secrets: modularise

Instead of reading from the 'secrets' directory all over the place,
consolidate all secrets-handling inside the same module.

This means that finally, the 'acme' service does not need to come read
right into this repository, however this leads to a potentially unsecure
setup (because I am storing passwords in the Nix store)... I have
decided not to care about this relatively minor issue, but I could
revisit it by using `sops-nix` in the future.
This commit is contained in:
Bruno BELANYI 2021-02-06 13:02:27 +01:00
parent 0871f3e6b4
commit d1d33fd1d1
4 changed files with 14 additions and 7 deletions

View file

@ -4,11 +4,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let
my = config.my;
in
{ {
imports = imports =
[ [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
# Include my secrets
./secrets
# Include my services # Include my services
./services ./services
]; ];
@ -57,9 +62,9 @@
users.mutableUsers = false; # I want it to be declarative. users.mutableUsers = false; # I want it to be declarative.
# Define user accounts and passwords. # Define user accounts and passwords.
users.users.root.hashedPassword = lib.fileContents ./secrets/users/root/password.txt; users.users.root.hashedPassword = my.secrets.users.root.hashedPassword;
users.users.ambroisie = { users.users.ambroisie = {
hashedPassword = lib.fileContents ./secrets/users/ambroisie/password.txt; hashedPassword = my.secrets.users.ambroisie.hashedPassword;
description = "Bruno BELANYI"; description = "Bruno BELANYI";
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user. extraGroups = [ "wheel" ]; # Enable sudo for the user.
@ -96,12 +101,12 @@
# Matrix backend and Element chat front-end # Matrix backend and Element chat front-end
matrix = { matrix = {
enable = true; enable = true;
secret = lib.fileContents ./secrets/matrix/secret.txt; secret = my.secrets.matrix.secret;
}; };
# Nextcloud self-hosted cloud # Nextcloud self-hosted cloud
nextcloud = { nextcloud = {
enable = true; enable = true;
password = lib.fileContents ./secrets/nextcloud/password.txt; password = my.secrets.nextcloud.password;
}; };
# The whole *arr software suite # The whole *arr software suite
pirate.enable = true; pirate.enable = true;
@ -117,7 +122,7 @@
transmission = { transmission = {
enable = true; enable = true;
username = "Ambroisie"; username = "Ambroisie";
password = lib.fileContents ./secrets/transmission/password.txt; password = my.secrets.transmission.password;
}; };
}; };

BIN
secrets/canary Normal file

Binary file not shown.

BIN
secrets/default.nix Normal file

Binary file not shown.

View file

@ -1,7 +1,7 @@
# Configuration shamelessly stolen from [1] # Configuration shamelessly stolen from [1]
# #
# [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix # [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix
{ config, lib, ... }: { config, pkgs, lib, ... }:
{ {
# Whenever something defines an nginx vhost, ensure that nginx defaults are # Whenever something defines an nginx vhost, ensure that nginx defaults are
@ -29,12 +29,14 @@
certs = certs =
let let
domain = config.networking.domain; domain = config.networking.domain;
key = config.my.secrets.acme.key;
in in
with pkgs;
{ {
"${domain}" = { "${domain}" = {
extraDomainNames = [ "*.${domain}" ]; extraDomainNames = [ "*.${domain}" ];
dnsProvider = "gandiv5"; dnsProvider = "gandiv5";
credentialsFile = ../secrets/acme/key.env; credentialsFile = writeText "key.env" key; # Unsecure, I don't care.
}; };
}; };
}; };