surrealdb: module: add secret management

2022-12-10 10:18:50 -05:00 · 2022-12-10 10:18:50 -05:00 · bdf8a69ecc
parent f6c0dcfb9e
commit bdf8a69ecc
1 changed files with 26 additions and 1 deletions
--- a/nixos/modules/services/databases/surrealdb.nix
+++ b/nixos/modules/services/databases/surrealdb.nix
@ -37,6 +37,20 @@ in {
        default = 8000;
        example = 8000;
      };
+
+      userNamePath = mkOption {
+        type = types.path;
+        description = lib.mdDoc ''
+          Path to read the username from.
+        '';
+      };
+
+      passwordPath = mkOption {
+        type = types.path;
+        description = lib.mdDoc ''
+          Path to read the password from.
+        '';
+      };
    };
  };

@ -50,8 +64,19 @@ in {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

+      script = ''
+        ${pkgs.surrealdb}/bin/surreal start \
+          --user $(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_USERNAME) \
+          --pass $(${pkgs.systemd}/bin/systemd-creds cat SURREALDB_PASSWORD) \
+          --bind ${cfg.host}:${toString cfg.port} \
+          -- ${cfg.dbPath}
+      '';
      serviceConfig = {
-        ExecStart = "${pkgs.surrealdb}/bin/surreal start --bind ${cfg.host}:${toString cfg.port} ${optionalString (cfg.dbPath != null) "-- ${cfg.dbPath}"}";
+        LoadCredential = [
+          "SURREALDB_USERNAME:${cfg.userNamePath}"
+          "SURREALDB_PASSWORD:${cfg.passwordPath}"
+        ];
+
        DynamicUser = true;
        Restart = "on-failure";
        StateDirectory = "surrealdb";