Motivation for this change

Bitwarden_rs is configured using a systemd environment file, which is locally generated in the module. To pass secrets to the service, one could either use the config option or set services.systemd.bitwarden_rs.environment.
Both of these approaches would lead to having secrets in the world-readable Nix store.

As discussed on IRC, there are a few ways to work around this issue. The ideal solution (as outlined by @ju1m) would probably be to allow the merging of single values and lists of the same type to a single list of definitions (for some of the options available in unit files, such as EnvironmentFile and ExecStartPre).

But even without the improved option merging, exposing an option environmentFile, very much like the one in the alertmanager module, would make passing secrets easier. The alternative would be to expect users to set systemd.services.bitwarden_rs.serviceConfig.EnvironmentFile themselves.

Things done

Added the option environmentFile to allow passing secrets to the service
without adding them to the Nix store, while keeping the current
configuration via the existing environment file intact.

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.