# vspd options

`vspd` uses rpc credentials, so it's recommended to secure your secrets using a tool like [sops-nix](https://github.com/Mic92/sops-nix).

## sops-nix

Render `vspd.conf` with `sops-nix` and point the service at it. Example:

```nix
{ config, lib, pkgs, ... }:
{
  # Define credentials as secrets
  sops.secrets."vspd/adminpass" = {};
  sops.secrets."dcrwallet/rpcpass" = {};

  # Render vspd.conf owned by the vspd service user/group
  sops.templates."vspd.conf" = {
    owner = config.services.vspd.user;
    group = config.services.vspd.group;
    mode = "0440";
    restartUnits = [ "vspd.service" ];
    content = ''
      [Application Options]
      network = testnet
      
      # Web server
      listen = 0.0.0.0:8800
      adminpass = ${config.sops.placeholder."vspd/adminpass"}
      supportemail = support@example.com
      vspfee = 2.0
      
      # dcrd connection
      dcrdhost = 127.0.0.1:9109
      dcrduser = myusername
      dcrdpass = ${config.sops.placeholder."dcrwallet/rpcpass"}
      dcrdcert = /var/lib/dcrd/rpc.cert
      
      # dcrwallet connections
      # Multiple wallets are comma-separated
      wallethost = 10.0.0.1:9110,10.0.0.2:9110,10.0.0.3:9110
      walletuser = wallet1user,wallet2user,wallet3user
      walletpass = ${config.sops.placeholder."dcrwallet/rpcpass"},${config.sops.placeholder."dcrwallet/rpcpass"},${config.sops.placeholder."dcrwallet/rpcpass"}
      walletcert = /var/lib/vspd/wallet1.cert,/var/lib/vspd/wallet2.cert,/var/lib/vspd/wallet3.cert
    '';
  };

  # Ensure vspd only starts when the config exists
  systemd.services.vspd.unitConfig.ConditionPathExists =
    config.sops.templates."vspd.conf".path;

  # Point the module to the rendered config
  services.vspd = {
    enable = true;
    configFile = config.sops.templates."vspd.conf".path;
  };
}
```

## Notes

- `vspd` expects its configuration file to be named `vspd.conf` and located in its home directory. The NixOS module handles this by symlinking the file provided in `configFile` to `/var/lib/vspd/vspd.conf` on startup.
- Web assets (`public` and `templates`) are symlinked to `services.vspd.webPath` if it is set (default `null`). Set this to a path (e.g. `/var/www/vspd`) to serve these assets with a web server like Caddy or Nginx.
- `vspd` requires access to the `rpc.cert` files for both `dcrd` and all voting `dcrwallet` instances. Ensure permissions are set correctly so the `vspd` user can read them.
- `vspd` periodically writes a backup of its database to `{homedir}/data/{network}/vspd.db-backup`.
Ensure this file is backed up regularly.