nixos/victoriametrics: Add ability to pass basicAuthPasswordFile

NixOS · Jan 4, 2025 · 1b51a68 · 1b51a68
1 parent cb8c948
commit 1b51a68
Showing 1 changed file with 22 additions and 2 deletions.
diff --git a/nixos/modules/services/databases/victoriametrics.nix b/nixos/modules/services/databases/victoriametrics.nix
@@ -71,6 +71,22 @@ in
       '';
     };
 
+    basicAuthUsername = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.str;
+      description = ''
+        Basic Auth username used to protect VictoriaMetrics instance by authorization
+      '';
+    };
+
+    basicAuthPasswordFile = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.str;
+      description = ''
+        File that contains the Basic Auth password used to protect VictoriaMetrics instance by authorization
+      '';
+    };
+
     prometheusConfig = lib.mkOption {
       type = lib.types.submodule { freeformType = settingsFormat.type; };
       default = { };
@@ -116,8 +132,6 @@ in
       default = [ ];
       example = literalExpression ''
         [
-          "-httpAuth.username=username"
-          "-httpAuth.password=file:///abs/path/to/file"
           "-loggerLevel=WARN"
         ]
       '';
@@ -140,9 +154,15 @@ in
         ExecStart = lib.escapeShellArgs (
           startCLIList
           ++ lib.optionals (cfg.prometheusConfig != { }) [ "-promscrape.config=${prometheusConfigYml}" ]
+          ++ lib.optional (cfg.basicAuthUsername != null) "-httpAuth.username=${cfg.basicAuthUsername}"
+          ++ lib.optional (cfg.basicAuthPasswordFile != null) "-httpAuth.password=file://\${CREDENTIALS_DIRECTORY}/basic_auth_password"
         );
 
         DynamicUser = true;
+        LoadCredential = lib.optional (cfg.basicAuthPasswordFile != null) [
+          "basic_auth_password:${cfg.basicAuthPasswordFile}"
+        ];
+
         RestartSec = 1;
         Restart = "on-failure";
         RuntimeDirectory = "victoriametrics";