nixos/dendrite: add an option loadCredential

[jian-lin]

Description of changes

systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.

Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
1.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[mjlbach]

The change LGTM, I wanted to do this but there were issues at the time with systemd 247 (start reading here if interested in the context)

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/780

[jian-lin]

/marvin opt-in
/status needs_reviewer

[marvin-mk2]

Hi! I'm an experimental bot. My goal is to guide this PR through its stages, hopefully ending with a merge. You can read up on the usage here.

[marvin-mk2]

Reminder: Please review!

This Pull Request is awaiting review. If you are the assigned reviewer, please have a look. Try to find another reviewer if necessary. If you can't, please say so. If the status is not accurate, please change it. If nothing happens, this PR will be should be put back in the needs_reviewer queue in one day.

---

Note: This feature is currently broken. The bot will not actually change the status. If you see this message multiple times, please request a status change manually.

[jian-lin]

/status needs_reviewer

[marvin-mk2]

Reminder: Please review!

This Pull Request is awaiting review. If you are the assigned reviewer, please have a look. Try to find another reviewer if necessary. If you can't, please say so. If the status is not accurate, please change it. If nothing happens, this PR will be should be put back in the needs_reviewer queue in one day.

---

Note: This feature is currently broken. The bot will not actually change the status. If you see this message multiple times, please request a status change manually.

[chuangzhu]

I don't think deprecating environmentFile is a good idea. LoadCredential just loads a file to a secret directory so services with DynamicUser enabled can read it without permission issue. It cannot substitute secrets in the config file. The client_api.registration_shared_secret option cannot currently be passed in another file. If you want to connect a remote PostgreSQL database. you will need to pass the password in *.database.connection_string in a way like postgresql://user:password@hostname/database.

I agree with adding the loadCredential option, but I don't think it is a replacement for environmentFile.

[dotlambda]

We should use the new option in the test.

[jian-lin]

I don't think deprecating environmentFile is a good idea. LoadCredential just loads a file to a secret directory so services with DynamicUser enabled can read it without permission issue. It cannot substitute secrets in the config file. The client_api.registration_shared_secret option cannot currently be passed in another file. If you want to connect a remote PostgreSQL database. you will need to pass the password in *.database.connection_string in a way like postgresql://user:password@hostname/database.

I agree with adding the loadCredential option, but I don't think it is a replacement for environmentFile.

You are right. Some options in the config.yaml need to be string instead of path. They cannot be substituted using our current module. I missed that.

Using LoadCredential for those options is still possible, e.g. we can substitute secrets in ExecStart phase, but not in ExecStartPre due to systemd/systemd#19604 . I personally don't use those options, so I'll leave it for someone to make another PR.

[jian-lin]

Thanks for the review. Changes have been made.

[jian-lin]

Can we merge this since changes have been made as required? @dotlambda @SuperSandro2000

[jian-lin]

I don't use dendrite anymore.

[dotlambda]

I missed this, sorry.

[dotlambda]

I think we should still merge this because it's necessary for anyone who does use dendrite.
cc @tim-tx

[jian-lin]

I think we should still merge this because it's necessary for anyone who does use dendrite.

Well, it's not necessary, just an improvement of UX.

Anyway, I will be happy if it gets merged.

[dotlambda]

@ofborg test dendrite

[github-actions]

Successfully created backport PR #175356 for release-22.05.