};
config = lib.mkIf cfg.enable {
+ mySecrets.keys = etherpad.keys;
systemd.services.etherpad-lite = {
description = "Etherpad-lite";
wantedBy = [ "multi-user.target" ];
script = ''
exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
- --settings ${etherpad.config}
+ --settings /var/secrets/webapps/tools-etherpad
'';
serviceConfig = {
DynamicUser = true;
User = "etherpad-lite";
Group = "etherpad-lite";
+ SupplementaryGroups = "keys";
WorkingDirectory = etherpad.webappDir;
PrivateTmp = true;
NoNewPrivileges = true;
Restart = "always";
Type = "simple";
TimeoutSec = 60;
+ ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey";
};
};
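Review bot: The `ExecStartPre` line runs `chown` as root (the `+` prefix) and hands the three files under /var/secrets/webapps to `etherpad-lite`, which is a `DynamicUser`. The files stay owned by that numeric UID after the unit stops, and systemd can later allocate the same UID to another dynamic-user unit, which would then own the settings file, session key and API key. chown also follows symlinks by default, so if anything other than root can write to /var/secrets/webapps, the call should at least be `chown --no-dereference`. `SupplementaryGroups = "keys"` presumably lets the process read every secret that is group-readable by `keys`, not only its own three files; where the systemd version supports it, `LoadCredential=` would pass the files to the service without changing ownership on disk or adding the group. The enclosing `config` block starts and ends outside the visible lines, so this is based only on the service definition shown.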