From c29ca6704dfd562e22bc60ad3d650d753f4bb22f Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 27 Mar 2023 20:43:28 +0200 Subject: [PATCH] mattermost: add environmentFile option to allow declarative secrets This adds an option `services.mattermost.environmentFile`, intended to be useful especially when `services.mattermost.mutableConfig` is set to `false`. Since all mattermost configuration options can also be set by environment variables, this allows managing secret configuration values in a declarative manner without placing them in the nix store. --- nixos/modules/services/web-apps/mattermost.nix | 17 +++++++++++++++++ nixos/tests/mattermost.nix | 16 ++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/nixos/modules/services/web-apps/mattermost.nix b/nixos/modules/services/web-apps/mattermost.nix index 56a53198b3fb..db5122e79f00 100644 --- a/nixos/modules/services/web-apps/mattermost.nix +++ b/nixos/modules/services/web-apps/mattermost.nix @@ -184,6 +184,22 @@ in .tar.gz files. ''; }; + environmentFile = mkOption { + type = types.nullOr types.path; + default = null; + description = lib.mdDoc '' + Environment file (see {manpage}`systemd.exec(5)` + "EnvironmentFile=" section for the syntax) which sets config options + for mattermost (see [the mattermost documentation](https://docs.mattermost.com/configure/configuration-settings.html#environment-variables)). + + Settings defined in the environment file will overwrite settings + set via nix or via the {option}`services.mattermost.extraConfig` + option. + + Useful for setting config options without their value ending up in the + (world-readable) nix store, e.g. for a database password. + ''; + }; localDatabaseCreate = mkOption { type = types.bool; @@ -321,6 +337,7 @@ in Restart = "always"; RestartSec = "10"; LimitNOFILE = "49152"; + EnvironmentFile = cfg.environmentFile; }; unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service"; }; 
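Review bot: The `environmentFile` description never says the value must be a path outside the store, and `types.path` also accepts a Nix path literal. A literal such as `./mattermost.env` is copied into the world-readable store once it is coerced for the unit file, which is exactly the exposure the last paragraph of the description promises to avoid. I would add a sentence such as `Pass the path as a string (not a Nix path literal), otherwise the file itself is copied into the nix store.` and an `example = "/run/secrets/mattermost.env";` (constructed path). It is also worth stating that values set this way live in the service's process environment, so they are readable by whatever can read that environment.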
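Review bot: `EnvironmentFile = cfg.environmentFile;` is assigned unconditionally, so with the default `null` the result depends on how the unit generator treats a null value (presumably an empty `EnvironmentFile=` line, or nothing). That is likely harmless, but emitting the key only when the option is set makes the intent explicit and matches the `mkIf` used on the `unitConfig` line just below: `EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;`. The enclosing `serviceConfig` block starts outside the hunk.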
diff --git a/nixos/tests/mattermost.nix b/nixos/tests/mattermost.nix index 49b418d9fff7..e11201f05357 100644 --- a/nixos/tests/mattermost.nix +++ b/nixos/tests/mattermost.nix @@ -50,6 +50,13 @@ in mutableConfig = false; extraConfig.SupportSettings.HelpLink = "https://search.nixos.org"; }; + environmentFile = makeMattermost { + mutableConfig = false; + extraConfig.SupportSettings.AboutLink = "https://example.org"; + environmentFile = pkgs.writeText "mattermost-env" '' + MM_SUPPORTSETTINGS_ABOUTLINK=https://nixos.org + ''; + }; }; testScript = let @@ -69,6 +76,7 @@ in rm -f $mattermostConfig echo "$newConfig" > "$mattermostConfig" ''; + in '' start_all() @@ -120,5 +128,13 @@ in # Our edits should be ignored on restart immutable.succeed("${expectConfig ''.AboutLink == "https://nixos.org" and .HelpLink == "https://search.nixos.org"''}") + + + ## Environment File node tests ## + environmentFile.wait_for_unit("mattermost.service") + environmentFile.wait_for_open_port(8065) + + # Settings in the environment file should override settings set otherwise + environmentFile.succeed("${expectConfig ''.AboutLink == "https://nixos.org"''}") ''; })
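Review bot: The new `environmentFile` test node builds its file with `pkgs.writeText`, which places it in the world-readable store, the opposite of how the option is meant to be used with real secrets. That is fine here because the value is a public URL, but tests are often copied as usage examples. I would add a comment above the `environmentFile = pkgs.writeText …` line, e.g. `# Test only: writeText puts this file in the nix store; real secrets must live in a file outside the store.`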