authorsternenseemann <sternenseemann@systemli.org>2022-02-21 14:39:16 +0100
committersternenseemann <sternenseemann@systemli.org>2022-02-21 14:48:24 +0100
commit7bf79fd1c1e416e2cbae19f898b03b60e0d1eba4 (patch)
tree298191bfd242c33ffb7c05cf981e30ed7bed54fb
parentf0fbd422fe1524385137d075562fb81159787952 (diff)
refactor(nixos): use LoadCredential to pass secrets to service
This allows one to restrict permissions on the files even further, as only
systemd needs to be able to read them.
-rw-r--r--nixos/flipdot-gschichtler.nix26
1 files changed, 15 insertions, 11 deletions
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix
index a3b94dd..8d3502d 100644
--- a/nixos/flipdot-gschichtler.nix
+++ b/nixos/flipdot-gschichtler.nix
@@ -72,21 +72,25 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
-      environment = {
-        WARTERAUM_SALT_FILE = cfg.saltFile;
-        WARTERAUM_TOKENS_FILE = cfg.tokensFile;
-      };
-
       serviceConfig = {
         Type = "simple";
-        ExecStart = "${cfg.packages.warteraum}/bin/warteraum";
 
-        # make only /nix/store and the salt and token file accessible
+        ExecStart = lib.concatStringsSep " " [
+          # See https://github.com/systemd/systemd/issues/22549
+          "${pkgs.coreutils}/bin/env"
+          "WARTERAUM_SALT_FILE=\${CREDENTIALS_DIRECTORY}/salt"
+          "WARTERAUM_TOKENS_FILE=\${CREDENTIALS_DIRECTORY}/tokens"
+          "${cfg.packages.warteraum}/bin/warteraum"
+        ];
+
+        LoadCredential = [
+          "salt:${cfg.saltFile}"
+          "tokens:${cfg.tokensFile}"
+        ];
+
+        # make sure only /nix/store is accessible
         TemporaryFileSystem = "/:ro";
-        BindReadOnlyPaths = "/nix/store " + (lib.concatStringsSep " " [
-          cfg.saltFile
-          cfg.tokensFile
-        ]);
+        BindReadOnlyPaths = "/nix/store";
         # TemporaryFileSystem doesn't work with DynamicUser
         User = userGroupName;
         Group = userGroupName;
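Review bot: The rewritten comment above `TemporaryFileSystem` ("make sure only /nix/store is accessible") is no longer accurate, because the new `LoadCredential` entries make systemd expose `$CREDENTIALS_DIRECTORY` (holding `salt` and `tokens`) inside the unit as well; suggest `# only /nix/store and the systemd-provided credentials directory are accessible`. The `env` wrapper in the new `ExecStart` references `pkgs.coreutils`, so `pkgs` must be a module argument — the module header is outside the hunk, so confirm it is in scope. It would also help to document the assumption that the credentials directory survives `TemporaryFileSystem = "/:ro"` with a short comment on the `LoadCredential` line, e.g. `# systemd mounts these into the unit's own mount namespace; the source files only need to be readable by root`. The enclosing `serviceConfig` attribute set continues outside the hunk.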