Commit d3a14651 authored by Bruno BELANYI's avatar Bruno BELANYI

nixos/aria2: implement 'rpcSecretFile'

Since this is supposed to be a secret, use a file path as an input
instead of making it part of the expression, which would expose it in
the nix store.
parent 64cab3aa
+10 −5
@@ -18,11 +18,14 @@ let
    dir=${cfg.downloadDir}
    listen-port=${concatStringsSep "," (rangesToStringList cfg.listenPortRange)}
    rpc-listen-port=${toString cfg.rpcListenPort}
    rpc-secret=${cfg.rpcSecret}
  '';

in
{
  imports = [
    (mkRemovedOptionModule [ "services" "aria2" "rpcSecret" ] "Use services.aria2.rpcSecretFile instead")
  ];

  options = {
    services.aria2 = {
      enable = mkOption {
@@ -65,11 +68,11 @@ in
        default = 6800;
        description = lib.mdDoc "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535";
      };
      rpcSecret = mkOption {
        type = types.str;
        default = "aria2rpc";
      rpcSecretFile = mkOption {
        type = types.path;
        example = "/run/secrets/aria2-rpc-token.txt";
        description = lib.mdDoc ''
          Set RPC secret authorization token.
          A file containing the RPC secret authorization token.
          Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used.
        '';
      };
@@ -117,6 +120,7 @@ in
          touch "${sessionFile}"
        fi
        cp -f "${settingsFile}" "${settingsDir}/aria2.conf"
        echo "rpc-secret=$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")" >> "${settingsDir}/aria2.conf"
      '';

      serviceConfig = {
@@ -125,6 +129,7 @@ in
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        User = "aria2";
        Group = "aria2";
        LoadCredential="rpcSecretFile:${cfg.rpcSecretFile}";
      };
    };
  };
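Review bot: In the preStart hunk the token is appended to `${settingsDir}/aria2.conf`, but that file's mode is whatever `cp -f` derives from `${settingsFile}`. If the source is a Nix store file (its definition is outside the visible hunks), the copy is likely read-only and readable by other users, so the `>>` append may fail and the secret is not protected at rest. Creating the file with an explicit mode covers both, e.g. `install -m 0600 "${settingsFile}" "${settingsDir}/aria2.conf"` in place of the `cp -f`. The `rpcSecretFile` description should also say that the value must be given as a string path outside the Nix store, because `types.path` accepts a path literal and interpolating one into `LoadCredential` copies the file into the store, which is the exposure this commit sets out to remove. The preStart script and the serviceConfig block both begin outside their hunks.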