nixos/onlyoffice: require a user supplied nonce (#462100)

nixos/modules/services/web-apps/onlyoffice.nix

@@ -7,10 +7,6 @@
 
 let
   cfg = config.services.onlyoffice;
-  defaultNginxNonceFileContent = "set $secure_link_secret \"mynonce\";";
-  defaultNginxNonceFile = pkgs.writeText "onlyoffice-nonce-nginx.conf" ''
-    ${defaultNginxNonceFileContent}
-  '';
 in
 {
   options.services.onlyoffice = {
@@ -26,17 +22,14 @@ in
 
     securityNonceFile = lib.mkOption {
       type = lib.types.str;
-      default = "${defaultNginxNonceFile}";
+      example = "/run/keys/onlyoffice-nginx-nonce.conf";
-      defaultText = lib.literalExpression ''
-        (pkgs.writeText "onlyoffice-nonce-nginx.conf" \'\'
-          ${defaultNginxNonceFileContent}
-        \'\').outPath;
-      '';
       description = ''
-        Path to a file that contains a secret to sign web requests.
+        File holding nginx configuration that sets the nonce used to create secret links.
-        This file should set a 'secure_link_secret' nginx variable,
+
-        and ideally be managed by a
+        Example:
-        [secret managing scheme](https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes).
+        ```
+        set $secure_link_secret "changeme";
+        ```
       '';
     };
 
@@ -103,12 +96,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    warnings = [
-      (lib.optionalString (cfg.securityNonceFile == "${defaultNginxNonceFile}") ''
-        Please set `options.services.onlyoffice.securityNonceFile`
-        to avoid an (albeit unlikely) information disclosure issue.
-      '')
-    ];
     services = {
       nginx = {
         enable = lib.mkDefault true;