secrets: modularise

Instead of reading from the 'secrets' directory all over the place, consolidate all secrets-handling inside the same module. This means that finally, the 'acme' service does not need to come read right into this repository, however this leads to a potentially unsecure setup (because I am storing passwords in the Nix store)... I have decided not to care about this relatively minor issue, but I could revisit it by using `sops-nix` in the future.
2021-02-06 13:02:27 +01:00 · 2021-02-06 13:02:27 +01:00 · d1d33fd1d1
commit d1d33fd1d1
parent 0871f3e6b4
4 changed files with 14 additions and 7 deletions
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -1,7 +1,7 @@
 # Configuration shamelessly stolen from [1]
 #
 # [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix
-{ config, lib, ... }:
+{ config, pkgs, lib, ... }:

 {
  # Whenever something defines an nginx vhost, ensure that nginx defaults are
@ -29,12 +29,14 @@
      certs =
        let
          domain = config.networking.domain;
+          key = config.my.secrets.acme.key;
        in
+        with pkgs;
        {
          "${domain}" = {
            extraDomainNames = [ "*.${domain}" ];
            dnsProvider = "gandiv5";
-            credentialsFile = ../secrets/acme/key.env;
+            credentialsFile = writeText "key.env" key; # Unsecure, I don't care.
          };
        };
    };