From b4df6da21250de5f724224f4cb06d8a071c59420 Mon Sep 17 00:00:00 2001
From: Guillaume Girol
Date: Fri, 27 May 2022 12:00:00 +0000
Subject: [PATCH] nixos/acme: use types.secretFile for credential files
---
 nixos/modules/security/acme/default.nix | 2 +-
 nixos/tests/acme.nix | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index d827c448055b76..3ffc3d83391d1d 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -554,7 +554,7 @@ let
 };
 credentialsFile = mkOption {
- type = types.path;
+ type = types.secretFile;
 inherit (defaultAndText "credentialsFile" null) default defaultText;
 description = ''
 Path to an EnvironmentFile for the cert's service containing any required and
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 2dd06a50f40ba1..4eed474fbfad94 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -18,12 +18,12 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: let
 dnsConfig = nodes: {
 dnsProvider = "exec";
 dnsPropagationCheck = false;
- credentialsFile = pkgs.writeText "wildcard.env" ''
+ credentialsFile = lib.types.secretFile.makeWorldReadable (pkgs.writeText "wildcard.env" ''
 EXEC_PATH=${dnsScript nodes}
 EXEC_POLLING_INTERVAL=1
 EXEC_PROPAGATION_TIMEOUT=1
 EXEC_SEQUENCE_INTERVAL=1
- '';
+ '');
 };
 documentRoot = pkgs.runCommand "docroot" {} ''
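Review bot: The `credentialsFile` description (it continues past the end of this hunk) should say that Nix store paths are no longer accepted, since the switch from `types.path` to `types.secretFile` changes what users may pass. Judging by the test change in nixos/tests/acme.nix, a `pkgs.writeText` result now needs an explicit `makeWorldReadable` wrapper, so existing configurations that set this option to a path literal or a derivation output will presumably fail at evaluation. I would add a sentence such as `The file must not be in the Nix store, which is world-readable.` and mention the change in the release notes. The next line still passes `null` as the default, so it is worth confirming that `types.secretFile` is only checked when the value is actually used, or declaring the option as `types.nullOr types.secretFile`.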
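Review bot: The `lib.types.secretFile.makeWorldReadable (...)` wrapper on `credentialsFile` needs a comment saying why opting out is acceptable here. Without one it reads as the recommended way to silence the new type check and may be copied into real configurations. The wrapped file only carries `EXEC_PATH` and three `EXEC_*` timing values for the test DNS script, so nothing secret lands in the store. A line like `# not a secret: only EXEC_* settings for the test DNS hook, safe to keep in the store` above the assignment would say so. The tests would also benefit from a case asserting that an unwrapped store path is rejected, so that the check this commit introduces is itself covered.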