
nixos/cloudflared: allow systemd credentials as relative paths#511198

Open
sepointon wants to merge 1 commit into NixOS:master from sepointon:push-ryrlkrrnvopr

@sepointon
Contributor

Previously, credentialsFile had to be absolute. This made using systemd credentials annoying, as credential names aren't absolute. This made passing the cloudflared credential around as a systemd credential somewhat annoying, which is painful because systemd credentials are great for plumbing secrets around systemd containers.

Allowing systemd credential names actually requires no config changes, only options schema changes: LoadCredential looks up non-absolute paths relative to the credential search path, so the right thing will happen just by allowing paths to be relative.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.
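
A small model of the lookup the description above relies on, added here as an illustration (it is not code from this PR, the cloudflared module, or systemd). The credstore directory list, the name-validity rule and the credential name `cloudflared-tunnel` are assumptions based on systemd's documented behaviour and may differ between systemd versions.

```python
import os
import tempfile

# Assumption: store directories as listed in systemd.exec(5); set and order vary by version.
CREDSTORE_DIRS = ("/etc/credstore", "/run/credstore", "/usr/lib/credstore")


def is_credential_name(value: str) -> bool:
    """Approximation (assumed) of systemd's credential-name rule: a single
    printable-ASCII path component that contains no ':'."""
    if not value or value in (".", "..") or len(value) > 255:
        return False
    return all(" " <= ch <= "~" and ch not in "/:" for ch in value)


def resolve_credential_source(value, inherited=(), store_dirs=CREDSTORE_DIRS):
    """Return (kind, location) for the source part of LoadCredential=ID:SOURCE."""
    if os.path.isabs(value):
        return ("file", value)  # absolute path: read as given
    if not is_credential_name(value):
        # e.g. "../secret" or "dir/name": neither absolute nor a plain name
        raise ValueError(f"not an absolute path or credential name: {value!r}")
    if value in inherited:
        return ("inherited", value)  # credential passed to the service manager itself
    for directory in store_dirs:
        candidate = os.path.join(directory, value)
        if os.path.isfile(candidate):
            return ("credstore", candidate)
    return ("missing", None)  # not found in any searched location


def demo():
    """Constructed sample: a temporary directory stands in for a credstore."""
    with tempfile.TemporaryDirectory() as store:
        with open(os.path.join(store, "cloudflared-tunnel"), "w") as fh:
            fh.write("{}")  # placeholder content, not a real tunnel credential
        return [
            resolve_credential_source("/var/lib/secrets/tunnel.json"),
            resolve_credential_source("cloudflared-tunnel", inherited={"cloudflared-tunnel"}),
            resolve_credential_source("cloudflared-tunnel", store_dirs=(store,))[0],
            resolve_credential_source("absent", store_dirs=(store,)),
        ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The `ValueError` branch is the case an options schema has to keep rejecting once relative values are allowed: a value such as `../secret` is neither an absolute path nor a credential name.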

@nixpkgs-ci nixpkgs-ci bot requested review from anpin and bbigras April 18, 2026 18:15
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 18, 2026