diff --git a/nixos/modules/services/matrix/matrix-authentication-service.nix b/nixos/modules/services/matrix/matrix-authentication-service.nix index 8ff62f0dbf28..18648d2e3451 100644 --- a/nixos/modules/services/matrix/matrix-authentication-service.nix +++ b/nixos/modules/services/matrix/matrix-authentication-service.nix @@ -11,16 +11,15 @@ let filter filterAttrs getExe + getExe' isAttrs isList mapAttrs - mkDefault mkEnableOption mkIf mkOption mkPackageOption optional - optionalAttrs types ; @@ -45,6 +44,11 @@ let else pruned; configFile = format.generate "config.yaml" finalSettings; + + extraConfigFiles = lib.imap0 ( + i: _: "$CREDENTIALS_DIRECTORY/config-${toString i}" + ) cfg.extraConfigFiles; + runtimeConfig = "/run/matrix-authentication-service/config.yaml"; in { meta.maintainers = with lib.maintainers; [ @@ -370,6 +374,23 @@ in such as the Matrix homeserver if it's running on the same host. ''; }; + + credentials = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + default = { }; + description = '' + Mapping of credential name to source file-path. Exposed to the unit via LoadCredential and + readable inside the service at `''${CREDENTIALS_DIRECTORY}/`. + + For example: + + ``` + services.matrix-authentication-service.credentials."synapse-secret" = "/run/agenix/synapse-shared"; + services.matrix-authentication-service.settings.matrix.secret_file = + "\''${CREDENTIALS_DIRECTORY}/synapse-secret"; + ``` + ''; + }; }; config = mkIf cfg.enable { @@ -390,13 +411,20 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { DynamicUser = true; - ExecStartPre = '' - ${getExe cfg.package} config check \ - ${concatMapStringsSep " " (x: "--config ${x}") ([ configFile ] ++ cfg.extraConfigFiles)} + LoadCredential = + (lib.imap0 (i: path: "config-${toString i}:${path}") cfg.extraConfigFiles) + ++ (lib.mapAttrsToList (name: path: "${name}:${path}") cfg.credentials); + ExecStartPre = pkgs.writeShellScript "mas-prepare" '' + ${getExe' pkgs.gettext "envsubst"} \ + '$CREDENTIALS_DIRECTORY' \ + < ${configFile} \ + > /run/matrix-authentication-service/config.yaml + ${getExe cfg.package} config check --config ${runtimeConfig} \ + ${concatMapStringsSep " " (x: "--config ${x}") extraConfigFiles} ''; ExecStart = '' - ${getExe cfg.package} server \ - ${concatMapStringsSep " " (x: "--config ${x}") ([ configFile ] ++ cfg.extraConfigFiles)} + ${getExe cfg.package} server --config ${runtimeConfig} \ + ${concatMapStringsSep " " (x: "--config ${x}") extraConfigFiles} ''; Restart = "on-failure"; RestartSec = "1s"; @@ -438,6 +466,7 @@ in # Working and state directories StateDirectory = "matrix-authentication-service"; StateDirectoryMode = "0700"; + RuntimeDirectory = "matrix-authentication-service"; WorkingDirectory = "/var/lib/matrix-authentication-service"; }; }; diff --git a/nixos/tests/matrix/matrix-authentication-service.nix b/nixos/tests/matrix/matrix-authentication-service.nix index 2e93652b495e..9194b1fc56cd 100644 --- a/nixos/tests/matrix/matrix-authentication-service.nix +++ b/nixos/tests/matrix/matrix-authentication-service.nix @@ -237,13 +237,14 @@ in { id = masULID; client_id = oidcClientID; - client_secret = oidcClientSecret; + client_secret_file = "\${CREDENTIALS_DIRECTORY}/oidc_client_secret"; issuer = "https://${dexDomain}:5556"; scope = "openid email profile"; token_endpoint_auth_method = "client_secret_post"; } ]; }; + credentials.oidc_client_secret = "${pkgs.writeText "oidc-client-secret" oidcClientSecret}"; }; services.postgresql.authentication = pkgs.lib.mkOverride 10 '' local all all trust