nixos/bitwarden_rs: add environmentFile option #97371
Merged
Motivation for this change

Bitwarden_rs is configured using a systemd environment file, which is locally generated in the module. To pass secrets to the service, one could either use the `config` option or set `services.systemd.bitwarden_rs.environment`. Both of these approaches would lead to having secrets in the world-readable Nix store.

As discussed on IRC, there are a few ways to work around this issue. The ideal solution (as outlined by @ju1m) would probably be to allow the merging of single values and lists of the same type to a single list of definitions (for some of the options available in unit files, such as `EnvironmentFile` and `ExecStartPre`). But even without the improved option merging, exposing an option `environmentFile`, very much like the one in the `alertmanager` module, would make passing secrets easier. The alternative would be to expect users to set `systemd.services.bitwarden_rs.serviceConfig.EnvironmentFile` themselves.

Things done

Added the option `environmentFile` to allow passing secrets to the service without adding them to the Nix store, while keeping the current configuration via the existing environment file intact.
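As an added example of how the split described above is meant to be used (this is not code from the PR or from the nixpkgs module): non-secret settings stay in `config`, which the module renders into a generated environment file in the Nix store, and anything sensitive is loaded from a file outside the store through the new option. The option path `services.bitwarden_rs.environmentFile`, the file path `/var/lib/bitwarden_rs/secrets.env`, and the variable names `ADMIN_TOKEN` and `DATABASE_URL` are assumptions for illustration and are not stated on the page.

```nix
# Added example, not the PR's or the nixpkgs module's own code.
# Assumed: the option is exposed as services.bitwarden_rs.environmentFile
# (the PR title only says "environmentFile" on the bitwarden_rs module),
# and bitwarden_rs reads ADMIN_TOKEN / DATABASE_URL from its environment.
{ config, pkgs, ... }:

{
  services.bitwarden_rs = {
    enable = true;

    # Non-secret settings. The module turns these into a systemd
    # environment file that lives in /nix/store, which any local user
    # can read, so nothing sensitive belongs in this attribute set.
    config = {
      domain = "https://vault.example.org";
      rocketPort = 8222;
    };

    # Secrets come from a file that is never copied into the store.
    # Create it out of band (for example root-owned, mode 0400) with
    # lines such as:
    #   ADMIN_TOKEN=<long random token>
    #   DATABASE_URL=postgresql://bitwarden:<password>@localhost/bitwarden
    # systemd reads it at service start via EnvironmentFile=.
    environmentFile = "/var/lib/bitwarden_rs/secrets.env";
  };
}
```

The security-relevant check is on the secrets file itself, not on the Nix expression: it must be created by something other than a derivation (a deployment tool, an agenix/sops-style secret manager, or by hand) and must not be world-readable, because the whole point of the option is that its contents never pass through `nix-build` or `nix path-info`. A file placed in the store through `pkgs.writeText` and then referenced from `environmentFile` would defeat the purpose.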