modules: services: nginx: use 'credentialsFile'

In preparation for the migration to agenix.
2021-09-25 13:24:23 +02:00 · 2021-09-25 13:24:23 +02:00 · 16d3cd9f81
parent 7d37701811
commit 16d3cd9f81
2 changed files with 14 additions and 2 deletions
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@ -106,6 +106,9 @@ in
    };
    nginx = {
      enable = true;
+      acme = {
+        credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key;
+      };
    };
    paperless = {
      enable = true;
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -60,6 +60,16 @@ in
  options.my.services.nginx = with lib; {
    enable = mkEnableOption "Nginx";

+    acme = {
+      credentialsFile = mkOption {
+        type = types.str;
+        example = "/var/lib/acme/creds.env";
+        description = ''
+          Gandi API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
+        '';
+      };
+    };
+
    monitoring = {
      enable = my.mkDisableOption "monitoring through grafana and prometheus";
    };
@ -330,14 +340,13 @@ in
      certs =
        let
          domain = config.networking.domain;
-          key = config.my.secrets.acme.key;
        in
        with pkgs;
        {
          "${domain}" = {
            extraDomainNames = [ "*.${domain}" ];
            dnsProvider = "gandiv5";
-            credentialsFile = writeText "key.env" key; # Unsecure, I don't care.
+            inherit (cfg.acme) credentialsFile;
          };
        };
    };