Instead of hard-coding a single `configFile` for
`privacyidea-ldap-proxy.service` which is pretty unmergable with other
declarations it now uses a RFC42-like approach. Also to make sure that
secrets can be handled properly without ending up in the Nix store, it's
possible to inject secrets via envsubst
{
services.privacyidea.ldap-proxy = {
enable = true;
environmentFile = "/run/secrets/ldap-pw";
settings = {
privacyidea.instance = "privacyidea.example.org";
service-account = {
dn = "uid=readonly,ou=serviceaccounts,dc=example,dc=org";
password = "$LDAP_PW";
};
};
};
}
and the following secret file (at `/run/secrets`):
LDAP_PW=<super-secret ldap pw>
For backwards-compat the old `configFile`-option is kept, but it throws
a deprecation warning and is mutually exclusive with the
`settings`-attrset. Also, it doesn't support secrets injection with
`envsubst` & `environmentFile`.