opencode: add environmentFile option to set OPENCODE_SERVER_PASSWORD

This commit introduces a new option for the Opencode web service to allow configuring an environment file so that we can safely specify an `OPENCODE_SERVER_PASSWORD` environment variable to secure access to the service without exposing the secret to the Nix store.
2026-03-20 16:09:18 +01:00 · 2026-03-20 16:09:18 +01:00 · 6267895e98
commit 6267895e98
parent 51f49da12c
5 changed files with 102 additions and 5 deletions
--- a/tests/modules/programs/opencode/default.nix
+++ b/tests/modules/programs/opencode/default.nix
@ -25,4 +25,5 @@
  opencode-mcp-integration = ./mcp-integration.nix;
  opencode-mcp-integration-with-override = ./mcp-integration-with-override.nix;
  opencode-web-service = ./web-service.nix;
+  opencode-web-service-environment-file = ./web-service-environment-file.nix;
 }
--- a/tests/modules/programs/opencode/web-service-environment-file.nix
+++ b/tests/modules/programs/opencode/web-service-environment-file.nix
@ -0,0 +1,29 @@
+{
+  pkgs,
+  ...
+}:
+{
+  programs.opencode = {
+    enable = true;
+
+    web = {
+      enable = true;
+      environmentFile = "/run/secrets/opencode";
+    };
+  };
+
+  nmt.script =
+    if pkgs.stdenv.hostPlatform.isDarwin then
+      ''
+        serviceFile=LaunchAgents/org.nix-community.home.opencode-web.plist
+        assertFileExists "$serviceFile"
+        serviceFileNormalized="$(normalizeStorePaths "$serviceFile")"
+        assertFileContent "$serviceFileNormalized" ${./web-service-environment-file.plist}
+      ''
+    else
+      ''
+        serviceFile=home-files/.config/systemd/user/opencode-web.service
+        assertFileExists "$serviceFile"
+        assertFileContent "$serviceFile" ${./web-service-environment-file.service}
+      '';
+}
--- a/tests/modules/programs/opencode/web-service-environment-file.plist
+++ b/tests/modules/programs/opencode/web-service-environment-file.plist
@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>KeepAlive</key>
+	<dict>
+		<key>Crashed</key>
+		<true/>
+		<key>SuccessfulExit</key>
+		<false/>
+	</dict>
+	<key>Label</key>
+	<string>org.nix-community.home.opencode-web</string>
+	<key>ProcessType</key>
+	<string>Background</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/bin/sh</string>
+		<string>-c</string>
+		<string>/bin/wait4path /nix/store &amp;&amp; exec /nix/store/00000000000000000000000000000000-opencode-launchd-wrapper/bin/opencode-launchd-wrapper</string>
+	</array>
+	<key>RunAtLoad</key>
+	<true/>
+</dict>
+</plist>
--- a/tests/modules/programs/opencode/web-service-environment-file.service
+++ b/tests/modules/programs/opencode/web-service-environment-file.service
@ -0,0 +1,12 @@
+[Install]
+WantedBy=default.target
+
+[Service]
+EnvironmentFile=/run/secrets/opencode
+ExecStart=@opencode@/bin/opencode serve 
+Restart=always
+RestartSec=5
+
+[Unit]
+After=network.target
+Description=OpenCode Web Service