nixos-config/modules/nginx.nix

41 lines
1.1 KiB
Nix
Raw Normal View History

{ config, lib, ... }:
let
cfg = config.services.nginx;
in
{
options.services.nginx.secrets = lib.mkOption {
type = with lib.types; listOf (either str path);
default = [ ];
description = "Secrets to be copied to `/run/nginx/secrets/`";
};
config.systemd = lib.mkIf (lib.length cfg.secrets != 0) {
services = {
nginx-secrets = {
description = "Secrets for nginx";
wantedBy = [ "nginx.service" ];
partOf = [ "nginx.service" ];
serviceConfig.Type = "oneshot";
script = ''
rm -rf /run/nginx/secrets
install -o ${cfg.user} -g ${cfg.group} -m 700 -d /run/nginx/secrets
'' + lib.concatStrings (map
(secret: ''
install -o ${cfg.user} -g ${cfg.group} -m 600 ${toString secret} /run/nginx/secrets
'')
cfg.secrets);
};
nginx.after = [ "nginx-secrets.service" ];
};
paths.nginx-secrets = {
wantedBy = [ "nginx-secrets.service" ];
partOf = [ "nginx-secrets.service" ];
pathConfig = {
PathModified = "/var/src/secrets";
Unit = "nginx-secrets.service";
};
};
};
}