From 658fa7ff60ba9511b4040316d131b4adf06bc6be Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Thu, 20 Mar 2025 13:06:16 +0100
Subject: [PATCH] add TODO, reformat
---
 panel/nix/configuration.nix | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix
index 80a003a9..7b6f100e 100644
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@@ -56,12 +56,14 @@ let
 --property "User=${name}" \
 --property "Group=${name}" \
 --property "WorkingDirectory=/var/lib/${name}" \
- --property "Environment=DATABASE_URL=${database-url} USER_SETTINGS_FILE=${configFile} ''
- +
- # env vars mandatory in `settings.py` tho not used in `manage`
- ''
- NIX_BIN=${lib.getExe pkgs.nix} REPO_DIR=${../..}" \
- ''
+ --property "Environment=''
+ + (toString [
+ "NIX_BIN=${lib.getExe pkgs.nix}"
+ "REPO_DIR=${../..}"
+ "DATABASE_URL=${database-url}"
+ "USER_SETTINGS_FILE=${configFile}"
+ ])
+ + "\" \\\n"
 + optionalString (credentials != [ ]) (
 (concatStringsSep " \\\n" (map (cred: "--property 'LoadCredential=${cred}'") credentials)) + " \\\n"
 )
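Review bot: The rebuilt `Environment=` value is still spliced into a double-quoted shell word, so it is only correct while none of the four values contains whitespace, `"`, `$` or a backtick; systemd splits `Environment=` on whitespace, so a space inside `database-url` would silently turn into a second assignment. Quoting the whole property once would remove the shell-side dependency and the hand-written `"\" \\\n"` terminator, e.g. `--property ${lib.escapeShellArg ("Environment=" + toString [ ... ])} \`. A short comment such as `# values must not contain whitespace: systemd splits Environment= on it` would document the constraint that remains. The enclosing `let` binding starts and ends outside the hunk.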
@@ -194,6 +196,23 @@ in
 RuntimeDirectory = name;
 LogsDirectory = name;
 } // lib.optionalAttrs (credentials != [ ]) { LoadCredential = credentials; };
+
+ # TODO(@fricklerhandwerk):
+ # Unify handling of runtime settings.
+ # Right now we have four(!) places where we need to set environment variables, each in its own format:
+ # - Django's `settings.py` declaring the setting
+ # - the development environment
+ # - the `manage` command
+ # - here, the service configuration
+ # Ideally we'd set them in two places (development environment and service configuration) but in the same format.
+ # For that we need to take into account
+ # - the different types of settings
+ # - secrets, which must not end up in the store
+ # - other values, which can be world-readable
+ # - ergonomics
+ # - manipulation should be straightforward in both places; e.g. dumping secrets to a directory that is not git-tracked and adding values to an attrset otherwise
+ # - error detection and correction; it should be clear where and why one messed up so it can be fixed immediately
+ # We meay also want to test the development environment in CI in order to make sure that we don't break it inadvertently, because misconfiguration due to multiplpe sources of truth wastes a lot of time.
 environment = {
 USER_SETTINGS_FILE = "${configFile}";
 DATABASE_URL = database-url;
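Review bot: The TODO says secrets must not end up in the store, but it does not say which of the variables set today are known to be non-secret, and the `environment` attrset directly below it is rendered into a store path that any local user can read. `DATABASE_URL` is the one to confirm, both here and in the `Environment=` property of the first hunk: its value is defined outside the diff, and if it can ever carry a password it belongs on the `LoadCredential` path instead. A line such as `# - DATABASE_URL is currently passed via environment; must stay credential-free until this is resolved` would make the interim rule explicit. The last comment line also has two typos, `meay` and `multiplpe`, which should read `may` and `multiple`.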