nixos-config/modules/nginx.nix

{ config, lib, ... }:
let
  cfg = config.services.nginx;
in
{
  options.services.nginx.secrets = lib.mkOption {
    type = with lib.types; listOf (either str path);
    default = [ ];
    description = "Secrets to be copied to `/run/nginx/secrets/`";
  };

  config.systemd = lib.mkIf (lib.length cfg.secrets != 0) {
    services = {
      nginx-secrets = {
        description = "Secrets for nginx";
        wantedBy = [ "nginx.service" ];
        partOf = [ "nginx.service" ];
        serviceConfig.Type = "oneshot";

        script = ''
          rm -rf /run/nginx/secrets
          install -o ${cfg.user} -g ${cfg.group} -m 700 -d /run/nginx/secrets
        '' + lib.concatStrings (map
          (secret: ''
            install -o ${cfg.user} -g ${cfg.group} -m 600 ${toString secret} /run/nginx/secrets
          '')
          cfg.secrets);
      };
      nginx.after = [ "nginx-secrets.service" ];
    };
    paths.nginx-secrets = {
      wantedBy = [ "nginx-secrets.service" ];
      partOf = [ "nginx-secrets.service" ];
      pathConfig = {
        PathModified = "/var/src/secrets";
        Unit = "nginx-secrets.service";
      };
    };
  };
}
Add media-proxy This also adds secrets management for nginx. It is far from perfect (e.g. nginx does not get reloaded when a secret changes). 2020-12-31 15:44:24 +01:00			`{ config, lib, ... }:`
			`let`
			`cfg = config.services.nginx;`
			`in`
			`{`
			`options.services.nginx.secrets = lib.mkOption {`
			`type = with lib.types; listOf (either str path);`
			`default = [ ];`
			description = "Secrets to be copied to `/run/nginx/secrets/`";
			`};`

			`config.systemd = lib.mkIf (lib.length cfg.secrets != 0) {`
			`services = {`
			`nginx-secrets = {`
			`description = "Secrets for nginx";`
			`wantedBy = [ "nginx.service" ];`
			`partOf = [ "nginx.service" ];`
			`serviceConfig.Type = "oneshot";`

			`script = ''`
			`rm -rf /run/nginx/secrets`
			`install -o ${cfg.user} -g ${cfg.group} -m 700 -d /run/nginx/secrets`
			`'' + lib.concatStrings (map`
			`(secret: ''`
			`install -o ${cfg.user} -g ${cfg.group} -m 600 ${toString secret} /run/nginx/secrets`
			`'')`
			`cfg.secrets);`
			`};`
			`nginx.after = [ "nginx-secrets.service" ];`
			`};`
			`paths.nginx-secrets = {`
			`wantedBy = [ "nginx-secrets.service" ];`
			`partOf = [ "nginx-secrets.service" ];`
			`pathConfig = {`
			`PathModified = "/var/src/secrets";`
			`Unit = "nginx-secrets.service";`
			`};`
			`};`
			`};`
			`}`