authorEric Wolf <robo-eric@gmx.de>2023-06-24 19:39:01 +0200
committerYt <happysalada@tuta.io>2023-07-03 09:12:40 +0800
commitee5cc38432031b66e7fe395b14235eeb4b2b0d6e (patch)
treee3737d370c326d66ecc098bacba3723e851f1ba2 /nixos/modules/services/web-apps/lemmy.nix
parentb5eafe654a8912ce30f25272facc62c6a40d2a1b (diff)
lemmy: Support secret options
This commit implements #101777 by merging
the config with an external file at startup.
Diffstat (limited to 'nixos/modules/services/web-apps/lemmy.nix')
-rw-r--r--nixos/modules/services/web-apps/lemmy.nix26
1 files changed, 24 insertions, 2 deletions
diff --git a/nixos/modules/services/web-apps/lemmy.nix b/nixos/modules/services/web-apps/lemmy.nix
index dd335302fa47..afbd74976109 100644
--- a/nixos/modules/services/web-apps/lemmy.nix
+++ b/nixos/modules/services/web-apps/lemmy.nix
@@ -77,6 +77,11 @@ in
       };
     };
 
+    secretFile = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      description = lib.mdDoc "Path to a secret JSON configuration file which is merged at runtime with the one generated from {option}`services.lemmy.settings`.";
+    };
   };
 
   config =
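Review bot: The description of `secretFile` does not state the merge semantics, which a user needs to know before writing the file: the merge is done with jq's `*` operator, so keys in the secret file take precedence over the generated configuration and nested objects are merged recursively, meaning a file containing only the `database.password` key is enough without repeating the rest of `database`. It also does not say why the option exists, namely that `services.lemmy.settings` is rendered into the world-readable Nix store and sensitive values therefore belong in this file instead. I would extend the description with two sentences along the lines of "Keys in this file override the same keys in the generated configuration and nested objects are merged recursively." and "Use it for values such as database credentials that must not be written to the Nix store." The file must be plain JSON rather than HJSON, since it is parsed by jq; the existing wording says JSON, which is correct and worth keeping explicit.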
@@ -197,11 +202,14 @@ in
         }
       ];
 
-      systemd.services.lemmy = {
+      systemd.services.lemmy = let
+        configFile = settingsFormat.generate "config.hjson" cfg.settings;
+        mergedConfig = "/run/lemmy/config.hjson";
+      in {
         description = "Lemmy server";
 
         environment = {
-          LEMMY_CONFIG_LOCATION = "${settingsFormat.generate "config.hjson" cfg.settings}";
+          LEMMY_CONFIG_LOCATION = if cfg.secretFile == null then configFile else mergedConfig;
           LEMMY_DATABASE_URL = if cfg.database.uri != null then cfg.database.uri else (mkIf (cfg.database.createLocally) "postgres:///lemmy?host=/run/postgresql&user=lemmy");
         };
 
@@ -216,10 +224,24 @@ in
 
         requires = lib.optionals cfg.database.createLocally [ "postgresql.service" ];
 
+        path = mkIf (cfg.secretFile != null) [ pkgs.jq ];
+
+        # merge the two configs and prevent others from reading the result
+        # if somehow $CREDENTIALS_DIRECTORY is not set we fail
+        preStart = mkIf (cfg.secretFile != null) ''
+          set -u
+          umask 177
+          jq --slurp '.[0] * .[1]' ${lib.escapeShellArg configFile} "$CREDENTIALS_DIRECTORY/secretFile" > ${lib.escapeShellArg mergedConfig}
+        '';
+
         serviceConfig = {
           DynamicUser = true;
           RuntimeDirectory = "lemmy";
           ExecStart = "${cfg.server.package}/bin/lemmy_server";
+          LoadCredential = mkIf (cfg.secretFile != null) "secretFile:${toString cfg.secretFile}";
+          PrivateTmp = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
         };
       };