From c624183e4e31ba9d96a77449fbd861001a916ad4 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@alarsyo.net>
Date: Fri, 17 Jan 2025 17:09:53 +0100
Subject: [PATCH] hades: secret config for mealie

---
 hosts/hades/default.nix                  |   1 +
 hosts/hades/secrets.nix                  |   4 ++++
 modules/secrets/mealie/secret-config.age | Bin 0 -> 483 bytes
 modules/secrets/secrets.nix              |   2 ++
 services/mealie.nix                      |  12 ++++++++++++
 5 files changed, 19 insertions(+)
 create mode 100644 modules/secrets/mealie/secret-config.age

diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix
index f2a4158..2b84d21 100644
--- a/hosts/hades/default.nix
+++ b/hosts/hades/default.nix
@@ -84,6 +84,7 @@ in {
     mealie = {
       enable = true;
       port = 8090;
+      credentialsFile = config.age.secrets."mealie/secret-config".path;
     };
 
     microbin = {
diff --git a/hosts/hades/secrets.nix b/hosts/hades/secrets.nix
index a5df603..d0887e2 100644
--- a/hosts/hades/secrets.nix
+++ b/hosts/hades/secrets.nix
@@ -22,6 +22,10 @@
           owner = "matrix-synapse";
         };
 
+        "mealie/secret-config" = {
+          owner = "mealie";
+        };
+
         "microbin/secret-config" = {};
 
         "miniflux/admin-credentials" = {};
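Review bot: `owner = "mealie";` on the new `"mealie/secret-config"` entry makes the decrypted file readable by the service account, which is probably more access than the service needs. The services/mealie.nix part of this patch describes the file as an `EnvironmentFile=`, and systemd reads those in the service manager before dropping privileges, so a root-owned secret like the neighbouring `"microbin/secret-config" = {};` should be enough. It is also worth confirming that a static `mealie` user exists when secrets are activated; if the unit runs under a dynamically allocated user, the ownership change may not resolve. Suggested: `"mealie/secret-config" = {};`. The attribute set holding these entries begins and ends outside the hunk.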
diff --git a/modules/secrets/mealie/secret-config.age b/modules/secrets/mealie/secret-config.age
new file mode 100644
index 0000000000000000000000000000000000000000..cd0288476ea7b2346e498f3aa01498a4079f9c23
GIT binary patch
literal 483
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7HcI!%DpxQyb+jxu
z@isQgcQi^fitsBk4hb^w$Tl|%aL-Ti39Hmj&51Ox)GqSQGT|~Zu?+SocT5cnGto{j
zD+%#8%#Ct0@pLNpC<se5cdxW8Pp!;OH_ZwND@M1iAi|>3C|#i{!ztCjz$D4Qs~|Vi
z#l@ny$jLRzvN*iZJJH#>Fv-Hv(8E2-qbfN!Bbh71HzQL!G1V_A#KXn6T;I9OIM*>E
zBQdck&#)@2$S=$*E8kP!EVslX#DGgzS687jC@mnM(yiP`-`p#uFrwJ4B+0ip&BQFk
z-NiC5BFi{2H$2cOG$S&#!j<cwO2Lkj;t$4u*j4W}{WlK#bHd}d)`mJi`%;J0Wd}bb
zbLgl}|8+6$^<uLbGcUU5hu>#jC!4ibRlhy{!J3XqMXNe@OS~{I_E1osy#4WBT@~MJ
z+tV7SH2jG1)z*1dxQyveu`2(Kj@z7EH(eM)=l}FNwTD5Wt4SuxYw@JJvzFev@8{_A
z@%}?0&pt)R7wiA<9z7qR9yCq1TjhSnly%DvOEElaPkg<*DD>ytU7w^p_?8QubJ*Ow
T^=IhhE4yd$MjUu$G}##dEzG?f

literal 0
HcmV?d00001

diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 452effa..c918355 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -22,6 +22,8 @@ in {
 
   "matrix-synapse/secret-config.age".publicKeys = [alarsyo hades];
 
+  "mealie/secret-config.age".publicKeys = [alarsyo hades];
+
   "microbin/secret-config.age".publicKeys = [alarsyo hades];
 
   "miniflux/admin-credentials.age".publicKeys = [alarsyo hades];
diff --git a/services/mealie.nix b/services/mealie.nix
index 61baefe..0be80e3 100644
--- a/services/mealie.nix
+++ b/services/mealie.nix
@@ -29,11 +29,23 @@ in {
       example = 8080;
       description = "Internal port for Mealie webapp";
     };
+    credentialsFile = lib.mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/run/secrets/mealie-credentials.env";
+      description = ''
+        File containing credentials used in mealie such as {env}`POSTGRES_PASSWORD`
+        or sensitive LDAP options.
+
+        Expects the format of an `EnvironmentFile=`, as described by {manpage}`systemd.exec(5)`.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
     services.mealie = {
       inherit listenAddress;
+      inherit (cfg) credentialsFile;
 
       enable = true;
       package = pkgs.unstable.mealie;
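Review bot: The `credentialsFile` description should warn that `types.path` also accepts a Nix path literal, which is copied into the world-readable /nix/store once it is interpolated into the generated unit. A value such as `./mealie.env` would therefore expose the credentials to every local user, whereas a runtime path string like the agenix `.path` set in hosts/hades/default.nix stays out of the store. Proposed addition to the description: `Pass a runtime path as a string, not a Nix path literal; a literal is copied into the world-readable Nix store.` The `config` block that forwards the option continues past the end of this hunk.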