authorBruno BELANYI <bruno@belanyi.fr>2023-12-23 14:39:02 +0100
committerBruno BELANYI <bruno@belanyi.fr>2024-01-25 21:36:21 +0000
commitd3a146519683c2b5a3ccdc8fe1ae2f6123664008 (patch)
tree1b769293cbc73b3a839fd9daca5cbc14cc0926ae /nixos
parent64cab3aa8d98a09aaf360b9277b2f7837c064293 (diff)
nixos/aria2: implement 'rpcSecretFile'
Since this is supposed to be a secret, use a file path as an input
instead of making it part of the expression, which would expose it in
the nix store.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/aria2.nix15
1 files changed, 10 insertions, 5 deletions
diff --git a/nixos/modules/services/networking/aria2.nix b/nixos/modules/services/networking/aria2.nix
index e848869cc0ac..1fb55b836798 100644
--- a/nixos/modules/services/networking/aria2.nix
+++ b/nixos/modules/services/networking/aria2.nix
@@ -18,11 +18,14 @@ let
     dir=${cfg.downloadDir}
     listen-port=${concatStringsSep "," (rangesToStringList cfg.listenPortRange)}
     rpc-listen-port=${toString cfg.rpcListenPort}
-    rpc-secret=${cfg.rpcSecret}
   '';
 
 in
 {
+  imports = [
+    (mkRemovedOptionModule [ "services" "aria2" "rpcSecret" ] "Use services.aria2.rpcSecretFile instead")
+  ];
+
   options = {
     services.aria2 = {
       enable = mkOption {
@@ -65,11 +68,11 @@ in
         default = 6800;
         description = lib.mdDoc "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535";
       };
-      rpcSecret = mkOption {
-        type = types.str;
-        default = "aria2rpc";
+      rpcSecretFile = mkOption {
+        type = types.path;
+        example = "/run/secrets/aria2-rpc-token.txt";
         description = lib.mdDoc ''
-          Set RPC secret authorization token.
+          A file containing the RPC secret authorization token.
           Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used.
         '';
       };
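Review bot: `type = types.path` on `rpcSecretFile` also accepts a Nix path literal such as `./token.txt`. When such a value is interpolated into the `LoadCredential` string in the last hunk, the file is copied into the world-readable Nix store, which is the exposure this commit sets out to avoid. The description should warn about it, for example by adding `Must be given as a string (e.g. "/run/secrets/..."), not a Nix path literal, so the token is not copied into the Nix store.` Since the option has no default, it may also be worth stating in the description that it must be set when the service is enabled.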
@@ -117,6 +120,7 @@ in
           touch "${sessionFile}"
         fi
         cp -f "${settingsFile}" "${settingsDir}/aria2.conf"
+        echo "rpc-secret=$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")" >> "${settingsDir}/aria2.conf"
       '';
 
       serviceConfig = {
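Review bot: The appended `rpc-secret=` line lands in `${settingsDir}/aria2.conf` with whatever mode `cp -f` gives the copy, so the token may end up in a file readable by other local users. The permissions of `settingsDir` itself are set outside this hunk and cannot be checked here. Creating the file owner-only before the append would close this, e.g. `install -m 0600 "${settingsFile}" "${settingsDir}/aria2.conf"` in place of the `cp -f` line. Separately, a failing `cat` inside the command substitution does not stop the `echo`, so an unreadable credential would write an empty `rpc-secret=`. Assigning it first (`secret="$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")"`) lets the script abort under `set -e` instead.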
@@ -125,6 +129,7 @@ in
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         User = "aria2";
         Group = "aria2";
+        LoadCredential="rpcSecretFile:${cfg.rpcSecretFile}";
       };
     };
   };