd service without adding them to
+ the nix store.
+ To use the example setting, see the example of
+ <option>services.dendrite.settings.global.private_key</option>.
+ See the LoadCredential section of systemd.exec manual for more information.
+ '';
+ };
  settings = lib.mkOption {
  type = lib.types.submodule {
  freeformType = settingsFormat.type;
@@ -88,8 +100,10 @@ in
  '';
  };
  private_key = lib.mkOption {
- type = lib.types.path;
- example = "${workingDir}/matrix_key.pem";
+ type = lib.types.either
+ lib.types.path
+ (lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/.+");
+ example = "$CREDENTIALS_DIRECTORY/private_key";
  description = ''
  The path to the signing private key file, used to sign
  requests and events.
@@ -256,6 +270,7 @@ in
  RuntimeDirectoryMode = "0700";
  LimitNOFILE = 65535;
  EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
+ LoadCredential = cfg.loadCredential;
  ExecStartPre = ''
  ${pkgs.envsubst}/bin/envsubst \
  -i ${configurationYaml} \
diff --git a/nixos/tests/dendrite.nix b/nixos/tests/dendrite.nix
index d4a5bb13226..1ff415433b4 100644
--- a/nixos/tests/dendrite.nix
+++ b/nixos/tests/dendrite.nix
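Review bot: The new `loadCredential` option's description never states the entry format or which settings can actually consume a credential; the `example` shows the `ID:PATH` shape but the text does not say so, and the commit message's caveat that credential files cannot be read during ExecStartPre (where the envsubst rendering of the configuration happens) is not carried into the documentation a user will read. Suggest adding after the first sentence: `Each entry has the form ID:PATH, as accepted by systemd's LoadCredential=; the service can then read the secret at $CREDENTIALS_DIRECTORY/ID.` and a sentence noting that settings which need the secret's value as a string, rather than a file path, still have to go through <option>services.dendrite.environmentFile</option>, because the configuration is rendered in ExecStartPre (per the systemd issue linked in the commit message). `type = lib.types.listOf lib.types.str` also accepts any string; a `strMatching` constraint for the `ID:PATH` shape would surface a malformed entry at evaluation time instead of at service start.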
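Review bot: The `private_key` description, which continues below this hunk, still reads "The path to the signing private key file" and does not distinguish the two forms the new `either` type accepts; when a Nix path value is given, rendering the configuration copies the key into the world-readable Nix store, which is exactly what the `$CREDENTIALS_DIRECTORY/...` form exists to avoid, so the description should say so. Suggest adding to the description: `A Nix path is copied into the Nix store and is therefore readable by every local user; for a real signing key use the $CREDENTIALS_DIRECTORY/ID form together with <option>services.dendrite.loadCredential</option>.` The pattern `^\\$CREDENTIALS_DIRECTORY/.+` also accepts `..` path components and nested paths that LoadCredential= never creates; `(lib.types.strMatching "^\\$CREDENTIALS_DIRECTORY/[^/]+$")` restricts the value to a single credential ID.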
@@ -17,10 +17,11 @@ import ./make-test-python.nix (
  homeserver = { pkgs, ... }: {
  services.dendrite = {
  enable = true;
+ loadCredential = [ "test_private_key:${private_key}" ];
  openRegistration = true;
  settings = {
  global.server_name = "test-dendrite-server.com";
- global.private_key = private_key;
+ global.private_key = "$CREDENTIALS_DIRECTORY/test_private_key";
  client_api.registration_disabled = false;
  };
  };