From 76362dd7eb2622f7809961b400f357f360de537f Mon Sep 17 00:00:00 2001
From: WilliButz
Date: Mon, 7 Sep 2020 16:39:18 +0200
Subject: [PATCH] nixos/bitwarden_rs: add environmentFile option

Add the option `environmentFile` to allow passing secrets to the service without adding them to the Nix store, while keeping the current configuration via the existing environment file intact.
---
 .../security/bitwarden_rs/default.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix
index 903a5327037..a04bc883bf0 100644
--- a/nixos/modules/services/security/bitwarden_rs/default.nix
+++ b/nixos/modules/services/security/bitwarden_rs/default.nix
@@ -81,6 +81,23 @@ in {
 the environment template file.
 '';
 };
+
+ environmentFile = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ example = "/root/bitwarden_rs.env";
+ description = ''
+ Additional environment file as defined in
+ systemd.exec5
+ .
+
+ Secrets like ADMIN_TOKEN and SMTP_PASSWORD
+ may be passed to the service without adding them to the world-readable Nix store.
+
+ Note that this file needs to be available on the host on which
+ bitwarden_rs is running.
+ '';
+ };
 };

 config = mkIf cfg.enable {
@@ -101,7 +118,7 @@ in {
 serviceConfig = {
 User = user;
 Group = group;
- EnvironmentFile = configFile;
+ EnvironmentFile = [ configFile ] ++ optional (cfg.environmentFile != null) cfg.environmentFile;
 ExecStart = "${bitwarden_rs}/bin/bitwarden_rs";
 LimitNOFILE = "1048576";
 LimitNPROC = "64";
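Review bot: The description of the new `environmentFile` option (first hunk) promises that secrets stay out of the Nix store, but it does not say how the value has to be written for that to hold. With `type = with types; nullOr path;` a Nix path literal is accepted as well as a string, and a path literal is copied into the world-readable store if it is ever interpolated into a string. Whether that happens here depends on how the unit is rendered, which the hunk does not show. I would add a sentence such as `Pass the path as a string, e.g. "/root/bitwarden_rs.env"; a Nix path literal may be copied into the Nix store.` and another asking for the file to be owned by root with restrictive permissions. The enclosing `options` set starts outside this hunk.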
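Review bot: The order of the `EnvironmentFile` list in the second hunk decides which value wins, and neither the code nor the option description says so. systemd reads the files in order and a later assignment overrides an earlier one, so a variable in `cfg.environmentFile` silently replaces the same variable generated into `configFile`. A comment above the line, for example `# cfg.environmentFile comes last so its values override the generated configFile`, plus one sentence in the option text, would make that precedence explicit. The path is also passed without systemd's `-` prefix, so a missing file makes the unit fail to start instead of running without the secrets. That looks like the safer choice, and it is worth documenting. The `serviceConfig` set continues past the end of the hunk.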