author | netali <me@netali.de> | 2022-12-26 02:01:03 +0100 |
---|---|---|
committer | netali <me@netali.de> | 2022-12-26 02:12:31 +0100 |
commit | 64a957a7d1c3e7d1d0efbaa71d52eecb9e2e6f1c (patch) | |
tree | e72c5e2ca0879d923856b4469ec67ad9adaa1be4 | |
parent | 00a40e2cf4688e90045994ca23e78ca10c7bbfea (diff) | |
nixos/powerdns: add secretFile option
-rw-r--r-- | nixos/modules/services/networking/powerdns.nix | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/powerdns.nix b/nixos/modules/services/networking/powerdns.nix
index 6aa5928d637..850a128cf1a 100644
--- a/nixos/modules/services/networking/powerdns.nix
+++ b/nixos/modules/services/networking/powerdns.nix
@@ -5,6 +5,7 @@ with lib;
 let
 cfg = config.services.powerdns;
 configDir = pkgs.writeTextDir "pdns.conf" "${cfg.extraConfig}";
+ finalConfigDir = if cfg.secretFile == null then configDir else "/run/pdns";
 in {
 options = {
 services.powerdns = {
@@ -19,6 +20,19 @@ in {
 for details on supported values.
 '';
 };
+
+ secretFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/run/keys/powerdns.env";
+ description = lib.mdDoc ''
+ Environment variables from this file will be interpolated into the
+ final config file using envsubst with this syntax: `$ENVIRONMENT`
+ or `''${VARIABLE}`.
+ The file should contain lines formatted as `SECRET_VAR=SECRET_VALUE`.
+ This is useful to avoid putting secrets into the nix store.
+ '';
+ };
 };
 };
@@ -31,7 +45,13 @@ in {
 after = [ "network.target" "mysql.service" "postgresql.service" "openldap.service" ];
 serviceConfig = {
- ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${configDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
+ EnvironmentFile = lib.optional (cfg.secretFile != null) cfg.secretFile;
+ ExecStartPre = lib.optional (cfg.secretFile != null)
+ (pkgs.writeShellScript "pdns-pre-start" ''
+ umask 077
+ ${pkgs.envsubst}/bin/envsubst -i "${configDir}/pdns.conf" > ${finalConfigDir}/pdns.conf
+ '');
+ ExecStart = [ "" "${pkgs.pdns}/bin/pdns_server --config-dir=${finalConfigDir} --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no" ];
 };
 };
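Review bot: The new `secretFile` description does not say that the substitution is applied to the whole rendered `extraConfig`, so any literal `$NAME` or `${NAME}` sequence already present in `extraConfig` (for example in a backend query string) will be rewritten by envsubst as soon as `secretFile` is set. I'd add a sentence after the `SECRET_VAR=SECRET_VALUE` line along the lines of: `Every \`$NAME\` or \`''${NAME}\` sequence in {option}\`extraConfig\` is substituted, so avoid literal dollar signs there when this option is set.` It would also help operators to state that the file is handed to systemd via `EnvironmentFile`, so it can be kept readable by root only rather than by the service user (presumably how systemd reads it; worth confirming in the final wording).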
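Review bot: The pre-start script writes the rendered config to `/run/pdns`, but nothing in this hunk creates that directory or restricts its mode, and envsubst replaces an unset variable with an empty string, so a misspelled `$DB_PASSWORD` yields a config with an empty password instead of a failed start. I'd add `RuntimeDirectory = "pdns";` and `RuntimeDirectoryMode = "0700";` to `serviceConfig` unless the upstream unit pulled in through `systemd.packages` already declares one (not visible from the hunk), and invoke `${pkgs.envsubst}/bin/envsubst -no-unset -no-empty -i "${configDir}/pdns.conf" > ${finalConfigDir}/pdns.conf` so an unresolved placeholder aborts the start. The `umask 077` only protects the file itself; the directory mode is what keeps other local users from listing or replacing it. The enclosing `systemd.services.pdns` attribute set starts and ends outside the hunk.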