diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index 736d954d2b88c8..b730d591868fd6 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -121,6 +121,13 @@
package.
+
+
+ Resilio sync secret keys can now be provided using a secrets
+ file at runtime, preventing these secrets from ending up in
+ the Nix store.
+
+
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 19308393390441..f8526e78c84f63 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -48,3 +48,5 @@ In addition to numerous new and upgraded packages, this release has the followin
- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
+
+- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
diff --git a/nixos/modules/services/networking/resilio.nix b/nixos/modules/services/networking/resilio.nix
index d21f108024e511..5a861dd874cbcd 100644
--- a/nixos/modules/services/networking/resilio.nix
+++ b/nixos/modules/services/networking/resilio.nix
@@ -8,7 +8,6 @@ let
resilioSync = pkgs.resilio-sync;
sharedFoldersRecord = map (entry: {
- secret = entry.secret;
dir = entry.directory;
use_relay_server = entry.useRelayServer;
@@ -40,6 +39,31 @@ let
shared_folders = sharedFoldersRecord;
}));
+ sharedFoldersSecretFiles = map (entry: {
+ dir = entry.directory;
+ secretFile = if builtins.hasAttr "secret" entry then
+ toString (pkgs.writeTextFile {
+ name = "secret-file";
+ text = entry.secret;
+ })
+ else
+ entry.secretFile;
+ }) cfg.sharedFolders;
+
+ runConfigPath = "/run/rslsync/config.json";
+
+ createConfig = pkgs.writeShellScriptBin "create-resilio-config" ''
+ ${pkgs.jq}/bin/jq \
+ '.shared_folders |= map(.secret = $ARGS.named[.dir])' \
+ ${
+ lib.concatMapStringsSep " \\\n "
+ (entry: ''--arg '${entry.dir}' "$(cat '${entry.secretFile}')"'')
+ sharedFoldersSecretFiles
+ } \
+ <${configFile} \
+ >${runConfigPath}
+ '';
+
in
{
options = {
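Review bot: The secret value is handed to jq on its command line via `--arg '${entry.dir}' "$(cat '${entry.secretFile}')"`, so while jq runs the secret is visible in the process argument list to every local user (e.g. through the process list), which partly undoes the point of reading it from a file. jq 1.6, which `$ARGS.named` already requires, can read the file itself: `--rawfile '${entry.dir}' '${entry.secretFile}'` (I believe `--rawfile` values land in `$ARGS.named` too), with the filter changed to `map(.secret = ($ARGS.named[.dir] | rtrimstr("\n")))` because `--rawfile` keeps the trailing newline that `$(cat …)` stripped. Separately, `${entry.dir}` and `${entry.secretFile}` are interpolated inside single quotes unescaped, so a path containing a quote breaks the generated script; `lib.escapeShellArg` is the usual fix. Note also that the `builtins.hasAttr "secret"` branch still writes an inline secret into the Nix store via `pkgs.writeTextFile`, so that form remains only a compatibility fallback.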
@@ -186,7 +210,7 @@ in
default = [];
type = types.listOf (types.attrsOf types.anything);
example =
- [ { secret = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y";
+ [ { secretFile = "/run/resilio-secret";
directory = "/home/user/sync_test";
useRelayServer = true;
useTracker = true;
@@ -202,9 +226,6 @@ in
description = lib.mdDoc ''
Shared folder list. If enabled, web UI must be
disabled. Secrets can be generated using `rslsync --generate-secret`.
- Note that this secret will be
- put inside the Nix store, so it is realistically not very
- secret.
If you would like to be able to modify the contents of this
directories, it is recommended that you make your user a
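Review bot: The removed warning is still true for the inline form: when an entry sets `secret` instead of `secretFile`, the module still writes it into the Nix store via `pkgs.writeTextFile` in the `sharedFoldersSecretFiles` hunk, yet the description now neither says so nor mentions the new `secretFile` attribute at all. Suggested sentence after the `rslsync --generate-secret` one: `Use \`secretFile\` to point at a file containing the secret, which is read when the service starts; a \`secret\` given inline is still written to the world-readable Nix store.` The option description continues outside the hunk.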
@@ -256,8 +277,10 @@ in
Restart = "on-abort";
UMask = "0002";
User = "rslsync";
+ RuntimeDirectory = "rslsync";
+ ExecStartPre = "${createConfig}/bin/create-resilio-config";
ExecStart = ''
- ${resilioSync}/bin/rslsync --nodaemon --config ${configFile}
+ ${resilioSync}/bin/rslsync --nodaemon --config ${runConfigPath}
'';
};
};
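Review bot: The generated `/run/rslsync/config.json` now carries every folder secret, but with `UMask = "0002"` the `>${runConfigPath}` redirection in create-resilio-config creates it mode 0664, and `RuntimeDirectory` defaults to mode 0755, so the secrets end up readable by every local user — the same exposure the change sets out to remove. Adding `RuntimeDirectoryMode = "0750";` next to `RuntimeDirectory = "rslsync";` keeps other users out of the directory. Since `ExecStartPre` inherits `User = "rslsync"`, each `secretFile` must also be readable by that user, which is worth stating in the option description.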