nixos/nginx-sso: use '/run' to generate config

Closes #461198.

nixos/doc/manual/release-notes/rl-2511.section.md

@@ -190,6 +190,10 @@
 
 - Linux 5.4 and all its variants have been removed since mainline will reach its end of life within the support-span of 25.11.
 
+- The `services.nginx.sso` module has switched to generating its configuration
+  file in `/run`. You should manually delete `/var/lib/nginx-sso/config.yaml` to
+  avoid storing secret values to disk.
+
 - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
 
 - `boot.enableContainers` is only turned on when a declarative NixOS container is defined in `containers`.

nixos/modules/services/security/nginx-sso.nix

@@ -8,7 +8,7 @@
 let
   cfg = config.services.nginx.sso;
   format = pkgs.formats.yaml { };
-  configPath = "/var/lib/nginx-sso/config.yaml";
+  configPath = "/run/nginx-sso/config.yaml";
   secretsReplacement = utils.genJqSecretsReplacement {
     loadCredential = true;
   } cfg.configuration configPath;
@@ -60,14 +60,11 @@ in
       description = "Nginx SSO Backend";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      preStart = secretsReplacement.script;
       serviceConfig = {
         StateDirectory = "nginx-sso";
         WorkingDirectory = "/var/lib/nginx-sso";
-        ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
+        RuntimeDirectory = "nginx-sso";
-          rm -f '${configPath}'
-          # Relies on YAML being a superset of JSON
-          ${secretsReplacement.script}
-        '';
         ExecStart = ''
           ${lib.getExe cfg.package} \
             --config ${configPath} \