authorFuwn <[email protected]>2024-11-05 11:31:52 +0000
committerFuwn <[email protected]>2024-11-05 11:31:52 +0000
commite82543d5299b85110791a27f34149e8fdbc72bd7 (patch)
tree21373e914bec316e0db7592f9206bfd1e6f08e7d
parentfix(flake): correct environment packages (diff)
downloadpia.nix-e82543d5299b85110791a27f34149e8fdbc72bd7.tar.xz
pia.nix-e82543d5299b85110791a27f34149e8fdbc72bd7.zip
feat(flake): secrets file support
-rw-r--r--README.md6
-rw-r--r--flake.nix56
2 files changed, 43 insertions, 19 deletions
diff --git a/README.md b/README.md
index 3977d71..920b65a 100644
--- a/README.md
+++ b/README.md
@@ -28,8 +28,14 @@ attribute set.
```nix
{ config, ... }: {
services.pia.enable = true;
+
+ # Hardcoded username and password
services.pia.authUserPass.username = "hooty";
services.pia.authUserPass.password = "hunter42";
+
+ # Alternatively, you can use the `authUserPassFile` attribute if you are using
+ # a Nix secrets manager. Here's an example using sops-nix.
+ services.pia.authUserPassFile = config.sops.secrets.pia.path;
}
```
diff --git a/flake.nix b/flake.nix
index 1e64daf..4421245 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,24 +46,33 @@
nixosModules.default =
{ config, ... }:
{
- options.services.pia = {
- enable = lib.mkOption {
- default = false;
- type = lib.types.bool;
- };
-
- authUserPass = {
- username = lib.mkOption {
+ options.services.pia =
+ let
+ inherit (lib) mkOption;
+ in
+ {
+ enable = mkOption {
default = false;
- type = lib.types.str;
+ type = lib.types.bool;
};
- password = lib.mkOption {
- default = false;
- type = lib.types.str;
+ authUserPass = {
+ username = mkOption {
+ default = "";
+ type = lib.types.str;
+ };
+
+ password = mkOption {
+ default = "";
+ type = lib.types.str;
+ };
+ };
+
+ authUserPassFile = mkOption {
+ default = /dev/null;
+ type = lib.types.path;
};
};
- };
config = lib.mkIf config.services.pia.enable {
environment.systemPackages = [
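Review bot: The new `authUserPassFile` option (the `mkOption` block near the end of the hunk) uses the path literal `/dev/null` as its "unset" sentinel, which makes the hardcoded-vs-file decision depend on Nix type equality: a path literal compares equal to `/dev/null`, but the string `"/dev/null"` does not, and `lib.types.path` accepts both. Declaring it as `type = lib.types.nullOr lib.types.path;` with `default = null;`, and testing `pia.authUserPassFile == null` in the second hunk of this file, is the conventional NixOS idiom and removes that ambiguity. The option also has no `description`; a line such as `description = "Path to a file holding the PIA username and password (one per line), e.g. a sops-nix secret path. Use a string path, not a Nix path literal: a path literal is copied into the world-readable Nix store when interpolated into the OpenVPN config.";` would document both the expected format and the pitfall that the `${pia.authUserPassFile}` interpolation in the second hunk introduces. The surrounding `nixosModules.default` body continues past the end of this hunk.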
@@ -95,13 +104,22 @@
)
name;
- value = {
- inherit (config.services.pia) authUserPass;
+ value =
+ let
+ pia = config.services.pia;
+ hardcoded = pia.authUserPassFile == /dev/null;
+ in
+ {
+ authUserPass = if hardcoded then pia.authUserPass else null;
+ autoStart = false;
+ updateResolvConf = true;
- autoStart = false;
- config = "config ${resources}/${name}";
- updateResolvConf = true;
- };
+ config = ''
+ config ${resources}/${name}
+ auth-nocache
+ ${if hardcoded then "" else "auth-user-pass ${pia.authUserPassFile}"}
+ '';
+ };
})
(
builtins.filter (name: (builtins.match ".+ovpn$" name) != null) (