zhaofengli / attic

Multi-tenant Nix Binary Cache
https://docs.attic.rs

`ATTIC_SERVER_DATABASE_URL` is ignored when using from flake #152

Open ajgon opened 1 month ago

ajgon commented 1 month ago

So, my use case is basically to avoid exposing a secret (postgres password) anywhere in repository or nix store. To do so, I'm leveraging sops-nix files with secrets. Here is the part of my config:

{ config, ... }:
{
  sops = {
    secrets = {
      "attic/server/credentials" = {
        restartUnits = [ "atticd.service" ];
      };
    };
  };

  services.atticd = {
    enable = true;

    credentialsFile = config.sops.secrets."attic/server/credentials".path;

    settings = ... my settings ...
  };
}

and in sops attic/server/credentials:

ATTIC_SERVER_DATABASE_URL="postgresql://postgres:<password which I want to keep secret>@localhost:5432/attic"
ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="..."
AWS_ACCESS_KEY_ID="..."
AWS_SECRET_ACCESS_KEY="..."

So far so good: the credentials file is generated properly and loaded as an environment file. But atticd still uses sqlite as its DB. My assumption is that this is because nix sets a default in settings here: https://github.com/zhaofengli/attic/blob/main/nixos/atticd.nix#L174 and the env var has lower priority.

As a workaround I tried to use configFile and pass the full config from sops there, but because checkedConfigFile evaluates too early, the sops secret is not there yet.

Is there any way to pass the postgres password without exposing it? Also I think that the env var being effectively ignored is a bug, and it should take priority if set.

ajgon commented 1 month ago

Ok, there "is" a workaround, by using the sqlx env vars as described here: https://docs.rs/sqlx/latest/sqlx/postgres/struct.PgConnectOptions.html#impl-PgConnectOptions .

So by setting:

{
  services.atticd.database.url = "postgresql://postgres@localhost:5432/attic";
}

and then adding PGPASSWORD=mypostgrespassword to the credentials file, I managed to make it work. Still, I think it's a hack and not a proper solution to the problem :)
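The workaround from the comment above, written out as one complete NixOS module. This is an added example, not code from the issue or from the attic project. It assumes that the database URL is set under `services.atticd.settings` (the first comment's config keeps the other options there and points at the sqlite default in settings); the sops secret name and the Postgres host are placeholders.

```nix
# Added example: password-less database URL in the (world-readable) Nix store,
# password delivered only through the sops-managed environment file.
{ config, ... }:
{
  sops.secrets."attic/server/credentials" = {
    # Restart atticd whenever the decrypted secret changes.
    restartUnits = [ "atticd.service" ];
  };

  services.atticd = {
    enable = true;

    # Used as the EnvironmentFile of atticd.service. sops-nix decrypts it at
    # activation time, so its contents never enter /nix/store.
    credentialsFile = config.sops.secrets."attic/server/credentials".path;

    settings = {
      # Assumption: database.url lives under settings. Setting it explicitly
      # overrides the module's sqlite default. Deliberately no password here:
      # everything in settings ends up in a store path readable by every user.
      database.url = "postgresql://postgres@localhost:5432/attic";
    };
  };
}

# Constructed contents of the sops-managed credentials file (decrypted at
# runtime to the path above). sqlx's PgConnectOptions reads PGPASSWORD from
# the environment and uses it for the password-less URL in settings.
#
#   PGPASSWORD=<postgres password>
#   ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64=<base64 secret>
#   AWS_ACCESS_KEY_ID=<key id>
#   AWS_SECRET_ACCESS_KEY=<secret key>
```

The split matters because the two channels have different exposure: anything under `settings` is rendered into a store path that any local user can read, while the environment file is only readable by the service at runtime. After a rebuild, the rendered atticd config in the store should contain only the password-less `postgresql://postgres@localhost:5432/attic` URL, and the password should appear nowhere outside the decrypted sops file.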

DaRacci commented 1 month ago

Thanks for documenting this workaround; it seems like the issue is because of the hardcoded default url for an sqlite db.