pumpio service: don't keep secrets in nix store

Added extra config options to allow reading passwords from file rather
than the world-readable nix store.

The full config.json file is created at service startup.

Relevant to #18881

nixos/modules/services/web-apps/pump.io-configure.js

@@ -0,0 +1,23 @@
+var fs = require('fs');
+
+var opts = JSON.parse(fs.readFileSync("/dev/stdin").toString());
+var config = opts.config;
+
+var readSecret = function(filename) {
+  return fs.readFileSync(filename).toString().trim();
+};
+
+if (opts.secretFile) {
+  config.secret = readSecret(opts.secretFile);
+}
+if (opts.dbPasswordFile) {
+  config.params.dbpass = readSecret(opts.dbPasswordFile);
+}
+if (opts.smtpPasswordFile) {
+  config.smtppass = readSecret(opts.smtpPasswordFile);
+}
+if (opts.spamClientSecretFile) {
+  config.spamclientsecret = readSecret(opts.opts.spamClientSecretFile);
+}
+
+fs.writeFileSync(opts.outputFile, JSON.stringify(config));