
Sourcehut secrets #126090

Closed
tomberek opened this issue Jun 7, 2021 · 4 comments · Fixed by #133984
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@tomberek
Contributor

tomberek commented Jun 7, 2021

Is there an option to read keys from a file so that they don't end up in the nix store? Something similar to what wireguard has:
networking.wireguard.interfaces.<name>.privateKeyFile instead of networking.wireguard.interfaces.<name>.privateKey?

Originally posted by @pinpox in #113244 (comment)

What's the best way to do this? Neither TOML nor sourcehut allows a "from file" ability. So the next best option is to have a config.ini.template in /etc/sr.ht and a service that fills in the details imperatively into the actual config.ini from non-nix-store'd files prior to services starting?

@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Jun 18, 2021
@Artturin
Member

Artturin commented Jun 19, 2021

implement it upstream?

@pinpox
Member

pinpox commented Jul 2, 2021

@tomberek Are you planning on implementing this? I can't really use the current module without giving all users on my system access to the keys (they can obviously read the nix store), and I also keep my nixos configs in a public repository, which currently would expose the secret to the world.

So the next best option is to have a config.ini.template in /etc/sr.ht and a service that fills in the details imperatively into the actual config.ini from non-nix-store'd files prior to services starting?

I think this is the way to go; there are other examples of modules doing this in nixpkgs. I think the mattermost module does something similar using the preStart directive of the systemd unit.
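The template-plus-preStart approach discussed in this thread, as an added example (not code from the issue or from the nixpkgs sourcehut module): a POSIX shell function a preStart script could call to fill config.ini from a template and an owner-only secret file kept outside /nix/store. The @NAME@ placeholder style, the NAME=value secret file format and the use of GNU stat(1) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from the nixpkgs sourcehut module.
# Renders config.ini from a template, as a systemd preStart step could, so the
# secret values never enter /nix/store. Placeholders in the template are @NAME@
# and the secret file holds NAME=value lines (both conventions are assumptions).
# The permission check uses GNU stat(1).

render_config() {
    template="$1"; secrets="$2"; out="$3"

    # The secret file must be readable by its owner only; anything wider
    # recreates the world-readable-store problem the issue is about.
    mode=$(stat -c '%a' "$secrets") || return 1
    case "$mode" in
        *00) ;;
        *) echo "refusing $secrets: mode $mode is not owner-only" >&2; return 2 ;;
    esac

    # Substitute with index()/substr() rather than a regex so values containing
    # '&', '/' or backslashes are copied verbatim. Write under umask 077 to a
    # temp file and rename, so a half-written or readable config never appears.
    rm -f "$out.tmp"
    ( umask 077
      awk 'FILENAME == ARGV[1] {
               if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next   # comments, blanks
               i = index($0, "=")
               if (i > 0) val["@" substr($0, 1, i - 1) "@"] = substr($0, i + 1)
               next
           }
           {
               for (k in val) {
                   acc = ""; rest = $0
                   while ((p = index(rest, k)) > 0) {
                       acc = acc substr(rest, 1, p - 1) val[k]
                       rest = substr(rest, p + length(k))
                   }
                   $0 = acc rest
               }
               print
           }' "$secrets" "$template" > "$out.tmp"
    ) || { rm -f "$out.tmp"; return 1; }

    # A surviving placeholder means a secret is missing: fail before the
    # service starts with a bogus value rather than silently.
    if grep -q '@[A-Za-z0-9_-]*@' "$out.tmp"; then
        echo "unfilled placeholder in $template" >&2; rm -f "$out.tmp"; return 3
    fi
    mv "$out.tmp" "$out"
}
```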

@pinpox
Member

pinpox commented Jul 9, 2021

@tomberek Another option that would be possible without too much rework:

We could just add an option to use a predefined settings file. In addition to services.sourcehut.settings there could be a services.sourcehut.configFilePath or similar that just allows using a static file as configuration. The settings and configFilePath options would be mutually exclusive.

@tomberek
Contributor Author

Being worked on in 133984.
