services.xray: pass the settings file with systemd loadCredential

It enables passing a sops-nix secret as a `settingsFile` @see Mic92/sops-nix#198. By default sops-nix secrets are accessible by only root. We can change owner to another user, but the xray service is defined with `dynamicUser=true`, which means, there is no user in the compile time. Systemd `loadCredential` passes the secret file to the service, which is exactly what we need here.
shofel · Dec 28, 2024 · 837315c · 837315c
1 parent 3f4d074
commit 837315c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/nixos/modules/services/networking/xray.nix b/nixos/modules/services/networking/xray.nix
@@ -80,9 +80,13 @@ with lib;
       description = "xray Daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      script = ''
+        cd $CREDENTIALS_DIRECTORY
+        exec "${cfg.package}/bin/xray" -config config.json
+      '';
       serviceConfig = {
         DynamicUser = true;
-        ExecStart = "${cfg.package}/bin/xray -config ${settingsFile}";
+        LoadCredential = "config.json:${settingsFile}";
         CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
         AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
         NoNewPrivileges = true;