hades: secret config for mealie

alarsyo · Jan 17, 2025 · 78b96dd · 78b96dd
1 parent 6aca4f9
commit 78b96dd
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 0 deletions.
diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
@@ -84,6 +84,7 @@ in {
     mealie = {
       enable = true;
       port = 8090;
+      credentialsFile = config.age.secrets."mealie/secret-config".path;
     };
 
     microbin = {

diff --git a/hosts/hades/secrets.nix b/hosts/hades/secrets.nix
@@ -22,6 +22,8 @@
           owner = "matrix-synapse";
         };
 
+        "mealie/secret-config" = {};
+
         "microbin/secret-config" = {};
 
         "miniflux/admin-credentials" = {};

diff --git a/modules/secrets/mealie/secret-config.age b/modules/secrets/mealie/secret-config.age
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
@@ -22,6 +22,8 @@ in {
 
   "matrix-synapse/secret-config.age".publicKeys = [alarsyo hades];
 
+  "mealie/secret-config.age".publicKeys = [alarsyo hades];
+
   "microbin/secret-config.age".publicKeys = [alarsyo hades];
 
   "miniflux/admin-credentials.age".publicKeys = [alarsyo hades];

diff --git a/services/mealie.nix b/services/mealie.nix
@@ -29,11 +29,23 @@ in {
       example = 8080;
       description = "Internal port for Mealie webapp";
     };
+    credentialsFile = lib.mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/run/secrets/mealie-credentials.env";
+      description = ''
+        File containing credentials used in mealie such as {env}`POSTGRES_PASSWORD`
+        or sensitive LDAP options.
+
+        Expects the format of an `EnvironmentFile=`, as described by {manpage}`systemd.exec(5)`.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
     services.mealie = {
       inherit listenAddress;
+      inherit (cfg) credentialsFile;
 
       enable = true;
       package = pkgs.unstable.mealie;