diff --git a/flake.nix b/flake.nix
index 7cd81bb..c9f15a8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -87,8 +87,13 @@
 type = lib.types.submodule {
 options = {
 enable = lib.options.mkEnableOption "Restic";
+ passwordFile = lib.options.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
 password = lib.options.mkOption {
- type = lib.types.str;
+ type = lib.types.nullOr lib.types.str;
+ default = null;
 };
 storage = lib.options.mkOption {
 type = lib.types.enum [
@@ -187,11 +192,22 @@
 }.${cfg.storage};
 in
 lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.passwordFile != null and cfg.password != null;
+ message = "Must specifiy either passwordFile or password";
+ }
+ ];
+ warnings =
+ if cfg.password != null then [
+ ''Restic encryption password will be stored world readable in the Nix store.''
+ ] else [ ];
+ environment.systemPackages = [ package ];
- environment.etc."restic/password" = {
+ environment.etc."restic/password" = lib.mkIf cfg.password != null {
 text = cfg.password;
 user = "root";
 group = "root";
@@ -230,7 +246,7 @@
 text = ''
 ${hcConfig}
 RESTIC_CACHE_DIR=/var/cache/restic
- RESTIC_PASSWORD_FILE=/etc/restic/password
+ RESTIC_PASSWORD_FILE=${if cfg.passwordFile != null then cfg.passwordFile else "/etc/restic/password"}
 RESTIC_REPOSITORY=${repositoryConfig}
 ${storageConfig}
 '';
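Review bot: Neither `passwordFile` nor `password` in the first hunk carries a `description`, so the option docs never say which of the two keeps the secret out of the Nix store. I would add `description = "Path (as a string) to a file on the target host that holds the repository password; the file must live outside the Nix store.";` to `passwordFile`. The `password` option should get a matching description saying its value ends up world readable in the store, as the warning added later in this commit states, and that `passwordFile` is preferred. The submodule's option set continues outside the hunk.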
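Review bot: The assertion added in the second hunk cannot work as written, because Nix has no `and` operator (conjunction is `&&`) and the condition requires both options to be set while the message asks for one of them. If exactly one is intended, `assertion = (cfg.passwordFile != null) != (cfg.password != null);` with `message = "Must specify exactly one of passwordFile or password";` expresses that and fixes the "specifiy" typo. In the same hunk, `lib.mkIf cfg.password != null {` needs parentheses, `lib.mkIf (cfg.password != null) {`, since function application binds tighter than `!=`. The attribute set for `environment.etc."restic/password"` continues outside the hunk, so its file mode is not visible here.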