diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index 70afbe0433ae..039c9737b1f4 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -3,6 +3,10 @@ with lib;
let
cfg = config.services.sssd;
nscd = config.services.nscd;
+
+ dataDir = "/var/lib/sssd";
+ settingsFile = "${dataDir}/sssd.conf";
+ settingsFileUnsubstituted = pkgs.writeText "${dataDir}/sssd-unsubsituted.conf" cfg.config;
in {
options = {
services.sssd = {
@@ -47,6 +51,30 @@ in {
Kerberos will be configured to cache credentials in SSS.
'';
};
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = ''
+ Environment file as defined in
+ systemd.exec5
+ .
+
+ Secrets may be passed to the service without adding them to the world-readable
+ Nix store, by specifying placeholder variables as the option value in Nix and
+ setting these variables accordingly in the environment file.
+
+
+ # snippet of sssd-related config
+ [domain/LDAP]
+ ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+
+
+
+ # contents of the environment file
+ SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword
+
+ '';
+ };
};
};
config = mkMerge [
@@ -60,22 +88,28 @@ in {
wants = [ "nss-user-lookup.target" ];
restartTriggers = [
config.environment.etc."nscd.conf".source
- config.environment.etc."sssd/sssd.conf".source
+ settingsFileUnsubstituted
];
script = ''
export LDB_MODULES_PATH+="''${LDB_MODULES_PATH+:}${pkgs.ldb}/modules/ldb:${pkgs.sssd}/modules/ldb"
mkdir -p /var/lib/sss/{pubconf,db,mc,pipes,gpo_cache,secrets} /var/lib/sss/pipes/private /var/lib/sss/pubconf/krb5.include.d
- ${pkgs.sssd}/bin/sssd -D
+ ${pkgs.sssd}/bin/sssd -D -c ${settingsFile}
'';
serviceConfig = {
Type = "forking";
PIDFile = "/run/sssd.pid";
+ StateDirectory = baseNameOf dataDir;
+ EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
};
- };
-
- environment.etc."sssd/sssd.conf" = {
- text = cfg.config;
- mode = "0400";
+ preStart = ''
+ [ -f ${settingsFile} ] && rm -f ${settingsFile}
+ old_umask=$(umask)
+ umask 0177
+ ${pkgs.envsubst}/bin/envsubst \
+ -o ${settingsFile} \
+ -i ${settingsFileUnsubstituted}
+ umask $old_umask
+ '';
};
system.nssModules = [ pkgs.sssd ];