mattermost: add environmentFile option to allow declarative secrets

This adds an option `services.mattermost.environmentFile`, intended to be
useful especially when `services.mattermost.mutableConfig` is set to `false`.
Since all mattermost configuration options can also be set by environment
variables, this allows managing secret configuration values in a declarative
manner without placing them in the nix store.
This commit is contained in:
stuebinm 2023-03-27 20:43:28 +02:00
parent a983cc62cc
commit c29ca6704d
2 changed files with 33 additions and 0 deletions

View file

@ -184,6 +184,22 @@ in
.tar.gz files.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
description = lib.mdDoc ''
Environment file (see {manpage}`systemd.exec(5)`
"EnvironmentFile=" section for the syntax) which sets config options
for mattermost (see [the mattermost documentation](https://docs.mattermost.com/configure/configuration-settings.html#environment-variables)).
Settings defined in the environment file will overwrite settings
set via nix or via the {option}`services.mattermost.extraConfig`
option.
Useful for setting config options without their value ending up in the
(world-readable) nix store, e.g. for a database password.
'';
};
localDatabaseCreate = mkOption {
type = types.bool;
@ -321,6 +337,7 @@ in
Restart = "always";
RestartSec = "10";
LimitNOFILE = "49152";
EnvironmentFile = cfg.environmentFile;
};
unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service";
};

View file

@ -50,6 +50,13 @@ in
mutableConfig = false;
extraConfig.SupportSettings.HelpLink = "https://search.nixos.org";
};
environmentFile = makeMattermost {
mutableConfig = false;
extraConfig.SupportSettings.AboutLink = "https://example.org";
environmentFile = pkgs.writeText "mattermost-env" ''
MM_SUPPORTSETTINGS_ABOUTLINK=https://nixos.org
'';
};
};
testScript = let
@ -69,6 +76,7 @@ in
rm -f $mattermostConfig
echo "$newConfig" > "$mattermostConfig"
'';
in
''
start_all()
@ -120,5 +128,13 @@ in
# Our edits should be ignored on restart
immutable.succeed("${expectConfig ''.AboutLink == "https://nixos.org" and .HelpLink == "https://search.nixos.org"''}")
## Environment File node tests ##
environmentFile.wait_for_unit("mattermost.service")
environmentFile.wait_for_open_port(8065)
# Settings in the environment file should override settings set otherwise
environmentFile.succeed("${expectConfig ''.AboutLink == "https://nixos.org"''}")
'';
})