Unverified Commit 4c21b284 authored by Jennifer Graul's avatar Jennifer Graul

nixos/peering-manager: add environmentFile option

parent 6f35ae80
+46 −2
@@ -19,11 +19,13 @@ let
    settingsFile
    extraConfigFile
  ];
  finalConfigFile =
    if (cfg.environmentFile != null) then "/var/lib/peering-manager/configuration.py" else configFile;

  pkg =
    (pkgs.peering-manager.overrideAttrs (old: {
      postInstall = ''
        ln -s ${configFile} $out/opt/peering-manager/peering_manager/configuration.py
        ln -s ${finalConfigFile} $out/opt/peering-manager/peering_manager/configuration.py
      ''
      + lib.optionalString cfg.enableLdap ''
        ln -s ${cfg.ldapConfigPath} $out/opt/peering-manager/peering_manager/ldap_config.py
@@ -52,6 +54,32 @@ in
      '';
    };

    environmentFile = mkOption {
      type = with types; nullOr path;
      default = null;
      example = "/run/secrets/peering-manager.env";
      description = ''
        Environment file as defined in {manpage}`systemd.exec(5)`.

        Secrets may be passed to the service without adding them to the world-readable
        Nix store, by specifying placeholder variables as the option value in Nix and
        setting these variables accordingly in the environment file.

        ```
          # snippet of peering-manager-related config
          services.peering-manager.settings.SOCIAL_AUTH_OIDC_SECRET = "$PM_OIDC_SECRET";
        ```

        ```
          # content of the environment file
          PM_OIDC_SECRET=topsecret
        ```

        Note that this file needs to be available on the host on which
        `peering-manager` is running.
      '';
    };

    enableScheduledTasks = mkOption {
      type = types.bool;
      default = true;
@@ -249,9 +277,22 @@ in
        };
      in
      {
        peering-manager-config = lib.mkIf (cfg.environmentFile != null) (
          lib.recursiveUpdate defaults {
            description = "Peering Manager config file setup";
            wantedBy = [ "peering-manager.target" ];
            serviceConfig = {
              Type = "oneshot";
              EnvironmentFile = [ cfg.environmentFile ];
              ExecStart = "${lib.getExe pkgs.envsubst} -i ${configFile} -o ${finalConfigFile}";
            };
          }
        );

        peering-manager-migration = lib.recursiveUpdate defaults {
          description = "Peering Manager migrations";
          wantedBy = [ "peering-manager.target" ];
          after = lib.mkIf (cfg.environmentFile != null) [ "peering-manager-config.service" ];
          serviceConfig = {
            Type = "oneshot";
            ExecStart = "${pkg}/bin/peering-manager migrate";
@@ -261,7 +302,10 @@ in
        peering-manager = lib.recursiveUpdate defaults {
          description = "Peering Manager WSGI Service";
          wantedBy = [ "peering-manager.target" ];
          after = [ "peering-manager-migration.service" ];
          after = [
            "peering-manager-migration.service"
          ]
          ++ lib.optionals (cfg.environmentFile != null) [ "peering-manager-config.service" ];

          preStart = ''
            ${pkg}/bin/peering-manager remove_stale_contenttypes --no-input
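Review bot: The rendered `/var/lib/peering-manager/configuration.py` written by the `ExecStart` of `peering-manager-config` now contains the substituted secrets, but nothing in the hunk sets the mode of that file, so whether it ends up readable only by the service user depends on `defaults` (defined outside the hunk) and the process umask; adding `UMask = "0077";` next to `Type = "oneshot";` in that `serviceConfig` pins it, otherwise the option's stated goal of keeping secrets out of world-readable locations only moves the problem from the store to `/var/lib`. Second, `envsubst -i ${configFile} -o ${finalConfigFile}` substitutes every `$NAME` in the generated config and, with the flags used, an unset variable becomes an empty string, so a misspelled placeholder yields an empty `SECRET_KEY` or OIDC secret without any error; if `pkgs.envsubst` is the Go implementation, `-no-unset -no-empty` makes the oneshot fail instead, and the option description should say that a literal `$` in any setting value is subject to substitution. Third, the migration and WSGI units add only `after` ordering on `peering-manager-config.service` (the `after` lines in the third and fourth hunks), so if the config step fails both still start against a missing or stale `configuration.py`; `requires = lib.mkIf (cfg.environmentFile != null) [ "peering-manager-config.service" ];` alongside each `after` closes that gap. The enclosing `systemd.services` attrset and the `defaults` helper start before the hunk, so the `User`, `StateDirectory` and any `UMask` already applied there could not be checked here.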