movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-13 21:25:30 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/caddy: add environmentFile option (#363694)

Browse source
This commit is contained in:
cy 2024-12-09 18:50:58 -05:00 committed by GitHub
parent 9268e3f2c3
commit 248081c472
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 36 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

36
nixos/modules/services/web-servers/caddy/default.nix
View file

@ -321,6 +321,41 @@ in
::: :::
''; '';
}; };
environmentFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/run/secrets/caddy.env";
description = ''
Environment file as defined in {manpage}`systemd.exec(5)`.
You can use environment variables to pass secrets to the service without adding
them to the world-redable nix store.
```
# in configuration.nix
services.caddy.environmentFile = "/run/secrets/caddy.env";
services.caddy.globalConfig = '''
{
acme_ca https://acme.zerossl.com/v2/DV90
acme_eab {
key_id {$EAB_KEY_ID}
mac_key {$EAB_MAC_KEY}
}
}
''';
```
```
# in /run/secrets/caddy.env
EAB_KEY_ID=secret
EAB_MAC_KEY=secret
```
Find more examples
[here](https://caddyserver.com/docs/caddyfile/concepts#environment-variables)
'';
};
}; };
# implementation # implementation
@ -378,6 +413,7 @@ in
Restart = "on-failure"; Restart = "on-failure";
RestartPreventExitStatus = 1; RestartPreventExitStatus = 1;
RestartSec = "5s"; RestartSec = "5s";
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
# TODO: attempt to upstream these options # TODO: attempt to upstream these options
NoNewPrivileges = true; NoNewPrivileges = true;