author | sternenseemann <sternenseemann@systemli.org> | 2022-02-21 14:39:16 +0100 |
committer | sternenseemann <sternenseemann@systemli.org> | 2022-02-21 14:48:24 +0100 |
commit | 7bf79fd1c1e416e2cbae19f898b03b60e0d1eba4 (patch) | |
tree | 298191bfd242c33ffb7c05cf981e30ed7bed54fb | |
parent | f0fbd422fe1524385137d075562fb81159787952 (diff) |
refactor(nixos): use LoadCredential to pass secrets to service
This allows the permissions on the secret files to be restricted further, since only systemd needs to be able to read them.
-rw-r--r-- | nixos/flipdot-gschichtler.nix | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix
index a3b94dd..8d3502d 100644
--- a/nixos/flipdot-gschichtler.nix
+++ b/nixos/flipdot-gschichtler.nix
@@ -72,21 +72,25 @@ in {
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
- environment = {
- WARTERAUM_SALT_FILE = cfg.saltFile;
- WARTERAUM_TOKENS_FILE = cfg.tokensFile;
- };
-
 serviceConfig = {
 Type = "simple";
- ExecStart = "${cfg.packages.warteraum}/bin/warteraum";
- # make only /nix/store and the salt and token file accessible
+ ExecStart = lib.concatStringsSep " " [
+ # See https://github.com/systemd/systemd/issues/22549
+ "${pkgs.coreutils}/bin/env"
+ "WARTERAUM_SALT_FILE=\${CREDENTIALS_DIRECTORY}/salt"
+ "WARTERAUM_TOKENS_FILE=\${CREDENTIALS_DIRECTORY}/tokens"
+ "${cfg.packages.warteraum}/bin/warteraum"
+ ];
+
+ LoadCredential = [
+ "salt:${cfg.saltFile}"
+ "tokens:${cfg.tokensFile}"
+ ];
+
+ # make sure only /nix/store is accessible
 TemporaryFileSystem = "/:ro";
- BindReadOnlyPaths = "/nix/store " + (lib.concatStringsSep " " [
- cfg.saltFile
- cfg.tokensFile
- ]);
+ BindReadOnlyPaths = "/nix/store";
 # TemporaryFileSystem doesn't work with DynamicUser
 User = userGroupName;
 Group = userGroupName;