Commit c8f9d170 authored by Jasper Woudenberg's avatar Jasper Woudenberg Committed by Austin Seipp

nixos/resilio: support secret files

When using the declarative shared folder configuration for resilio sync
it is now possible to pass a path from which the secret should be read
at runtime. The path will not be added to the nix store.

The 'secret' parameter to specify the secret directly is still
supported. This option will still store the secret in the nix store.

This commit follows the pattern described in this issue, for upstream
programs that do not provide support for setting a password using a
file: https://github.com/NixOS/nixpkgs/issues/24288
parent edeb96b8
+7 −0
@@ -121,6 +121,13 @@
          <link xlink:href="https://search.nixos.org/packages?channel=unstable&amp;show=utm&amp;from=0&amp;size=1&amp;sort=relevance&amp;type=packages&amp;query=utm">package</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          Resilio sync secret keys can now be provided using a secrets
          file at runtime, preventing these secrets from ending up in
          the Nix store.
        </para>
      </listitem>
    </itemizedlist>
  </section>
</section>
+2 −0
@@ -40,3 +40,5 @@ In addition to numerous new and upgraded packages, this release has the followin
- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)

- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).

- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
+29 −6
@@ -8,7 +8,6 @@ let
  resilioSync = pkgs.resilio-sync;

  sharedFoldersRecord = map (entry: {
    secret = entry.secret;
    dir = entry.directory;

    use_relay_server = entry.useRelayServer;
@@ -40,6 +39,31 @@ let
    shared_folders = sharedFoldersRecord;
  }));

  sharedFoldersSecretFiles = map (entry: {
    dir = entry.directory;
    secretFile = if builtins.hasAttr "secret" entry then
      toString (pkgs.writeTextFile {
        name = "secret-file";
        text = entry.secret;
      })
    else
      entry.secretFile;
  }) cfg.sharedFolders;

  runConfigPath = "/run/rslsync/config.json";

  createConfig = pkgs.writeShellScriptBin "create-resilio-config" ''
    ${pkgs.jq}/bin/jq \
      '.shared_folders |= map(.secret = $ARGS.named[.dir])' \
      ${
        lib.concatMapStringsSep " \\\n  "
        (entry: ''--arg '${entry.dir}' "$(cat '${entry.secretFile}')"'')
        sharedFoldersSecretFiles
      } \
      <${configFile} \
      >${runConfigPath}
  '';

in
{
  options = {
@@ -186,7 +210,7 @@ in
        default = [];
        type = types.listOf (types.attrsOf types.anything);
        example =
          [ { secret         = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y";
          [ { secretFile     = "/run/resilio-secret";
              directory      = "/home/user/sync_test";
              useRelayServer = true;
              useTracker     = true;
@@ -202,9 +226,6 @@ in
        description = lib.mdDoc ''
          Shared folder list. If enabled, web UI must be
          disabled. Secrets can be generated using `rslsync --generate-secret`.
          Note that this secret will be
          put inside the Nix store, so it is realistically not very
          secret.

          If you would like to be able to modify the contents of this
          directories, it is recommended that you make your user a
@@ -256,8 +277,10 @@ in
        Restart   = "on-abort";
        UMask     = "0002";
        User      = "rslsync";
        RuntimeDirectory = "rslsync";
        ExecStartPre = "${createConfig}/bin/create-resilio-config";
        ExecStart = ''
          ${resilioSync}/bin/rslsync --nodaemon --config ${configFile}
          ${resilioSync}/bin/rslsync --nodaemon --config ${runConfigPath}
        '';
      };
    };
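Review bot: The secret still ends up readable by other local users at runtime in two places in this file: the `createConfig` script and the `ExecStartPre`/`UMask` combination in the last hunk. In `createConfig` every secret file is expanded into jq's argument vector via `--arg '${entry.dir}' "$(cat '${entry.secretFile}')"`, so for as long as jq runs the secrets are visible in the process's command line; jq's `--rawfile` lets jq read the file itself (it populates `$ARGS.named` like `--arg`, as far as I recall, though with the trailing newline kept), so `--rawfile '${entry.dir}' '${entry.secretFile}'` together with the filter `'.shared_folders |= map(.secret = ($ARGS.named[.dir] | rtrimstr("\n")))'` keeps the secrets off the command line. The generated `/run/rslsync/config.json` is then created by the `>${runConfigPath}` redirect while running as `rslsync` under the service's `UMask = "0002"`, which presumably yields mode 0664 inside a `RuntimeDirectory` that defaults to 0755, i.e. the merged config with all secrets is world-readable for the lifetime of the service; a leading `umask 077` in the script (or a restrictive `RuntimeDirectoryMode`) would close that. Two smaller points: `entry.dir` is only single-quoted, so a directory path containing `'` breaks the generated command, and the `description = lib.mdDoc` hunk drops the old Nix-store caveat without saying that `secretFile` may be given instead of `secret` and that `secret` still goes into the store — the `options` attribute set continues outside this section, so the wording may live elsewhere, but the visible text no longer mentions it.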