Unverified Commit 5857d112 authored by numinit, committed by GitHub

nixos/szurubooru: load secrets with systemd credentials + config permissions (#427525)

parents c87625ec 0b7b06b4
+13 −3
@@ -299,12 +299,14 @@ in
          ]);

        script = ''
          export SZURUBOORU_SECRET="$(<${cfg.server.settings.secretFile})"
          export SZURUBOORU_DATABASE_PASSWORD="$(<${cfg.database.passwordFile})"
          export SZURUBOORU_SECRET="$(<$CREDENTIALS_DIRECTORY/secret)"
          export SZURUBOORU_DATABASE_PASSWORD="$(<$CREDENTIALS_DIRECTORY/database)"
          ${lib.optionalString (cfg.server.settings.smtp.passFile != null) ''
            export SZURUBOORU_SMTP_PASS=$(<${cfg.server.settings.smtp.passFile})
            export SZURUBOORU_SMTP_PASS=$(<$CREDENTIALS_DIRECTORY/smtp)
          ''}
          install -m0640 ${cfg.server.package.src}/config.yaml.dist ${cfg.dataDir}/config.yaml.dist
          touch ${cfg.dataDir}/config.yaml
          chmod 0640 ${cfg.dataDir}/config.yaml
          envsubst -i ${configFile} -o ${cfg.dataDir}/config.yaml
          sed 's|script_location = |script_location = ${cfg.server.package.src}/|' ${cfg.server.package.src}/alembic.ini > ${cfg.dataDir}/alembic.ini
          alembic upgrade head
@@ -312,6 +314,14 @@ in
        '';

        serviceConfig = {
          LoadCredential = [
            "secret:${cfg.server.settings.secretFile}"
            "database:${cfg.database.passwordFile}"
          ]
          ++ (lib.optionals (cfg.server.settings.smtp.passFile != null) [
            "smtp:${cfg.server.settings.smtp.passFile}"
          ]);

          User = cfg.user;
          Group = cfg.group;