bitwarden: brought in line with the nixpkgs again.

applications/bitwarden/_bitwarden_sync_module.nix

@@ -46,12 +46,6 @@ in {
       description = lib.mdDoc "Folder to store the config file.";
       default = "/etc/bitwarden/bwdc";
     };
-
-    pw_env = mkOption {
-      type = types.str;
-      description = lib.mdDoc "The ENV var that the ldap password is stored.";
-      default = "LDAP_PW";
-    };
     interval = mkOption {
       type = types.str;
       default = "*:0,15,30,45";
@@ -229,14 +223,20 @@ in {
       };
     };
 
-    env = {
+    secrets = {
       ldap = mkOption rec {
         type = types.str;
         description = "Auth for the LDAP, has value defined in {option}`pw_env";
       };
-      bitwarden = mkOption rec {
-        type = types.str;
-        description = "Auth for Bitwarden, has BW_CLIENTID and BW_CLIENTSECRET";
+      bitwarden = {
+        client_path_id = mkOption rec {
+          type = types.str;
+          description = "Path to file that contains Client ID.";
+        };
+        client_path_secret = mkOption rec {
+          type = types.str;
+          description = "Path to file that contains Client Secret.";
+        };
       };
     };
   };
@@ -290,6 +290,8 @@ in {
             ${cfg.package}/bin/${cfg.binary_name} config server ${cfg.domain}
 
             # now login to set credentials
+            export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
+            export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
             ${cfg.package}/bin/${cfg.binary_name} login
 
             jq '.authenticatedAccounts[0] as $account
@@ -306,7 +308,7 @@ in {
 
             # final config
             ${cfg.package}/bin/${cfg.binary_name} config directory 0
-            ${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretenv ${cfg.pw_env}
+            ${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretfile ${cfg.secrets.ldap}
           '';
 
           ExecStart = "${cfg.package}/bin/${cfg.binary_name} sync";
@@ -314,11 +316,6 @@ in {
           ExecStartPost = pkgs.writeShellScript "bitwarden_directory_connector-cleanup" ''
             rm -f -- ${escapeShellArg cfg.directory}/data.json
           '';
-
-          EnvironmentFile = [
-            "${cfg.env.ldap}"
-            "${cfg.env.bitwarden}"
-          ];
         };
       };
     };

applications/bitwarden/bitwarden_sync.nix

@@ -4,6 +4,7 @@
   lib,
   ...
 }: let
+  user = "bwdc";
 in {
   imports = [
     ./_bitwarden_sync_module.nix
@@ -12,18 +13,31 @@ in {
   options = {};
 
   config = {
-    age.secrets.bitwarden_sync_api.file = ../../secrets/bitwarden/api.age;
-    age.secrets.bitwarden_sync_ldap.file = ../../secrets/ldap/details.age;
+    age.secrets.bitwarden_sync_id = {
+      file = ../../secrets/bitwarden/id.age;
+      owner = user;
+      group = user;
+    };
+    age.secrets.bitwarden_sync_secret = {
+      file = ../../secrets/bitwarden/secret.age;
+      owner = user;
+      group = user;
+    };
+    age.secrets.bitwarden_sync_ldap = {
+      file = ../../secrets/ldap/pw.age;
+      owner = user;
+      group = user;
+    };
 
     services.bitwarden_directory_connector = {
       enable = true;
 
+      user = user;
+
       domain = "https://pw.skynet.ie";
 
       package = pkgs.callPackage ./_bitwarden-directory-connector.nix {};
 
-      pw_env = "LDAP_ADMIN_PW";
-
       ldap = {
         ssl = false;
         startTls = false;
@@ -54,9 +68,12 @@ in {
         groupNameAttribute = "cn";
       };
 
-      env = {
-        bitwarden = config.age.secrets.bitwarden_sync_api.path;
+      secrets = {
         ldap = config.age.secrets.bitwarden_sync_ldap.path;
+        bitwarden = {
+          client_path_id = config.age.secrets.bitwarden_sync_id.path;
+          client_path_secret = config.age.secrets.bitwarden_sync_secret.path;
+        };
       };
     };
   };