fix passing secret file as config
parent
e658def798
commit
805e5be3b1
1 changed files with 9 additions and 8 deletions
17
module.nix
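--- a/module.nix
+++ b/module.nix
@@ -57,12 +57,16 @@ in
 };
 
 secretFile = lib.mkOption {
-type = with lib.types; listOf path;
+type = lib.types.nullOr (lib.types.pathWith {
+inStore = false;
+absolute = true;
+});
+default = null;
+example = "/run/keys/mail-quota-warning-secrets";
 description = ''
-A list of files containing the various secrets. Should be in the
-format expected by systemd's `EnvironmentFile` directory.
+A YAML file containing secrets, see example config file
+in the repository.
 '';
-default = [ ];
 };
 
 interval = lib.mkOption {
@@ -91,7 +95,7 @@ in
 // lib.mapAttrs (_: v: toString v) cfg.settings;
 serviceConfig = {
 Type = "simple";
-ExecStart = lib.getExe pkgs.mail-quota-warning;
+ExecStart = "${lib.getExe pkgs.mail-quota-warning}${lib.optionalString (cfg.secretFile != null) " --config ${cfg.secretFile}"}";
 
 # hardening
 AmbientCapabilities = "";
@@ -128,9 +132,6 @@ in
 "~@privileged"
 ];
 UMask = "0077";
-}
-// lib.optionalAttrs (cfg.secretFile != [ ]) {
-EnvironmentFile = cfg.secretFile;
 };
 };
 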
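Review bot: With `--config ${cfg.secretFile}` in `ExecStart`, the service process itself now has to open the secrets file, whereas the removed `EnvironmentFile` was read by systemd before the unit's user and sandboxing applied. A root-only file such as the `/run/keys/...` example may therefore be unreadable to the service; the unit's `User`/`DynamicUser` settings are outside these hunks, so this needs confirming. Consider adding `LoadCredential = "config:${toString cfg.secretFile}";` under `lib.optionalAttrs (cfg.secretFile != null)` and passing `--config %d/config`, so the file can stay root-owned and the service gets a private copy. `toString` also guards against a Nix path literal being copied into the world-readable store on interpolation, which the `inStore = false` check likely does not prevent. Separately, the unquoted interpolation would split a path containing whitespace into several arguments.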