allow specifying access key for backing up private demos

nix/module.nix

@@ -36,6 +36,10 @@ in {
       default = "*:0/10";
       description = "Interval to run the service";
     };
+    keyFile = mkOption {
+      type = types.nullOr types.str;
+      description = "access key file path";
+    };
 
     package = mkOption {
       type = types.package;
@@ -48,15 +52,24 @@ in {
     systemd.services.demostf-backup = {
       description = "Backup demos for demos.tf";
 
-      environment = {
-        STORAGE_ROOT = cfg.target;
-        SOURCE = cfg.api;
-        STATE_FILE = cfg.stateFile;
-        RUST_LOG = cfg.logLevel;
-      };
+      environment =
+        {
+          STORAGE_ROOT = cfg.target;
+          SOURCE = cfg.api;
+          STATE_FILE = cfg.stateFile;
+          RUST_LOG = cfg.logLevel;
+        }
+        // optionalAttrs (cfg.keyFile != null) {
+          ACCESS_KEY_FILE = "$CREDENTIALS_DIRECTORY/api_key";
+        };
 
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/demostf-backup";
+
+        LoadCredential = optionals (cfg.keyFile != null) [
+          "api_key:${cfg.keyFile}"
+        ];
+
         ReadWritePaths = [cfg.target cfg.stateFile];
         Restart = "on-failure";
         User = cfg.user;