pyrox.dev / nixpkgs
lol
fork atom

nixos/bitwarden_rs: add environmentFile option

Add the option `environmentFile` to allow passing secrets to the service
without adding them to the Nix store, while keeping the current
configuration via the existing environment file intact.

WilliButz 76362dd7 7bd175ca

options
unified split
Changed files
+18 -1
nixos
modules
services
security
bitwarden_rs
default.nix
+18 -1
nixos/modules/services/security/bitwarden_rs/default.nix 
···

       
81

       
81

       
 

       
        <link xlink:href="https://github.com/dani-garcia/bitwarden_rs/blob/${bitwarden_rs.version}/.env.template">the environment template file</link>.


     

       
82

       
82

       
 

       
      '';


     

       
83

       
83

       
 

       
    };


     

       

       
84

       
+

       



     

       

       
85

       
+

       
    environmentFile = mkOption {


     

       

       
86

       
+

       
      type = with types; nullOr path;


     

       

       
87

       
+

       
      default = null;


     

       

       
88

       
+

       
      example = "/root/bitwarden_rs.env";


     

       

       
89

       
+

       
      description = ''


     

       

       
90

       
+

       
        Additional environment file as defined in <citerefentry>


     

       

       
91

       
+

       
        <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>


     

       

       
92

       
+

       
        </citerefentry>.


     

       

       
93

       
+

       



     

       

       
94

       
+

       
        Secrets like <envar>ADMIN_TOKEN</envar> and <envar>SMTP_PASSWORD</envar>


     

       

       
95

       
+

       
        may be passed to the service without adding them to the world-readable Nix store.


     

       

       
96

       
+

       



     

       

       
97

       
+

       
        Note that this file needs to be available on the host on which


     

       

       
98

       
+

       
        <literal>bitwarden_rs</literal> is running.


     

       

       
99

       
+

       
      '';


     

       

       
100

       
+

       
    };


     

       
84

       
101

       
 

       
  };


     

       
85

       
102

       
 

       



     

       
86

       
103

       
 

       
  config = mkIf cfg.enable {


     
···

       
101

       
118

       
 

       
      serviceConfig = {


     

       
102

       
119

       
 

       
        User = user;


     

       
103

       
120

       
 

       
        Group = group;


     

       
104

       

       
-

       
        EnvironmentFile = configFile;


     

       

       
121

       
+

       
        EnvironmentFile = [ configFile ] ++ optional (cfg.environmentFile != null) cfg.environmentFile;


     

       
105

       
122

       
 

       
        ExecStart = "${bitwarden_rs}/bin/bitwarden_rs";


     

       
106

       
123

       
 

       
        LimitNOFILE = "1048576";


     

       
107

       
124

       
 

       
        LimitNPROC = "64";