nixos/scrutiny: use genJqSecretsReplacementSnippet

nixos/modules/services/monitoring/scrutiny.nix

@@ -1,10 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, utils, ... }:
 let
   inherit (lib) maintainers;
   inherit (lib.meta) getExe;
   inherit (lib.modules) mkIf mkMerge;
   inherit (lib.options) literalExpression mkEnableOption mkOption mkPackageOption;
   inherit (lib.types) bool enum nullOr port str submodule;
+  inherit (utils) genJqSecretsReplacementSnippet;
 
   cfg = config.services.scrutiny;
   # Define the settings format used for this program
@@ -36,6 +37,11 @@ in
           Scrutiny settings to be rendered into the configuration file.
 
           See <https://github.com/AnalogJ/scrutiny/blob/master/example.scrutiny.yaml>.
+
+          Options containing secret data should be set to an attribute set
+          containing the attribute `_secret`. This attribute should be a string
+          or structured JSON with `quote = false;`, pointing to a file that
+          contains the value the option should be set to.
         '';
         default = { };
         type = submodule {
@@ -130,6 +136,11 @@ in
             Collector settings to be rendered into the collector configuration file.
 
             See <https://github.com/AnalogJ/scrutiny/blob/master/example.collector.yaml>.
+
+            Options containing secret data should be set to an attribute set
+            containing the attribute `_secret`. This attribute should be a string
+            or structured JSON with `quote = false;`, pointing to a file that
+            contains the value the option should be set to.
           '';
           default = { };
           type = submodule {
@@ -177,6 +188,9 @@ in
           SCRUTINY_WEB_DATABASE_LOCATION = "/var/lib/scrutiny/scrutiny.db";
           SCRUTINY_WEB_SRC_FRONTEND_PATH = "${cfg.package}/share/scrutiny";
         };
+        preStart = ''
+          ${genJqSecretsReplacementSnippet cfg.settings "/run/scrutiny/config.yaml"}
+        '';
         postStart = ''
           for i in $(seq 300); do
               if "${lib.getExe pkgs.curl}" --fail --silent --head "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}" >/dev/null; then
@@ -191,8 +205,10 @@ in
         '';
         serviceConfig = {
           DynamicUser = true;
-          ExecStart = "${getExe cfg.package} start --config ${settingsFormat.generate "scrutiny.yaml" cfg.settings}";
+          ExecStart = "${getExe cfg.package} start --config /run/scrutiny/config.yaml";
           Restart = "always";
+          RuntimeDirectory = "scrutiny";
+          RuntimeDirectoryMode = "0700";
           StateDirectory = "scrutiny";
           StateDirectoryMode = "0750";
         };
@@ -216,9 +232,14 @@ in
             COLLECTOR_VERSION = "1";
             COLLECTOR_API_ENDPOINT = cfg.collector.settings.api.endpoint;
           };
+          preStart = ''
+            ${genJqSecretsReplacementSnippet cfg.collector.settings "/run/scrutiny-collector/config.yaml"}
+          '';
           serviceConfig = {
             Type = "oneshot";
-            ExecStart = "${getExe cfg.collector.package} run --config ${settingsFormat.generate "scrutiny-collector.yaml" cfg.collector.settings}";
+            ExecStart = "${getExe cfg.collector.package} run --config /run/scrutiny-collector/config.yaml";
+            RuntimeDirectory = "scrutiny-collector";
+            RuntimeDirectoryMode = "0700";
           };
           startAt = cfg.collector.schedule;
         };