nixos/caddy: add environmentFile option (#363694)

2025-06-11 20:25:32 +03:00 · 2024-12-09 18:50:58 -05:00 · 2024-12-09 18:50:58 -05:00 · 248081c472
commit 248081c472
parent 9268e3f2c3
1 changed files with 36 additions and 0 deletions
--- a/nixos/modules/services/web-servers/caddy/default.nix
+++ b/nixos/modules/services/web-servers/caddy/default.nix
@ -321,6 +321,41 @@ in
        :::
      '';
    };
+
+    environmentFile = mkOption {
+      type = with types; nullOr path;
+      default = null;
+      example = "/run/secrets/caddy.env";
+      description = ''
+        Environment file as defined in {manpage}`systemd.exec(5)`.
+
+        You can use environment variables to pass secrets to the service without adding
+        them to the world-redable nix store.
+
+        ```
+        # in configuration.nix
+        services.caddy.environmentFile = "/run/secrets/caddy.env";
+        services.caddy.globalConfig = '''
+          {
+            acme_ca https://acme.zerossl.com/v2/DV90
+            acme_eab {
+              key_id {$EAB_KEY_ID}
+              mac_key {$EAB_MAC_KEY}
+            }
+          }
+        ''';
+        ```
+
+        ```
+        # in /run/secrets/caddy.env
+        EAB_KEY_ID=secret
+        EAB_MAC_KEY=secret
+        ```
+
+        Find more examples
+        [here](https://caddyserver.com/docs/caddyfile/concepts#environment-variables)
+      '';
+    };
  };

  # implementation
@ -378,6 +413,7 @@ in
        Restart = "on-failure";
        RestartPreventExitStatus = 1;
        RestartSec = "5s";
+        EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;

        # TODO: attempt to upstream these options
        NoNewPrivileges = true;