Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/audio/mpd.nix27
1 files changed, 26 insertions, 1 deletions
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index 1d2a982ac53..9e77ee85b89 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -140,6 +140,18 @@ in {
         '';
       };
 
+      credentialsFile = mkOption {
+        type = types.path;
+        description = ''
+          Path to a file to be merged with the settings during the service startup.
+          Useful to merge a file which is better kept out of the Nix store
+          because it contains sensible data like MPD's password. Example may look like this:
+          <literal>password "myMpdPassword@read,add,control,admin"</literal>
+        '';
+        default = "/dev/null";
+        example = "/var/lib/secrets/mpd.conf";
+      };
+
       fluidsynth = mkOption {
         type = types.bool;
         default = false;
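Review bot: The `credentialsFile` description does not say that the value must be given as a string. Because the type is `types.path`, a Nix path literal such as `./mpd-secret.conf` is accepted as well, and interpolating it into the start script copies the file into the world-readable Nix store, which is exactly what this option is meant to avoid. I would add a sentence such as `Must be a quoted absolute path; an unquoted Nix path is copied into the Nix store.` to the description, or change the type to `types.str`. The wording `sensible data` should read `sensitive data`. The enclosing options set starts and ends outside the hunk.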
@@ -181,7 +193,12 @@ in {
 
       serviceConfig = {
         User = "${cfg.user}";
-        ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}";
+        ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /etc/mpd.conf";
+        ExecStartPre = pkgs.writeScript "mpd-start-pre" ''
+          #!${pkgs.runtimeShell}
+          set -euo pipefail
+          cat ${mpdConf} ${cfg.credentialsFile} > /etc/mpd.conf
+        '';
         Type = "notify";
         LimitRTPRIO = 50;
         LimitRTTIME = "infinity";
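Review bot: The `ExecStartPre` script leaves the merged configuration, password included, in a persistent file under `/etc` instead of a location that is removed when the service stops. Setting `RuntimeDirectory = "mpd";` with `RuntimeDirectoryMode = "0700";`, and having the script write to `/run/mpd/mpd.conf` with `ExecStart` reading from there, would confine the secret to a directory only the service user can enter. `${cfg.credentialsFile}` is also interpolated unquoted into the `cat` line, so a path containing spaces or shell metacharacters is split or interpreted by the shell; `${escapeShellArg cfg.credentialsFile}` avoids that. `serviceConfig` continues outside the hunk.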
@@ -195,6 +212,14 @@ in {
         Restart = "always";
       };
     };
+    environment.etc."mpd.conf" = {
+      mode = "0640";
+      group = cfg.group;
+      user = cfg.user;
+      # To be modified by the service' ExecStartPre
+      text = ''
+      '';
+    };
 
     users.users = optionalAttrs (cfg.user == name) {
       ${name} = {
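Review bot: `mode = "0640"` together with `group = cfg.group` makes `/etc/mpd.conf` readable by every member of the service group, and after `ExecStartPre` runs that file holds the merged password. Since the unit runs mpd as `cfg.user`, the owner bits look sufficient, so I would use `mode = "0600";` unless something else in that group has to read the file. The comment could also say why the entry is declared empty, e.g. `# Placeholder owned by the service user; ExecStartPre overwrites it with the merged config and credentials.` The enclosing `config` block continues outside the hunk.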