From 1fb02bc8f9932996fcc75a9d63c3d719e4a8ec6a Mon Sep 17 00:00:00 2001
From: Jaco Malan
Date: Thu, 3 Jul 2025 08:14:38 +0200
Subject: [PATCH] nixos/monero: add `environmentFile` option
---
 .../manual/release-notes/rl-2511.section.md | 2 ++
 nixos/modules/services/networking/monero.nix | 34 ++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index 26e832045d03..6aeb5980f97a 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -110,6 +110,8 @@
 - `services.ntpd-rs` now performs configuration validation.
+- `services.monero` now includes the `environmentFile` option for adding secrets to the Monero daemon config.
+
 - `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask). This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}`programs.corectrl.gpuOverclock.enable` and {option}`programs.tuxclocker.enableAMD`.
diff --git a/nixos/modules/services/networking/monero.nix b/nixos/modules/services/networking/monero.nix
index f059edc1c6f2..bd63ea3806ac 100644
--- a/nixos/modules/services/networking/monero.nix
+++ b/nixos/modules/services/networking/monero.nix
@@ -226,6 +226,30 @@ in
 '';
 };
+ environmentFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ example = "/var/lib/monero/monerod.env";
+ description = ''
+ Path to an EnvironmentFile for the monero service as defined in {manpage}`systemd.exec(5)`.
+
+ Secrets may be passed to the service by specifying placeholder variables in the Nix config
+ and setting values in the environment file.
+
+ Example:
+
+ ```
+ # In environment file:
+ MINING_ADDRESS=888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H
+ ```
+
+ ```
+ # Service config
+ services.monero.mining.address = "$MINING_ADDRESS";
+ ```
+ '';
+ };
+
 extraConfig = lib.mkOption {
 type = lib.types.lines;
 default = "";
@@ -257,10 +281,18 @@ in
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
+ preStart = ''
+ umask 077
+ ${pkgs.envsubst}/bin/envsubst \
+ -i ${configFile} \
+ -o ${cfg.dataDir}/monerod.conf
+ '';
+
 serviceConfig = {
 User = "monero";
 Group = "monero";
- ExecStart = "${lib.getExe' pkgs.monero-cli "monerod"} --config-file=${configFile} --non-interactive";
+ EnvironmentFile = lib.mkIf (cfg.environmentFile != null) [ cfg.environmentFile ];
+ ExecStart = "${lib.getExe' pkgs.monero-cli "monerod"} --config-file=${cfg.dataDir}/monerod.conf --non-interactive";
 Restart = "always";
 SuccessExitStatus = [
 0
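Review bot: The `environmentFile` description in the first monero.nix hunk never says where the secret file should live or who needs to be able to read it, although the option is typed `lib.types.path`. A Nix path literal (as opposed to a string like the one in `example`) may end up copied into the world-readable Nix store, which would defeat the purpose of the option, so the description should say so. I would append a sentence such as `The file should be given as a string path outside the Nix store and should not be readable by unprivileged users.` It would also help to mention that the substituted config is written to `monerod.conf` under `dataDir`. The surrounding option set starts and ends outside the hunk.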
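Review bot: The added `preStart` in the second monero.nix hunk runs `envsubst` over the whole generated config on every start, even when `cfg.environmentFile` is null, and with no limit on which variables are expanded. Any `$NAME` sequence already present in a user's settings (for example in `extraConfig`) would now be rewritten, and a placeholder whose variable is missing from the environment file is presumably replaced by an empty string with no error, leaving the daemon running with a blank value. Passing `-no-unset`, i.e. `${pkgs.envsubst}/bin/envsubst -no-unset \`, would make a missing variable fail the unit instead. The release note should also state that `$` in the generated config is now subject to substitution. The `serviceConfig` attribute set continues outside the hunk.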