| author | Maximilian Bosch <maximilian@mbosch.me> | 2022-07-14 23:42:18 +0200 |
|---|---|---|
| committer | Maximilian Bosch <maximilian@mbosch.me> | 2022-07-14 23:51:17 +0200 |
| commit | bccaac95357abafe114ee20a39a5d9c91253d5bc (patch) | |
| tree | 41a81a2cfb24636e5d3f5f7d58e388bef1130500 /pkgs/development/python-modules/rangehttpserver | |
| parent | 2354076f8198f2989a3bbb4003ff150ede066df2 (diff) | |
nixos/privacyidea: better secret-handling ldap-proxy & RFC42-style settings for ldap-proxy

Instead of hard-coding a single `configFile` for
`privacyidea-ldap-proxy.service` which is pretty unmergeable with other
declarations it now uses an RFC42-like approach. Also to make sure that
secrets can be handled properly without ending up in the Nix store, it's
possible to inject secrets via envsubst

    {
      services.privacyidea.ldap-proxy = {
        enable = true;
        environmentFile = "/run/secrets/ldap-pw";
        settings = {
          privacyidea.instance = "privacyidea.example.org";
          service-account = {
            dn = "uid=readonly,ou=serviceaccounts,dc=example,dc=org";
            password = "$LDAP_PW";
          };
        };
      };
    }

and the following secret file (at `/run/secrets`):

    LDAP_PW=<super-secret ldap pw>

For backwards-compat the old `configFile`-option is kept, but it throws
a deprecation warning and is mutually exclusive with the
`settings`-attrset. Also, it doesn't support secrets injection with
`envsubst` & `environmentFile`.

Diffstat (limited to 'pkgs/development/python-modules/rangehttpserver')
0 files changed, 0 insertions, 0 deletions
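
A pre-flight check for the substitution pattern the commit message describes, as an added example that is not part of the commit or the NixOS module: `envsubst` replaces an unset variable with an empty string, so a placeholder missing from the secret file would silently render an empty password. The function names, the `BIND_PW` placeholder and the sample files are hypothetical.

```shell
#!/bin/sh
# Added illustration: pre-flight check before an envsubst render.
# Helper names and sample files are hypothetical, not the NixOS module's code.

# placeholders TEMPLATE: print each distinct $NAME or ${NAME}, one per line.
placeholders() {
    grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' "$1" | tr -d '${}' | sort -u
}

# missing_secrets TEMPLATE ENVFILE: print placeholders that have no non-empty
# NAME=VALUE line in ENVFILE; envsubst would render each of these as "".
missing_secrets() {
    for name in $(placeholders "$1"); do
        grep -qE "^${name}=.+" "$2" || echo "$name"
    done
}

# check_render_inputs TEMPLATE ENVFILE: return 1 if a placeholder is undefined
# or if ENVFILE grants any permission to group or others.
check_render_inputs() {
    missing=$(missing_secrets "$1" "$2")
    [ -z "$missing" ] || { echo "undefined: $missing" >&2; return 1; }
    [ "$(ls -ld "$2" | cut -c5-10)" = "------" ] ||
        { echo "$2: readable beyond its owner" >&2; return 1; }
}

# Constructed sample input: the template stands in for the world-readable
# generated config, the env file for the secret file kept outside the store.
# BIND_PW is a made-up second placeholder that the env file does not define.
demo_dir=$(mktemp -d)
printf '[service-account]\npassword = $LDAP_PW\nextra = ${BIND_PW}\n' \
    > "$demo_dir/template"
( umask 077; printf 'LDAP_PW=constructed-sample\n' > "$demo_dir/env" )
missing_secrets "$demo_dir/template" "$demo_dir/env"
```

Running such a check before the render step turns a typo in a placeholder name into a startup failure rather than a service that binds with an empty credential.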
