nixos/garage: Add an environmentFile option

Since garage 0.8.2, garage accepts environment variables for passing secrets,
e.g. `GARAGE_RPC_SECRET` or `GARAGE_ADMIN_TOKEN`. The added `environmentFile`
allows those secrets to not be present in the nix store.

1 files changed, 8 insertions, 1 deletions

diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix
index 8b5734b5a2ce..80fb24fe2c5e 100644
--- a/nixos/modules/services/web-servers/garage.nix
+++ b/nixos/modules/services/web-servers/garage.nix
@@ -23,6 +23,12 @@ in
       example = { RUST_BACKTRACE="yes"; };
     };
 
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      description = lib.mdDoc "File containing environment variables to be passed to the Garage server.";
+      default = null;
+    };
+
     logLevel = mkOption {
       type = types.enum (["info" "debug" "trace"]);
       default = "info";
@@ -80,7 +86,7 @@ in
       after = [ "network.target" "network-online.target" ];
       wants = [ "network.target" "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
-      restartTriggers = [ configFile ];
+      restartTriggers = [ configFile ] ++ (lib.optional (cfg.environmentFile != null) cfg.environmentFile);
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/garage server";
 
@@ -88,6 +94,7 @@ in
         DynamicUser = lib.mkDefault true;
         ProtectHome = true;
         NoNewPrivileges = true;
+        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
       };
       environment = {
         RUST_LOG = lib.mkDefault "garage=${cfg.logLevel}";