nixos/teeworlds: add option environmentFile for injecting secrets (#334590)

2024-11-17 19:21:04 +00:00 · 2024-09-10 18:30:00 +03:00 · 2024-09-10 18:30:00 +03:00 · 95db943c8d
parent 7a199f5dd6 a719f91a85
commit 95db943c8d
1 changed files with 36 additions and 1 deletions
--- a/nixos/modules/services/games/teeworlds.nix
+++ b/nixos/modules/services/games/teeworlds.nix
@ -368,6 +368,33 @@ in
          '';
        };
      };
+
+      environmentFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        example = "/var/lib/teeworlds/teeworlds.env";
+        description = ''
+          Environment file as defined in {manpage}`systemd.exec(5)`.
+
+          Secrets may be passed to the service without adding them to the world-readable
+          Nix store, by specifying placeholder variables as the option value in Nix and
+          setting these variables accordingly in the environment file.
+
+          ```
+            # snippet of teeworlds-related config
+            services.teeworlds.password = "$TEEWORLDS_PASSWORD";
+          ```
+
+          ```
+            # content of the environment file
+            TEEWORLDS_PASSWORD=verysecretpassword
+          ```
+
+          Note that this file needs to be available on the host on which
+          `teeworlds` is running.
+        '';
+      };
+
    };
  };

@ -383,7 +410,15 @@ in

      serviceConfig = {
        DynamicUser = true;
-        ExecStart = "${cfg.package}/bin/teeworlds_srv -f ${teeworldsConf}";
+        RuntimeDirectory = "teeworlds";
+        RuntimeDirectoryMode = "0700";
+        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+        ExecStartPre = ''
+          ${pkgs.envsubst}/bin/envsubst \
+            -i ${teeworldsConf} \
+            -o /run/teeworlds/teeworlds.yaml
+        '';
+        ExecStart = "${lib.getExe cfg.package} -f /run/teeworlds/teeworlds.yaml";

        # Hardening
        CapabilityBoundingSet = false;