diff --git a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
index 1ece73a1159..dd3bec8ec16 100644
--- a/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/postgres.nix
@@ -30,12 +30,49 @@ in
Whether to run the exporter as the local 'postgres' super user.
'';
};
+
+ # TODO perhaps LoadCredential would be more appropriate
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = "/root/prometheus-postgres-exporter.env";
+ description = ''
+ Environment file as defined in
+ systemd.exec5
+ .
+
+ Secrets may be passed to the service without adding them to the
+ world-readable Nix store, by specifying placeholder variables as
+ the option value in Nix and setting these variables accordingly in the
+ environment file.
+
+ Environment variables from this file will be interpolated into the
+ config file using envsubst with this syntax:
+ $ENVIRONMENT ''${VARIABLE}
+
+ The main use is to set the DATA_SOURCE_NAME that contains the
+ postgres password
+
+ note that contents from this file will override dataSourceName
+ if you have set it from nix.
+
+
+ # Content of the environment file
+ DATA_SOURCE_NAME=postgresql://username:password@localhost:5432/postgres?sslmode=disable
+
+
+ Note that this file needs to be available on the host on which
+ this exporter is running.
+ '';
+ };
+
};
serviceOpts = {
environment.DATA_SOURCE_NAME = cfg.dataSourceName;
serviceConfig = {
DynamicUser = false;
User = mkIf cfg.runAsLocalSuperUser (mkForce "postgres");
+ EnvironmentFile = mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
--web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
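Review bot: The `environmentFile` description says values are "interpolated into the config file using envsubst", but the service definition in this hunk only hands the file to systemd through `EnvironmentFile` and shows no envsubst step or config file, so that paragraph and the "placeholder variables" sentence look carried over from another module and should be dropped. Because the option is `types.path`, the description should also warn that a Nix path literal such as `./exporter.env` would be copied into the world-readable store when the unit is rendered, which defeats the purpose; I would add `Pass an absolute path as a string, pointing outside the Nix store, with permissions restricted to the account that needs it (e.g. root, mode 0600).` Since `environment.DATA_SOURCE_NAME = cfg.dataSourceName;` is still emitted unconditionally, the text should also state that a password set through `dataSourceName` stays in the store-resident unit file even when this file overrides it at runtime. The `serviceOpts` block continues past the end of the hunk, so how the rest of `ExecStart` uses these values is not visible here.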