Open tbaumann opened 4 months ago
For anyone looking for a workaround:

```nix
{ config, pkgs, ... }:
{
  services.openvpn.servers = {
    foobar = {
      # Both the real .ovpn and the credentials file are agenix secrets:
      # they are decrypted at activation time, stay out of the Nix store,
      # and OpenVPN reads them at runtime through the `config` and
      # `auth-user-pass` directives.
      config = ''
        config ${config.age.secrets.foobar-ovpn.path}
        auth-user-pass ${config.age.secrets.foobar-auth-user-pass.path}
      '';
      updateResolvConf = false;
      # Uncomment these two lines if you can't use the line at the bottom
      # because you don't have the update-systemd-resolved flake; they use
      # the script packaged in nixpkgs instead.
      # up = "${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved";
      # down = "${pkgs.update-systemd-resolved}/libexec/openvpn/update-systemd-resolved";
    };
  };

  # Option from the update-systemd-resolved flake's NixOS module; the
  # server name here has to match the one under services.openvpn.servers.
  programs.update-systemd-resolved.servers.foobar.includeAutomatically = true;
}
```
sub-issue as you can see above. OpenVPN doesn't use update-systemd-resolved when updateResolvConf is used, which I think is the default in NixOS, or at least very common.
is very useful. But it's also quite a bad pattern because it exposes the password in the clear in the config and in the Nix store.
Most NixOS users use agenix for this purpose. But using strings is still a total antipattern and not compatible with agenix best practices.
It would be best if services.openvpn.servers.<name>.authUserPass could also be of type path, pointing to a local file (outside of the Nix store!) that is used at runtime.

bad

good
Expected behavior
Allow paths for authUserPass.

Notify maintainers
@viric @peterhoeg
Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.
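The two forms the issue contrasts, shown side by side as an added example that is not code from the issue, from nixpkgs or from agenix. The nixpkgs option names (`services.openvpn.servers.<name>.config` and `.authUserPass.{username,password}`) and the agenix options (`age.secrets.<name>.{file,mode,owner,path}`) are real; the secret name `foobar-auth-user-pass` is reused from the workaround above; the `.ovpn` paths, the `.age` file location and the `alice`/`hunter2` credentials are constructed placeholders.

```nix
# Added example (not from the issue or nixpkgs): string-typed authUserPass
# beside the path-based form. Assumes agenix manages the secret
# `foobar-auth-user-pass` and that the decrypted file has OpenVPN's
# two-line auth-user-pass layout:
#   <username>
#   <password>
{ config, ... }:
{
  # BAD: the username and password are part of the Nix expression. The
  # nixpkgs module writes them to a credentials file in the world-readable
  # Nix store and points the generated config at it with `auth-user-pass`,
  # so the secret is readable by every local user and travels with the
  # system closure (old generations, binary caches, `nix copy`).
  services.openvpn.servers.bad = {
    config = "config /etc/openvpn/bad.ovpn";   # placeholder .ovpn location
    authUserPass = {
      username = "alice";                       # constructed placeholder
      password = "hunter2";                     # ends up under /nix/store
    };
  };

  # GOOD: only a path is in the store. The credentials are decrypted to a
  # root-only file at activation time and read by OpenVPN at runtime.
  age.secrets.foobar-auth-user-pass = {
    file = ./secrets/foobar-auth-user-pass.age; # encrypted blob; safe to commit
    mode = "0400";
    owner = "root";
  };
  services.openvpn.servers.good = {
    config = ''
      config /etc/openvpn/good.ovpn
      auth-user-pass ${config.age.secrets.foobar-auth-user-pass.path}
    '';
  };
}
```

A quick check for whether a credential has already leaked into the store is to search the running system's closure for it, e.g. `nix-store -q --requisites /run/current-system | xargs grep -rl hunter2`; any path it prints is a store path readable by every user on the machine, and rotating that password is the only real fix, since old generations and any cache the closure was pushed to keep a copy.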