Unverified Commit 3a337a0a authored by Emi Katagiri-Simpson's avatar Emi Katagiri-Simpson

nixos/send: Add `environmentFile` option for securely passing secrets

Currently, NixOS's module for Send (fka. Firefox Send) lacks a way to
securely configure the cloud storage backends supported upstream.  While
it is technically possible to use these backends by passing credentials
using the `environment` option, this creates a well known security risk
by exposing credentials in the Nix store.

This change adds an `environmentFile` option, which accepts a path that
is subsequently passed to the `serviceConfig.EnvironmentFile` systemd
setting, thereby allowing users to use agenix or other secure secret
passing schemes of their choosing.

Module maintainer: @moraxyc (hi again!)
parent e4b5e213
+17 −0
@@ -46,6 +46,22 @@ in
        };
      };

      environmentFile = mkOption {
        default = null;
        description = ''
          Environment file (see {manpage}`systemd.exec(5)` "EnvironmentFile="
          section for the syntax) passed to the service. This option is the
          recommended way to pass secrets to Send.

          This is especially important for users using a cloud storage backend.

          A list of environment variables recognized by Send can be found here:
          <https://github.com/timvisee/send/blob/master/docs/docker.md>
        '';
        example = "/run/secrets/send";
        type = with types; nullOr path;
      };

      dataDir = lib.mkOption {
        type = types.path;
        readOnly = true;
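Review bot: `type = with types; nullOr path;` does not by itself prevent the store-exposure this commit sets out to fix: if a user writes a Nix path literal (e.g. `./send.env`) instead of a string, the file is copied into the world-readable Nix store and the `path` type accepts it. Either state in the description that the value must be a string path to a file that exists at runtime (matching `example = "/run/secrets/send";`), or use `nullOr str` so a path literal is rejected. Also, the surrounding options use `lib.mkOption` / `types.path` (see `dataDir = lib.mkOption {` just below) while this hunk uses bare `mkOption` and `with types;`; keep the qualification consistent with the rest of the module.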
@@ -159,6 +175,7 @@ in
        LoadCredential = lib.optionalString (
          cfg.redis.passwordFile != null
        ) "redis-password:${cfg.redis.passwordFile}";
        EnvironmentFile = cfg.environmentFile;

        # Hardening
        RestrictAddressFamilies = [
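Review bot: `EnvironmentFile = cfg.environmentFile;` is assigned unconditionally, so when the option keeps its `null` default the unit still gets an `EnvironmentFile` entry with a null value. Consider guarding it the way the neighbouring `LoadCredential` is guarded, e.g. wrapping the assignment in `lib.mkIf (cfg.environmentFile != null)` (or `lib.optionalAttrs`), so the key is only emitted when a file was actually configured and the rendered unit does not depend on how a null is serialized.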