authorChristina Rust2024-05-29 18:40:06 +0200
committerGitHub2024-05-29 18:40:06 +0200
commitd163d73f612784e2124f44d404d72a53db69a4b4 (patch)
tree90af26b1ff5319ead3089bc2be0fb27506cb6bd9 /nixos
parent562c943fdfef5f63e4b79a2cdcc66f28b54f9acf (diff)
parentcf546b0bf0ee9ee3e6284dbeb45bcc78a9717329 (diff)
Merge pull request #315410 from NixOS/backport-315263-to-release-24.05
[Backport release-24.05] nixos/devpi-server: fix loading credentials as DynamicUser
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/misc/devpi-server.nix8
1 files changed, 6 insertions, 2 deletions
diff --git a/nixos/modules/services/misc/devpi-server.nix b/nixos/modules/services/misc/devpi-server.nix
index 0234db4bc2c5..92c0c6206c8b 100644
--- a/nixos/modules/services/misc/devpi-server.nix
+++ b/nixos/modules/services/misc/devpi-server.nix
@@ -74,8 +74,9 @@ in
       # have 0600 permissions.
       preStart =
         ''
-          cp ${cfg.secretFile} ${runtimeDir}/${secretsFileName}
-          chmod 0600 ${runtimeDir}/*${secretsFileName}
+          ${optionalString (!isNull cfg.secretFile)
+            "install -Dm 0600 \${CREDENTIALS_DIRECTORY}/devpi-secret ${runtimeDir}/${secretsFileName}"
+          }
 
           if [ -f ${serverDir}/.nodeinfo ]; then
             # already initialized the package index, exit gracefully
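Review bot: The credential name `devpi-secret` is written as a literal in the `install` line here and again in the `LoadCredential` entry in the next hunk, so renaming it in one place would leave preStart pointing at a credential systemd never loaded. Binding it once in the module's `let`, e.g. `credentialName = "devpi-secret";`, and interpolating it in both places keeps the two in step. The source and destination paths given to `install` are also unquoted in the generated shell script; quoting both expansions would be safer if `runtimeDir` or the secrets file name ever contains whitespace. The preStart script continues past the end of this hunk.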
@@ -85,6 +86,9 @@ in
         + strings.optionalString cfg.replica "--role=replica --master-url=${cfg.primaryUrl}";
 
       serviceConfig = {
+        LoadCredential = lib.mkIf (! isNull cfg.secretFile) [
+          "devpi-secret:${cfg.secretFile}"
+        ];
         Restart = "always";
         ExecStart =
           let
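Review bot: `"devpi-secret:${cfg.secretFile}"` interpolates the option value into a string, and the option's declaration is outside this hunk, so its type is not visible here. If the option accepts Nix path values, a path literal would be copied into the world-readable Nix store at evaluation time, and LoadCredential would then read the secret from there. A comment above the entry would help, e.g. `# secretFile must be a string path outside the Nix store; a path literal would be copied into the store`, with the same warning in the option description. Separately, `isNull` is deprecated in favour of a plain comparison, so `lib.mkIf (cfg.secretFile != null)` is the preferred spelling here and in the preStart hunk. The `serviceConfig` attribute set continues outside the hunk.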