secrets: modularise
Instead of reading from the 'secrets' directory all over the place, consolidate all secrets-handling inside the same module. This means that finally, the 'acme' service does not need to come read right into this repository, however this leads to a potentially unsecure setup (because I am storing passwords in the Nix store)... I have decided not to care about this relatively minor issue, but I could revisit it by using `sops-nix` in the future.
This commit is contained in:
parent
0871f3e6b4
commit
d1d33fd1d1
|
|
@ -4,11 +4,16 @@
|
|||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
my = config.my;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
# Include my secrets
|
||||
./secrets
|
||||
# Include my services
|
||||
./services
|
||||
];
|
||||
|
|
@ -57,9 +62,9 @@
|
|||
users.mutableUsers = false; # I want it to be declarative.
|
||||
|
||||
# Define user accounts and passwords.
|
||||
users.users.root.hashedPassword = lib.fileContents ./secrets/users/root/password.txt;
|
||||
users.users.root.hashedPassword = my.secrets.users.root.hashedPassword;
|
||||
users.users.ambroisie = {
|
||||
hashedPassword = lib.fileContents ./secrets/users/ambroisie/password.txt;
|
||||
hashedPassword = my.secrets.users.ambroisie.hashedPassword;
|
||||
description = "Bruno BELANYI";
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
|
|
@ -96,12 +101,12 @@
|
|||
# Matrix backend and Element chat front-end
|
||||
matrix = {
|
||||
enable = true;
|
||||
secret = lib.fileContents ./secrets/matrix/secret.txt;
|
||||
secret = my.secrets.matrix.secret;
|
||||
};
|
||||
# Nextcloud self-hosted cloud
|
||||
nextcloud = {
|
||||
enable = true;
|
||||
password = lib.fileContents ./secrets/nextcloud/password.txt;
|
||||
password = my.secrets.nextcloud.password;
|
||||
};
|
||||
# The whole *arr software suite
|
||||
pirate.enable = true;
|
||||
|
|
@ -117,7 +122,7 @@
|
|||
transmission = {
|
||||
enable = true;
|
||||
username = "Ambroisie";
|
||||
password = lib.fileContents ./secrets/transmission/password.txt;
|
||||
password = my.secrets.transmission.password;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
BIN
secrets/canary
Normal file
BIN
secrets/canary
Normal file
Binary file not shown.
BIN
secrets/default.nix
Normal file
BIN
secrets/default.nix
Normal file
Binary file not shown.
|
|
@ -1,7 +1,7 @@
|
|||
# Configuration shamelessly stolen from [1]
|
||||
#
|
||||
# [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix
|
||||
{ config, lib, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
# Whenever something defines an nginx vhost, ensure that nginx defaults are
|
||||
|
|
@ -29,12 +29,14 @@
|
|||
certs =
|
||||
let
|
||||
domain = config.networking.domain;
|
||||
key = config.my.secrets.acme.key;
|
||||
in
|
||||
with pkgs;
|
||||
{
|
||||
"${domain}" = {
|
||||
extraDomainNames = [ "*.${domain}" ];
|
||||
dnsProvider = "gandiv5";
|
||||
credentialsFile = ../secrets/acme/key.env;
|
||||
credentialsFile = writeText "key.env" key; # Unsecure, I don't care.
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in a new issue