From dfda2fd18365a309f36bea927aab0a0354b32fb0 Mon Sep 17 00:00:00 2001
From: Kris
Date: Thu, 19 Feb 2026 21:36:30 +0200
Subject: [PATCH] aaaaaaa
---
 modules/wafrn.nix | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/modules/wafrn.nix b/modules/wafrn.nix
index bb73ad0..29790a0 100644
--- a/modules/wafrn.nix
+++ b/modules/wafrn.nix
@@ -499,7 +499,35 @@ in
 echo "wafrn-nix: secretsFile does not exist: ${cfg.secretsFile}" >&2
 exit 1
 fi
- cat "${cfg.secretsFile}" >> ${serviceEnvFile}
+
+ while IFS= read -r raw_line || [ -n "$raw_line" ]; do
+ case "$raw_line" in
+ ""|\#*)
+ continue
+ ;;
+ esac
+
+ key="${raw_line%%=*}"
+ value="${raw_line#*=}"
+
+ key="$(printf '%s' "$key" | tr -d '[:space:]')"
+ if ! printf '%s' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
+ echo "wafrn-nix: ignoring invalid env key from secretsFile: $key" >&2
+ continue
+ fi
+
+ first_char="${value:0:1}"
+ last_char="${value: -1}"
+ if [ "$first_char" = '"' ] && [ "$last_char" = '"' ]; then
+ value="${value:1:${#value}-2}"
+ elif [ "$first_char" = "'" ] && [ "$last_char" = "'" ]; then
+ value="${value:1:${#value}-2}"
+ fi
+
+ value="${value//\\/\\\\}"
+ value="${value//\"/\\\"}"
+ printf '%s="%s"\n' "$key" "$value" >> ${serviceEnvFile}
+ done < "${cfg.secretsFile}"
 ''}
 install -m 0644 ${composeTemplate} ${composeFile}
 '';
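Review bot: The warning `echo "wafrn-nix: ignoring invalid env key from secretsFile: $key" >&2` can put secret material on stderr, because for a line with no `=` the expansion `${raw_line%%=*}` leaves the whole line in `key`, so a stray token or a wrapped secret value is printed to whatever log collects the unit's output; drop the value from the message, e.g. `echo "wafrn-nix: ignoring malformed line in secretsFile" >&2`. A line without `=` whose text happens to be a valid identifier is not rejected at all and is written out as `KEY="KEY"`, so it is worth skipping lines that contain no `=` before splitting. Separately, the new bash expansions (`${raw_line%%=*}`, `${value:0:1}`, `${value: -1}`, `${value//\"/\\\"}` and the others) appear to sit inside a Nix `''` string, judging by the `''}` and `'';` closers and the Nix-interpolated `${cfg.secretsFile}`, so each likely needs the `''${` escape, e.g. `key="''${raw_line%%=*}"`, or Nix will try to evaluate them itself. The enclosing script string starts above the hunk and ends below it.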