nixos/monero: add environmentFile option (#421759)

2025-07-06 14:02:49 +02:00 · 2025-07-06 14:02:49 +02:00 · 7a473d6701
commit 7a473d6701
parent 76e420b2f1 1fb02bc8f9
2 changed files with 35 additions and 1 deletions
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@ -110,6 +110,8 @@

 - `services.ntpd-rs` now performs configuration validation.

+- `services.monero` now includes the `environmentFile` option for adding secrets to the Monero daemon config.
+
 - `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
  This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}`programs.corectrl.gpuOverclock.enable` and {option}`programs.tuxclocker.enableAMD`.

--- a/nixos/modules/services/networking/monero.nix
+++ b/nixos/modules/services/networking/monero.nix
@ -226,6 +226,30 @@ in
        '';
      };

+      environmentFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        example = "/var/lib/monero/monerod.env";
+        description = ''
+          Path to an EnvironmentFile for the monero service as defined in {manpage}`systemd.exec(5)`.
+
+          Secrets may be passed to the service by specifying placeholder variables in the Nix config
+          and setting values in the environment file.
+
+          Example:
+
+          ```
+          # In environment file:
+          MINING_ADDRESS=888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H
+          ```
+
+          ```
+          # Service config
+          services.monero.mining.address = "$MINING_ADDRESS";
+          ```
+        '';
+      };
+
      extraConfig = lib.mkOption {
        type = lib.types.lines;
        default = "";
@ -257,10 +281,18 @@ in
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

+      preStart = ''
+        umask 077
+        ${pkgs.envsubst}/bin/envsubst \
+          -i ${configFile} \
+          -o ${cfg.dataDir}/monerod.conf
+      '';
+
      serviceConfig = {
        User = "monero";
        Group = "monero";
-        ExecStart = "${lib.getExe' pkgs.monero-cli "monerod"} --config-file=${configFile} --non-interactive";
+        EnvironmentFile = lib.mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+        ExecStart = "${lib.getExe' pkgs.monero-cli "monerod"} --config-file=${cfg.dataDir}/monerod.conf --non-interactive";
        Restart = "always";
        SuccessExitStatus = [
          0