I am currently trying to write my first NixOS service for the protonmail-bridge package. Because the program is quite monolithic, I am having trouble deciding how to approach it.
This is what I have so far:

```nix
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.protonmail-bridge;
in
{
  ##### interface
  options = {
    services.protonmail-bridge = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to enable the Bridge.";
      };

      user = mkOption {
        type = types.str;
        description = "The user which should run the bridge";
      };

      nonInteractive = mkOption {
        type = types.bool;
        default = false;
        description = "Start Bridge entirely noninteractively";
      };

      logLevel = mkOption {
        type = types.enum [ "panic" "fatal" "error" "warn" "info" "debug" "debug-client" "debug-server" ];
        default = "info";
        description = "The log level";
      };

      trustCertificate = mkOption {
        type = types.bool;
        default = true;
        description = "Trust the self-signed certificate generated by the Bridge";
      };
    };
  };

  ##### implementation
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.protonmail-bridge ];

    systemd.services.protonmail-bridge = {
      description = "Protonmail Bridge";
      after = [ "network.target" ];
      wantedBy = [ "default.target" ];
      path = [ pkgs.pass ];
      serviceConfig = {
        User = cfg.user;
        Restart = "always";
        ExecStart = "${pkgs.protonmail-bridge}/bin/protonmail-bridge --no-window --log-level ${cfg.logLevel}"
          + optionalString cfg.nonInteractive " --noninteractive";
      };
    };
  };
}
```
There are several challenges I am facing:
- The protonmail bridge stores credentials using pass or gnome-keyring. Because these are usually stored in the user’s personal keyring, how do we express this in the service description?
- How do you deal with the fact that the protonmail bridge generates a self-signed certificate that must be trusted by the system for it to be usable in MUAs? I currently copy the certificate manually after it is generated and trust it by adding it to `security.pki.certificates`.
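One way to wire the two open questions into the module itself, as an added example that is not the poster's code: the `passwordStoreDir` and `certificateFile` options are assumptions introduced here (they do not exist in the post or in nixpkgs), `pass` is pointed at the user's store through the `PASSWORD_STORE_DIR` environment variable it honours, and `trustCertificate` is made to do something by adding exactly one file to `security.pki.certificateFiles` instead of pasting the PEM into the configuration by hand. The systemd hardening directives are the usual set for a network-facing service that only needs its own home directory; the command-line flags are the ones from the original post.

```nix
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.protonmail-bridge;
  home = "/home/${cfg.user}"; # assumption: the user's home lives under /home
in
{
  options.services.protonmail-bridge = {
    enable = mkEnableOption "the Proton Mail Bridge";

    user = mkOption {
      type = types.str;
      description = "User the bridge runs as; its pass store holds the credentials.";
    };

    nonInteractive = mkOption {
      type = types.bool;
      default = false;
      description = "Start the bridge entirely noninteractively.";
    };

    logLevel = mkOption {
      type = types.enum [ "panic" "fatal" "error" "warn" "info" "debug" "debug-client" "debug-server" ];
      default = "info";
      description = "The log level.";
    };

    # Assumed option (not in the original post): where pass keeps its store.
    passwordStoreDir = mkOption {
      type = types.str;
      default = "${home}/.password-store";
      description = "Directory handed to pass via PASSWORD_STORE_DIR.";
    };

    # Assumed option (not in the original post): the bridge's own certificate,
    # exported once the bridge has generated it.
    certificateFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "PEM certificate generated by the bridge, added to the system trust store.";
    };

    trustCertificate = mkOption {
      type = types.bool;
      default = true;
      description = "Trust the self-signed certificate generated by the bridge.";
    };
  };

  config = mkIf cfg.enable {
    # Fail evaluation early instead of silently trusting nothing.
    assertions = [{
      assertion = cfg.trustCertificate -> cfg.certificateFile != null;
      message = "services.protonmail-bridge.certificateFile must be set when trustCertificate = true";
    }];

    # Only this one file is added to the trust store; nothing else gains trust.
    security.pki.certificateFiles =
      mkIf (cfg.trustCertificate && cfg.certificateFile != null) [ cfg.certificateFile ];

    environment.systemPackages = [ pkgs.protonmail-bridge ];

    systemd.services.protonmail-bridge = {
      description = "Proton Mail Bridge";
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ]; # system service, so not default.target
      # pass needs gpg to decrypt entries; both must be on PATH for the bridge.
      path = [ pkgs.pass pkgs.gnupg ];
      environment = {
        HOME = home;
        PASSWORD_STORE_DIR = cfg.passwordStoreDir;
      };
      serviceConfig = {
        User = cfg.user;
        Restart = "on-failure";
        ExecStart = "${pkgs.protonmail-bridge}/bin/protonmail-bridge --no-window --log-level ${cfg.logLevel}"
          + optionalString cfg.nonInteractive " --noninteractive";

        # Hardening: read-only system, writable only inside the user's home,
        # no privilege escalation, and only the socket families the bridge uses.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ home ];
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      };
    };
  };
}
```

Two caveats worth keeping in mind with this layout. First, a service started from `multi-user.target` has no interactive pinentry, so the GPG key that protects the pass store must be usable without a prompt; at that point the credentials are protected only as well as the key file's permissions and the `ReadWritePaths` boundary, which is why the unit keeps `ProtectSystem = "strict"` and restricts writes to the one home directory. Second, `security.pki.certificateFiles` makes the bridge's certificate trusted system-wide, not just by the MUA; keeping the option scoped to a single explicit file (and asserting on it) avoids the manual copy step while making it obvious in the configuration exactly what was added to the trust store.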