From 3fcf9cf9bcb35ac4ee8951b2bc21633c632fb71f Mon Sep 17 00:00:00 2001
From: Henri Menke
Date: Sat, 1 May 2021 22:12:45 +0200
Subject: [PATCH] nixos/attestation-server: use systemd credentials
---
 nixos/attestation-server/module.nix | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/nixos/attestation-server/module.nix b/nixos/attestation-server/module.nix
index 0494af9f..8113861e 100644
--- a/nixos/attestation-server/module.nix
+++ b/nixos/attestation-server/module.nix
@@ -111,7 +111,9 @@ in
 wantedBy = [ "multi-user.target" ];
 requires = [ "network-online.target" ];
- serviceConfig = {
+ serviceConfig = (lib.optionalAttrs (cfg.email.passwordFile != null) {
+ LoadCredential = "emailPassword:${cfg.email.passwordFile}";
+ }) // {
 ExecStart = "${cfg.package}/bin/AttestationServer";
 ExecStartPre = let
 inherit (cfg.email) username passwordFile host port local;
@@ -120,7 +122,7 @@ in
 # truncate the trailing newline (\n = char(10)) anyway.
 values = lib.concatStringsSep ", " [
 "('emailUsername', '${username}')"
- "('emailPassword', TRIM(readfile('%S/attestation/emailPassword'), char(10)))"
+ "('emailPassword', TRIM(readfile('$CREDENTIALS_DIRECTORY/emailPassword'), char(10)))"
 "('emailHost', '${host}')"
 "('emailPort', '${toString port}')"
 "('emailLocal', '${if local then "1" else "0"}')"
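Review bot: `LoadCredential` is only set when `cfg.email.passwordFile != null`, but the `ExecStartPre` SQL in the following hunk unconditionally inserts an `emailPassword` row read from `$CREDENTIALS_DIRECTORY/emailPassword`; if a null `passwordFile` is meant to be supported (the new `optionalAttrs` guard suggests it is), that unit has no credentials directory, `readfile()` returns NULL and the `value NOT NULL` constraint makes the pre-start command fail. Either make the `emailPassword` entry of `values` conditional as well, e.g. `++ lib.optional (cfg.email.passwordFile != null) "('emailPassword', ...)"`, or drop the guard and assert the option is set. Loading the file through `LoadCredential` is the right direction: systemd reads it as root and exposes it only in the service-private credentials directory, so the root-run `install` copy into `%S` and the `keys` group are no longer needed. The `serviceConfig` attribute set and the `ExecStartPre` `let` continue past the end of this hunk.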
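Review bot: `$CREDENTIALS_DIRECTORY` sits inside a larger argument here, and as far as I know systemd expands an unbraced `$VAR` only when it is a whole word, while the braced form is expanded inside a word; unless this line is run through a shell, sqlite3 receives the literal path, `readfile()` returns NULL and the INSERT fails on the `NOT NULL` constraint. The line should read `"('emailPassword', TRIM(readfile('\${CREDENTIALS_DIRECTORY}/emailPassword'), char(10)))"`, where the backslash stops Nix from treating `${...}` as its own interpolation. Note that `readfile()` still stores the password in plaintext in `%S/attestation/attestation.db`, as before this change, so the database file's permissions remain the effective protection for the secret. The `values` list starts before and ends after this hunk.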
@@ -129,12 +131,9 @@ in
 # Note the leading + on the first command. The passwordFile could be
 # anywhere in the file system, so it has to be copied as root and
 # permissions fixed to be accessible by the service.
- "+${pkgs.coreutils}/bin/install -m 0640 -g keys ${passwordFile} %S/attestation/emailPassword"
 ''${pkgs.sqlite}/bin/sqlite3 %S/attestation/attestation.db "CREATE TABLE IF NOT EXISTS Configuration (key TEXT PRIMARY KEY NOT NULL, value NOT NULL)"''
 ''${pkgs.sqlite}/bin/sqlite3 %S/attestation/attestation.db "INSERT OR REPLACE INTO Configuration VALUES ${values}"''
- "${pkgs.coreutils}/bin/rm -f %S/attestation/emailPassword"
 ];
- SupplementaryGroups = [ "keys" ];
 # When sending TERM, e.g. for restart, AttestationServer fails with
 # this exit code.
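Review bot: The three-line comment kept at the top of this hunk still describes the removed root-run `install` command ("Note the leading + on the first command…"), so it is now stale and misdescribes how the password reaches the service. Replace it with `# The password is supplied by systemd via LoadCredential and read from` / `# $CREDENTIALS_DIRECTORY by the INSERT below; no root copy into %S is needed.`, and drop the now-unused `passwordFile` from the `inherit (cfg.email) ...` line in the first hunk. Since the `rm -f %S/attestation/emailPassword` step is removed too, a deployment whose earlier pre-start failed between the copy and the `rm -f` may still have that file in the state directory with the old `keys`-group mode; a one-time cleanup on upgrade, or at least a note in the commit message, is worth considering. The `ExecStartPre` list closes inside this hunk but the enclosing `serviceConfig` continues past it.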