atuin: Allow setting database.uri to null

When a password is required to connect to postgres using services.atuin.database.uri directly would make the password be written in the nix store, which is suboptimal. Instead we can have the password in a file accessible only to root by having systemd read an EnvironmentFile directly, but we must ensure that this file has priority over the environment set. Not setting the variable in this case is more straightforward.
2024-02-22 21:10:36 +09:00 · 2024-02-22 21:10:36 +09:00 · 85ee3198c7
commit 85ee3198c7
parent 5863c27340
1 changed files with 7 additions and 3 deletions
--- a/nixos/modules/services/misc/atuin.nix
+++ b/nixos/modules/services/misc/atuin.nix
@ -52,10 +52,13 @@ in
        };

        uri = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
          default = "postgresql:///atuin?host=/run/postgresql";
          example = "postgresql://atuin@localhost:5432/atuin";
-          description = mdDoc "URI to the database";
+          description = mdDoc ''
+            URI to the database.
+            Can be set to null in which case ATUIN_DB_URI should be set through an EnvironmentFile
+          '';
        };
      };
    };
@ -132,9 +135,10 @@ in
        ATUIN_PORT = toString cfg.port;
        ATUIN_MAX_HISTORY_LENGTH = toString cfg.maxHistoryLength;
        ATUIN_OPEN_REGISTRATION = lib.boolToString cfg.openRegistration;
-        ATUIN_DB_URI = cfg.database.uri;
        ATUIN_PATH = cfg.path;
        ATUIN_CONFIG_DIR = "/run/atuin"; # required to start, but not used as configuration is via environment variables
+      } // lib.optionalAttrs (cfg.database.uri != null) {
+        ATUIN_DB_URI = cfg.database.uri;
      };
    };