1 files changed, 57 insertions, 32 deletions
diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix
index 89127850641..cc9495bf238 100644
--- a/nixos/modules/services/networking/resilio.nix
+++ b/nixos/modules/services/networking/resilio.nix
@@ -8,7 +8,6 @@ let
   resilioSync = pkgs.resilio-sync;
 
   sharedFoldersRecord = map (entry: {
-    secret = entry.secret;
     dir = entry.directory;
 
     use_relay_server = entry.useRelayServer;
@@ -40,6 +39,31 @@ let
     shared_folders = sharedFoldersRecord;
   }));
 
+  sharedFoldersSecretFiles = map (entry: {
+    dir = entry.directory;
+    secretFile = if builtins.hasAttr "secret" entry then
+      toString (pkgs.writeTextFile {
+        name = "secret-file";
+        text = entry.secret;
+      })
+    else
+      entry.secretFile;
+  }) cfg.sharedFolders;
+
+  runConfigPath = "/run/rslsync/config.json";
+
+  createConfig = pkgs.writeShellScriptBin "create-resilio-config" ''
+    ${pkgs.jq}/bin/jq \
+      '.shared_folders |= map(.secret = $ARGS.named[.dir])' \
+      ${
+        lib.concatMapStringsSep " \\\n  "
+        (entry: ''--arg '${entry.dir}' "$(cat '${entry.secretFile}')"'')
+        sharedFoldersSecretFiles
+      } \
+      <${configFile} \
+      >${runConfigPath}
+  '';
+
 in
 {
   options = {
@@ -47,7 +71,7 @@ in
       enable = mkOption {
         type = types.bool;
         default = false;
-        description = ''
+        description = lib.mdDoc ''
           If enabled, start the Resilio Sync daemon. Once enabled, you can
           interact with the service through the Web UI, or configure it in your
           NixOS configuration.
@@ -59,7 +83,7 @@ in
         example = "Voltron";
         default = config.networking.hostName;
         defaultText = literalExpression "config.networking.hostName";
-        description = ''
+        description = lib.mdDoc ''
           Name of the Resilio Sync device.
         '';
       };
@@ -68,7 +92,7 @@ in
         type = types.int;
         default = 0;
         example = 44444;
-        description = ''
+        description = lib.mdDoc ''
           Listening port. Defaults to 0 which randomizes the port.
         '';
       };
@@ -76,7 +100,7 @@ in
       checkForUpdates = mkOption {
         type = types.bool;
         default = true;
-        description = ''
+        description = lib.mdDoc ''
           Determines whether to check for updates and alert the user
           about them in the UI.
         '';
@@ -85,7 +109,7 @@ in
       useUpnp = mkOption {
         type = types.bool;
         default = true;
-        description = ''
+        description = lib.mdDoc ''
           Use Universal Plug-n-Play (UPnP)
         '';
       };
@@ -94,7 +118,7 @@ in
         type = types.int;
         default = 0;
         example = 1024;
-        description = ''
+        description = lib.mdDoc ''
           Download speed limit. 0 is unlimited (default).
         '';
       };
@@ -103,7 +127,7 @@ in
         type = types.int;
         default = 0;
         example = 1024;
-        description = ''
+        description = lib.mdDoc ''
           Upload speed limit. 0 is unlimited (default).
         '';
       };
@@ -112,7 +136,7 @@ in
         type = types.str;
         default = "[::1]";
         example = "0.0.0.0";
-        description = ''
+        description = lib.mdDoc ''
           HTTP address to bind to.
         '';
       };
@@ -120,7 +144,7 @@ in
       httpListenPort = mkOption {
         type = types.int;
         default = 9000;
-        description = ''
+        description = lib.mdDoc ''
           HTTP port to bind on.
         '';
       };
@@ -129,7 +153,7 @@ in
         type = types.str;
         example = "allyourbase";
         default = "";
-        description = ''
+        description = lib.mdDoc ''
           HTTP web login username.
         '';
       };
@@ -138,7 +162,7 @@ in
         type = types.str;
         example = "arebelongtous";
         default = "";
-        description = ''
+        description = lib.mdDoc ''
           HTTP web login password.
         '';
       };
@@ -146,23 +170,23 @@ in
       encryptLAN = mkOption {
         type = types.bool;
         default = true;
-        description = "Encrypt LAN data.";
+        description = lib.mdDoc "Encrypt LAN data.";
       };
 
       enableWebUI = mkOption {
         type = types.bool;
         default = false;
-        description = ''
+        description = lib.mdDoc ''
           Enable Web UI for administration. Bound to the specified
-          <literal>httpListenAddress</literal> and
-          <literal>httpListenPort</literal>.
+          `httpListenAddress` and
+          `httpListenPort`.
           '';
       };
 
       storagePath = mkOption {
         type = types.path;
         default = "/var/lib/resilio-sync/";
-        description = ''
+        description = lib.mdDoc ''
           Where BitTorrent Sync will store it's database files (containing
           things like username info and licenses). Generally, you should not
           need to ever change this.
@@ -172,21 +196,21 @@ in
       apiKey = mkOption {
         type = types.str;
         default = "";
-        description = "API key, which enables the developer API.";
+        description = lib.mdDoc "API key, which enables the developer API.";
       };
 
       directoryRoot = mkOption {
         type = types.str;
         default = "";
         example = "/media";
-        description = "Default directory to add folders in the web UI.";
+        description = lib.mdDoc "Default directory to add folders in the web UI.";
       };
 
       sharedFolders = mkOption {
         default = [];
         type = types.listOf (types.attrsOf types.anything);
         example =
-          [ { secret         = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y";
+          [ { secretFile     = "/run/resilio-secret";
               directory      = "/home/user/sync_test";
               useRelayServer = true;
               useTracker     = true;
@@ -199,25 +223,22 @@ in
               ];
             }
           ];
-        description = ''
+        description = lib.mdDoc ''
           Shared folder list. If enabled, web UI must be
-          disabled. Secrets can be generated using <literal>rslsync
-          --generate-secret</literal>. Note that this secret will be
-          put inside the Nix store, so it is realistically not very
-          secret.
+          disabled. Secrets can be generated using `rslsync --generate-secret`.
 
           If you would like to be able to modify the contents of this
           directories, it is recommended that you make your user a
-          member of the <literal>rslsync</literal> group.
+          member of the `rslsync` group.
 
           Directories in this list should be in the
-          <literal>rslsync</literal> group, and that group must have
+          `rslsync` group, and that group must have
           write access to the directory. It is also recommended that
-          <literal>chmod g+s</literal> is applied to the directory
+          `chmod g+s` is applied to the directory
           so that any sub directories created will also belong to
-          the <literal>rslsync</literal> group. Also,
-          <literal>setfacl -d -m group:rslsync:rwx</literal> and
-          <literal>setfacl -m group:rslsync:rwx</literal> should also
+          the `rslsync` group. Also,
+          `setfacl -d -m group:rslsync:rwx` and
+          `setfacl -m group:rslsync:rwx` should also
           be applied so that the sub directories are writable by
           the group.
         '';
@@ -256,10 +277,14 @@ in
         Restart   = "on-abort";
         UMask     = "0002";
         User      = "rslsync";
+        RuntimeDirectory = "rslsync";
+        ExecStartPre = "${createConfig}/bin/create-resilio-config";
         ExecStart = ''
-          ${resilioSync}/bin/rslsync --nodaemon --config ${configFile}
+          ${resilioSync}/bin/rslsync --nodaemon --config ${runConfigPath}
         '';
       };
     };
   };
+
+  meta.maintainers = with maintainers; [ jwoudenberg ];
 }