opencode: add environmentFile option to set OPENCODE_SERVER_PASSWORD

This commit introduces a new option for the Opencode web service to allow configuring an environment file so that we can safely specify an `OPENCODE_SERVER_PASSWORD` environment variable to secure access to the service without exposing the secret to the Nix store.
2026-03-20 16:09:18 +01:00 · 2026-03-20 16:09:18 +01:00 · 6267895e98
commit 6267895e98
parent 51f49da12c
5 changed files with 102 additions and 5 deletions
--- a/modules/programs/opencode.nix
+++ b/modules/programs/opencode.nix
@ -115,6 +115,20 @@ in
          See <https://opencode.ai/docs/web/#config-file> for available options.
        '';
      };
+
+      environmentFile = mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        example = "/run/secrets/opencode-web";
+        description = ''
+          Path to a file containing environment variables for the opencode web
+          service, in the format of an EnvironmentFile as described by
+          {manpage}`systemd.exec(5)` (i.e. `KEY=VALUE` pairs, one per line).
+
+          This is the recommended way to set `OPENCODE_SERVER_PASSWORD` without
+          exposing the secret value in the Nix store.
+        '';
+      };
    };

    rules = lib.mkOption {
@ -501,6 +515,9 @@ in
          ExecStart = "${lib.getExe cfg.package} serve ${lib.escapeShellArgs webCfg.extraArgs}";
          Restart = "always";
          RestartSec = 5;
+        }
+        // lib.optionalAttrs (webCfg.environmentFile != null) {
+          EnvironmentFile = webCfg.environmentFile;
        };

        Install = {
@ -513,11 +530,24 @@ in
      opencode-web = {
        enable = true;
        config = {
-          ProgramArguments = [
-            (lib.getExe cfg.package)
-            "serve"
-          ]
-          ++ webCfg.extraArgs;
+          ProgramArguments =
+            let
+              programArguments = [
+                (lib.getExe cfg.package)
+                "serve"
+              ]
+              ++ webCfg.extraArgs;
+              opencodeLaunchdWrapper = pkgs.writeShellScriptBin "opencode-launchd-wrapper" ''
+                source ${webCfg.environmentFile}
+                ${lib.escapeShellArgs programArguments}
+              '';
+            in
+            if webCfg.environmentFile == null then
+              programArguments
+            else
+              [
+                (lib.getExe opencodeLaunchdWrapper)
+              ];
          KeepAlive = {
            Crashed = true;
            SuccessfulExit = false;