diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix
index 7fc145f2303d..390f0ddaee83 100644
--- a/nixos/modules/services/networking/nix-serve.nix
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -37,8 +37,6 @@ in
 nix-store --generate-binary-cache-key key-name secret-key-file public-key-file
 ```
- Make sure user `nix-serve` has read access to the private key file.
-
 For more details see nix-store1.
 '';
 };
@@ -61,16 +59,22 @@ in
 path = [ config.nix.package.out pkgs.bzip2.bin ];
 environment.NIX_REMOTE = "daemon";
- environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;
+
+ script = ''
+ ${lib.optionalString (cfg.secretKeyFile != null) ''
+ export NIX_SECRET_KEY_FILE="$CREDENTIALS_DIRECTORY/NIX_SECRET_KEY_FILE"
+ ''}
+ exec ${pkgs.nix-serve}/bin/nix-serve --listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}
+ '';
 serviceConfig = {
 Restart = "always";
 RestartSec = "5s";
- ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
- "--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
 User = "nix-serve";
 Group = "nix-serve";
 DynamicUser = true;
+ LoadCredential = lib.optionalString (cfg.secretKeyFile != null)
+ "NIX_SECRET_KEY_FILE:${cfg.secretKeyFile}";
 };
 };
 };
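Review bot: In the second hunk `cfg.bindAddress` and `cfg.extraParams` are now interpolated into the bash `script` rather than an `ExecStart=` line, so shell metacharacters in those option values are evaluated by the shell, which the removed `ExecStart` form did not do. Quoting the listen address is cheap: `--listen ${lib.escapeShellArg "${cfg.bindAddress}:${toString cfg.port}"} ${cfg.extraParams}`. `extraParams` has to stay unquoted to keep splitting into several arguments, so a comment such as `# extraParams is intentionally word-split by the shell` above the `exec` line would record that. As a smaller point, `lib.optionalString` presumably leaves an empty `LoadCredential=` in the unit when no key is configured; `lib.mkIf (cfg.secretKeyFile != null) "NIX_SECRET_KEY_FILE:${cfg.secretKeyFile}"` would omit the setting instead. The enclosing service definition starts above the hunk.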