From cf546b0bf0ee9ee3e6284dbeb45bcc78a9717329 Mon Sep 17 00:00:00 2001
From: Sarah Brofeldt <sarah@qtr.dk>
Date: Tue, 28 May 2024 08:28:09 +0200
Subject: [PATCH] nixos/devpi-server: fix loading credentials as DynamicUser

(cherry picked from commit 4d4571b20a29a8bf53a2a75ee1da64758b88288a)
---
 nixos/modules/services/misc/devpi-server.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/misc/devpi-server.nix b/nixos/modules/services/misc/devpi-server.nix
index 0234db4bc2c5..92c0c6206c8b 100644
--- a/nixos/modules/services/misc/devpi-server.nix
+++ b/nixos/modules/services/misc/devpi-server.nix
@@ -74,8 +74,9 @@ in
       # have 0600 permissions.
       preStart =
         ''
-          cp ${cfg.secretFile} ${runtimeDir}/${secretsFileName}
-          chmod 0600 ${runtimeDir}/*${secretsFileName}
+          ${optionalString (!isNull cfg.secretFile)
+            "install -Dm 0600 \${CREDENTIALS_DIRECTORY}/devpi-secret ${runtimeDir}/${secretsFileName}"
+          }
 
           if [ -f ${serverDir}/.nodeinfo ]; then
             # already initialized the package index, exit gracefully
@@ -85,6 +86,9 @@ in
         + strings.optionalString cfg.replica "--role=replica --master-url=${cfg.primaryUrl}";
 
       serviceConfig = {
+        LoadCredential = lib.mkIf (! isNull cfg.secretFile) [
+          "devpi-secret:${cfg.secretFile}"
+        ];
         Restart = "always";
         ExecStart =
           let