From 837315ceffd4b8fee77d6956d7eaa0b1038a28a1 Mon Sep 17 00:00:00 2001
From: Slava
Date: Sat, 28 Dec 2024 14:20:43 +0500
Subject: [PATCH] services.xray: pass the settings file with systemd loadCredential

It enables passing a sops-nix secret as a `settingsFile` @see https://github.com/Mic92/sops-nix/issues/198. By default sops-nix secrets are accessible by only root. We can change owner to another user, but the xray service is defined with `dynamicUser=true`, which means, there is no user in the compile time. Systemd `loadCredential` passes the secret file to the service, which is exactly what we need here.
---
 nixos/modules/services/networking/xray.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/xray.nix b/nixos/modules/services/networking/xray.nix
index 40a154d8d030b..18c8e3121bd40 100644
--- a/nixos/modules/services/networking/xray.nix
+++ b/nixos/modules/services/networking/xray.nix
@@ -80,9 +80,13 @@ with lib;
 description = "xray Daemon";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
+ script = ''
+ cd $CREDENTIALS_DIRECTORY
+ exec "${cfg.package}/bin/xray" -config config.json
+ '';
 serviceConfig = {
 DynamicUser = true;
- ExecStart = "${cfg.package}/bin/xray -config ${settingsFile}";
+ LoadCredential = "config.json:${settingsFile}";
 CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 NoNewPrivileges = true;
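Review bot: The new `script` wrapper resolves the config relative to the working directory after an unquoted `cd $CREDENTIALS_DIRECTORY`, so if that variable were ever empty the daemon would silently pick up whatever `config.json` sits in the fallback cwd instead of the credential; systemd already exposes the credentials directory as the `%d` specifier, so the shell wrapper can be dropped and the original `ExecStart` kept as `ExecStart = "${cfg.package}/bin/xray -config %d/config.json";` alongside the new `LoadCredential` line. That keeps the unit free of a shell and of cwd-dependent path lookup, and `%d` ships with the same systemd versions that support `LoadCredential`. If the wrapper is kept, quote the expansion (`cd "$CREDENTIALS_DIRECTORY"`) and pass an absolute path to `-config`. Separately, the `settingsFile` option description (outside this hunk) should now state that the file is read by systemd as root at unit start, not by the service user, since that is the behavioural change this commit relies on; the enclosing `systemd.services.xray` attribute set continues outside the hunk.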