services.xray: pass the settings file with systemd loadCredential

It enables passing a sops-nix secret as a `settingsFile` @see Mic92/sops-nix#198. By default sops-nix secrets are accessible by only root. We can change owner to another user, but the xray service is defined with `dynamicUser=true`, which means, there is no user in the compile time. Systemd `loadCredential` passes the secret file to the service, which is exactly what we need here.
shofel · Dec 28, 2024 · cfe1c8e · cfe1c8e
1 parent 3f4d074
commit cfe1c8e
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/nixos/modules/services/networking/xray.nix b/nixos/modules/services/networking/xray.nix
@@ -5,7 +5,7 @@ with lib;
 {
   options = {
 
-    services.xray = {
+    services.xray' = {
       enable = mkOption {
         type = types.bool;
         default = false;
@@ -52,12 +52,14 @@ with lib;
           See <https://www.v2fly.org/en_US/config/overview.html>.
         '';
       };
+
+
     };
 
   };
 
   config = let
-    cfg = config.services.xray;
+    cfg = config.services.xray';
     settingsFile = if cfg.settingsFile != null
       then cfg.settingsFile
       else pkgs.writeTextFile {
@@ -80,9 +82,13 @@ with lib;
       description = "xray Daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      script = ''
+        cd $CREDENTIALS_DIRECTORY
+        exec "${cfg.package}/bin/xray" -config config.json
+      '';
       serviceConfig = {
         DynamicUser = true;
-        ExecStart = "${cfg.package}/bin/xray -config ${settingsFile}";
+        LoadCredential = "config.json:${settingsFile}";
         CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
         AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
         NoNewPrivileges = true;