Simon Bruder
cb913a9b00
This also adds secrets management for nginx. It is far from perfect (e.g. nginx does not get reloaded when a secret changes).
41 lines
1.1 KiB
Nix
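{ config, lib, ... }:

let
  cfg = config.services.nginx;

  # Secrets are installed under their basename, so two entries with the same
  # file name would silently overwrite each other. Checked by an assertion below.
  secretNames = map (s: baseNameOf (toString s)) cfg.secrets;

  # Parent directory of every secret, deduplicated. The path unit watches the
  # directories rather than the files so that a deployment which replaces a
  # secret atomically (write temp file, rename) is still noticed.
  watchDirs = lib.unique (map (s: dirOf (toString s)) cfg.secrets);
in
{
  options.services.nginx.secrets = lib.mkOption {
    type = with lib.types; listOf (either str path);
    default = [ ];
    example = [ "/var/src/secrets/nginx-htpasswd" ];
    description = ''
      Secrets to be copied to `/run/nginx/secrets/` before nginx starts.

      Each file is installed under its basename, owned by the nginx
      user/group with mode 0600, inside a 0700 directory. The copies live
      under `/run` (on NixOS normally a tmpfs), so they are not persisted to
      disk. Whenever the parent directory of one of the secrets changes, the
      secrets are re-copied and a running nginx is reloaded.

      Entries must be absolute paths to files that live *outside* the Nix
      store (for example under `/var/src/secrets`). Do not point this at a
      path inside your configuration repository or interpolate a path into a
      string (`"''${./htpasswd}"`): the file would end up in the
      world-readable Nix store. Basenames must be unique across the list.
    '';
  };

  config = lib.mkIf (cfg.secrets != [ ]) {
    assertions = [
      {
        assertion = lib.length (lib.unique secretNames) == lib.length secretNames;
        message = "services.nginx.secrets: basenames must be unique because each secret is installed as /run/nginx/secrets/<basename>; got: ${toString secretNames}";
      }
    ];

    systemd = {
      services = {
        nginx-secrets = {
          description = "Secrets for nginx";
          wantedBy = [ "nginx.service" ];
          # Restarting nginx re-runs this unit, so the copies are refreshed.
          partOf = [ "nginx.service" ];
          serviceConfig.Type = "oneshot";

          # All interpolated values are shell-escaped: user/group come from
          # configuration and secret paths may contain spaces or metacharacters.
          script = ''
            # Start from an empty directory so secrets removed from the list
            # do not linger in /run from a previous run.
            rm -rf /run/nginx/secrets
            install -o ${lib.escapeShellArg cfg.user} -g ${lib.escapeShellArg cfg.group} -m 700 -d /run/nginx/secrets
          '' + lib.concatMapStrings
            (secret: ''
              install -o ${lib.escapeShellArg cfg.user} -g ${lib.escapeShellArg cfg.group} -m 600 ${lib.escapeShellArg (toString secret)} /run/nginx/secrets
            '')
            cfg.secrets
          + ''
            # Make a running nginx pick up the refreshed copies. try-reload-or-restart
            # is a no-op while nginx is not active (e.g. during boot, where this unit
            # runs first). --no-block is deliberate: nginx.service is ordered after
            # this unit, so a blocking reload issued from inside it could wait on
            # this unit's own job.
            systemctl --no-block try-reload-or-restart nginx.service
          '';
        };

        nginx.after = [ "nginx-secrets.service" ];
      };

      paths.nginx-secrets = {
        wantedBy = [ "nginx-secrets.service" ];
        partOf = [ "nginx-secrets.service" ];
        pathConfig = {
          # One PathModified= line per distinct parent directory of the secrets.
          PathModified = watchDirs;
          Unit = "nginx-secrets.service";
        };
      };
    };
  };
}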