load token from systemd credentials

2026-06-03 14:24:08 +02:00 · 2024-03-02 21:35:18 +01:00 · 2024-03-02 21:35:18 +01:00 · 528b1721ba
commit 528b1721ba
parent add6c01829
4 changed files with 22 additions and 12 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -647,6 +647,15 @@ dependencies = [
 "untrusted",
 ]

+[[package]]
+name = "secretfile"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "746c54b939ab8d393b536765393c0bd7634fca94eed62321ec3e3559293f6c21"
+dependencies = [
+ "thiserror",
+]
+
 [[package]]
 name = "security-framework"
 version = "2.9.2"
@ -778,6 +787,7 @@ dependencies = [
 "clap",
 "hex_fmt",
 "md-5",
+ "secretfile",
 "serde",
 "tasmota-mqtt-client",
 "tokio",
@ -807,18 +817,18 @@ dependencies = [

 [[package]]
 name = "thiserror"
-version = "1.0.56"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d54378c645627613241d077a3a79db965db602882668f9136ac42af9ecb730ad"
+checksum = "1e45bcbe8ed29775f228095caf2cd67af7a4ccf756ebff23a306bf3e8b47b24b"
 dependencies = [
 "thiserror-impl",
 ]

 [[package]]
 name = "thiserror-impl"
-version = "1.0.56"
+version = "1.0.57"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa0faa943b50f3db30a20aa7e265dbc66076993efed8463e8de414e5d06d3471"
+checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81"
 dependencies = [
 "proc-macro2",
 "quote",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -16,3 +16,4 @@ md-5 = "0.10.6"
 tracing = "0.1.40"
 tracing-subscriber = "0.3.18"
 hex_fmt = "0.3.0"
+secretfile = "0.1.0"
--- a/module.nix
+++ b/module.nix
@ -10,7 +10,7 @@ with lib; let
    output.target = cfg.outputPath;
    mqtt = {
      inherit (cfg.mqtt) hostname port username;
-      "password-file" = cfg.mqtt.passwordFile;
+      "password-file" = "$CREDENTIALS_DIRECTORY/mqtt_password";
    };
    device."password-file" = cfg.devicePasswordFile;
  };
@ -73,6 +73,9 @@ in {

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/tasmota-backup ${configFile}";
+        LoadCredential = [
+          "mqtt_password:${cfg.mqtt.passwordFile}"
+        ];
        ReadWritePaths = [cfg.outputPath];
        Restart = "on-failure";
        DynamicUser = true;
--- a/src/config.rs
+++ b/src/config.rs
@ -1,4 +1,5 @@
 use anyhow::{Context, Result};
+use secretfile::load;
 use serde::Deserialize;
 use std::fs::read_to_string;
 use std::path::{Path, PathBuf};
@ -85,12 +86,7 @@ impl PasswordConfig {
    pub fn get(&self) -> Result<String> {
        match self {
            PasswordConfig::Raw { password } => Ok(password.clone()),
-            PasswordConfig::File { password_file } => {
-                let mut content = read_to_string(password_file)
-                    .with_context(|| format!("Failed to read password from {password_file}"))?;
-                content.truncate(content.trim_end().len());
-                Ok(content)
-            }
+            PasswordConfig::File { password_file } => Ok(load(password_file)?),
        }
    }
 }