authorsinavir <sinavir@sinavir.fr>2024-02-23 22:27:24 +0100
committerWeijia Wang <9713184+wegank@users.noreply.github.com>2024-04-01 19:16:30 +0200
commit1bd3ab39c4f6af7a0f73c303873c678066d24f17 (patch)
tree14e7dbe1516d903aa0c6d172256a94730823b44b /nixos/modules/services/web-apps/castopod.nix
parent8d3698e8f307890354e4321ee4adb64c8b660993 (diff)
nixos/castopod: use LoadCredentials
Diffstat (limited to 'nixos/modules/services/web-apps/castopod.nix')
-rw-r--r--nixos/modules/services/web-apps/castopod.nix12
1 files changed, 10 insertions, 2 deletions
diff --git a/nixos/modules/services/web-apps/castopod.nix b/nixos/modules/services/web-apps/castopod.nix
index 23206ad6c3fdb..0ccba217be4dd 100644
--- a/nixos/modules/services/web-apps/castopod.nix
+++ b/nixos/modules/services/web-apps/castopod.nix
@@ -67,6 +67,8 @@ in
           description = lib.mdDoc ''
             A file containing the password corresponding to
             [](#opt-services.castopod.database.user).
+
+            This file is loaded using systemd LoadCredentials.
           '';
         };
       };
@@ -93,6 +95,8 @@ in
           Environment file to inject e.g. secrets into the configuration.
           See [](https://code.castopod.org/adaures/castopod/-/blob/main/.env.example)
           for available environment variables.
+
+          This file is loaded using systemd LoadCredentials.
         '';
       };
       configureNginx = lib.mkOption {
@@ -207,19 +211,23 @@ in
           echo "analytics.salt=$(cat ${cfg.dataDir}/salt)" >> ${envFile}
 
           ${if (cfg.database.passwordFile != null) then ''
-            echo "database.default.password=$(cat ${lib.escapeShellArg cfg.database.passwordFile})" >> ${envFile}
+            echo "database.default.password=$(cat "$CREDENTIALS_DIRECTORY/dbpasswordfile)" >> ${envFile}
           '' else ''
             echo "database.default.password=" >> ${envFile}
           ''}
 
           ${lib.optionalString (cfg.environmentFile != null) ''
-            cat ${lib.escapeShellArg cfg.environmentFile} >> ${envFile}
+            cat "$CREDENTIALS_DIRECTORY/envfile" >> ${envFile}
           ''}
 
           php ${cfg.package}/share/castopod/spark castopod:database-update
         '';
       serviceConfig = {
         StateDirectory = "castopod";
+        LoadCredential = lib.optional (cfg.environmentFile != null)
+          "envfile:${cfg.environmentFile}"
+        ++ (lib.optional (cfg.database.passwordFile != null)
+          "dbpasswordfile:${cfg.database.passwordFile}");
         WorkingDirectory = "${cfg.package}/share/castopod";
         Type = "oneshot";
         RemainAfterExit = true;
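Review bot: The new database-password line has an unbalanced quote: in `$(cat "$CREDENTIALS_DIRECTORY/dbpasswordfile)"` the inner quote only closes after the `)`, so the command substitution is never terminated and the setup script will fail to parse whenever `database.passwordFile` is set. It should read `echo "database.default.password=$(cat "$CREDENTIALS_DIRECTORY/dbpasswordfile")" >> ${envFile}`, matching the correctly quoted `envfile` line a few lines below. Both secrets are still appended to `${envFile}`, whose path and mode are set outside this hunk, so the isolation gained from `LoadCredential` only holds if that file is not readable by other users; that is worth confirming. The script body starts above the hunk and `serviceConfig` continues past it.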