From d1d33fd1d1323bc251bd502b3a5b009d9aae4d4f Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sat, 6 Feb 2021 13:02:27 +0100
Subject: [PATCH] secrets: modularise

Instead of reading from the 'secrets' directory all over the place, consolidate all secrets-handling inside the same module. This means that finally, the 'acme' service does not need to come read right into this repository, however this leads to a potentially unsecure setup (because I am storing passwords in the Nix store)... I have decided not to care about this relatively minor issue, but I could revisit it by using `sops-nix` in the future.
---
 configuration.nix | 15 ++++++++++-----
 secrets/canary | Bin 0 -> 32 bytes
 secrets/default.nix | Bin 0 -> 790 bytes
 services/nginx.nix | 6 ++++--
 4 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 secrets/canary
 create mode 100644 secrets/default.nix

diff --git a/configuration.nix b/configuration.nix
index ff19c31..6e9ea91 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,11 +4,16 @@
 { config, lib, pkgs, ... }:
+let
+ my = config.my;
+in
 {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ # Include my secrets
+ ./secrets
 # Include my services
 ./services
 ];
@@ -57,9 +62,9 @@
 users.mutableUsers = false; # I want it to be declarative.
 # Define user accounts and passwords.
- users.users.root.hashedPassword = lib.fileContents ./secrets/users/root/password.txt;
+ users.users.root.hashedPassword = my.secrets.users.root.hashedPassword;
 users.users.ambroisie = {
- hashedPassword = lib.fileContents ./secrets/users/ambroisie/password.txt;
+ hashedPassword = my.secrets.users.ambroisie.hashedPassword;
 description = "Bruno BELANYI";
 isNormalUser = true;
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
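Review bot: The `# Include my secrets` comment above the new `./secrets` import does not say how that directory is stored, yet the diffstat lists `secrets/default.nix` and `secrets/canary` as binary blobs, which suggests (inferred, not visible in this patch) transparent encryption of the directory in git. On a checkout where it has not been unlocked, evaluation will fail while parsing `secrets/default.nix` with an error that does not point at the real cause, and the `my.secrets` option tree reached through the new `my = config.my;` binding is not discoverable from the plaintext repository. I would expand the comment to `# Include my secrets (encrypted in git; unlock the checkout before evaluating, presumably declares the my.secrets options)` so both the failure mode and where the options come from are documented next to the import.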
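Review bot: `users.users.root.hashedPassword = my.secrets.users.root.hashedPassword;` and the `ambroisie` counterpart still leave the password hashes in the world-readable Nix store, because NixOS hands `hashedPassword` to the activation script through a store-resident file; the commit message acknowledges this only for the plaintext service passwords, and the later hunks (`matrix.secret`, `nextcloud.password`, `transmission.password`) pass plaintext values the same way. For the two user accounts this does not need to wait for sops-nix: NixOS's `users.users.<name>.passwordFile` option reads the hash from a path at activation time, e.g. `users.users.root.passwordFile = "/etc/nixos/secrets/root-hash";` (constructed placeholder path), keeping the hash out of the store. Whether the service secrets in the `matrix`, `nextcloud` and `transmission` hunks end up in the store depends on how the modules under `./services` consume them, which this patch does not show.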
@@ -96,12 +101,12 @@
 # Matrix backend and Element chat front-end
 matrix = {
 enable = true;
- secret = lib.fileContents ./secrets/matrix/secret.txt;
+ secret = my.secrets.matrix.secret;
 };
 # Nextcloud self-hosted cloud
 nextcloud = {
 enable = true;
- password = lib.fileContents ./secrets/nextcloud/password.txt;
+ password = my.secrets.nextcloud.password;
 };
 # The whole *arr software suite
 pirate.enable = true;
@@ -117,7 +122,7 @@
 transmission = {
 enable = true;
 username = "Ambroisie";
- password = lib.fileContents ./secrets/transmission/password.txt;
+ password = my.secrets.transmission.password;
 };
 };
diff --git a/secrets/canary b/secrets/canary
new file mode 100644
index 0000000000000000000000000000000000000000..e910ea3aafe746337b1ea57a9ff37d62d58d350f
GIT binary patch
literal 32
ocmZQ@_Y83kiVO&0c*b>ed6DJsmgBoNPv87j#HqYCqGs6~0N0cb+yDRo

literal 0
HcmV?d00001

diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..7104fc0069106c75947ef16fe4f96e95eb7c3f59
GIT binary patch
literal 790
zcmV+x1L^z#M@dveQdv+`0LO$5n4elzR~1tR2FTMry9SA6UKifl-xyPm6ED<$aQ^AF zkAB>-X-)&kqD7FKj4{JgRI-$XqYhdE6%hDTbsJmrDE;eGdoD==-v+_8?x6vSg0$F?8D`OfpL7;|*g1 v(B@C+A5kJo6HTtu~=PHwS-+W%zPNGga|+TG+e z{L4OHAnwp2MG*DZz=U`OBcnj{sS@-%qTeW`$_4MZGmXO!Wy2L1E5bj6pOO>3{4MU} zL1995%KDvmG=%@CkmDDEg;f_^;N`-h+fbmPnKaT2RFWV1y-_{Gim%XNm*jRQ5Z$QF zqCBzVk2uY4;BLIuEZYUBWUD403GSq``~gu6J^E$#rq7-3%Vd-34boeYK2J1U~! ZAoxUadw$xnOkbez~A36uH~9k{Sf}9J>0*-)XeSK