modules: services: transmission: secrets w/ file

In preparation for the migration to using agenix.

machines/porthos/services.nix

@@ -126,8 +126,12 @@ in
     # Torrent client and webui
     transmission = {
       enable = true;
-      username = "Ambroisie";
-      password = my.secrets.transmission.password;
+      credentialsFile = builtins.toFile "transmission-creds.txt" ''
+        {
+            "rpc-username": "Ambroisie",
+            "rpc-password": "${my.secrets.transmission.password}"
+        }
+      '';
     };
     # Simple, in-kernel VPN
     wireguard = {

modules/services/transmission.nix

@@ -11,17 +11,13 @@ in
   options.my.services.transmission = with lib; {
     enable = mkEnableOption "Transmission torrent client";
 
-    username = mkOption {
+    credentialsFile = mkOption {
       type = types.str;
-      default = "Ambroisie";
-      example = "username";
-      description = "Name of the transmission RPC user";
-    };
-
-    password = mkOption {
-      type = types.str;
-      example = "password";
-      description = "Password of the transmission RPC user";
+      example = "/var/lib/transmission/creds.json";
+      description = ''
+        Credential file as an json configuration file to be merged with
+        the main one.
+      '';
     };
 
     downloadBase = mkOption {
@@ -53,6 +49,8 @@ in
 
       downloadDirPermissions = "775";
 
+      inherit (cfg) credentialsFile;
+
       settings = {
         download-dir = "${cfg.downloadBase}/complete";
         incomplete-dir = "${cfg.downloadBase}/incomplete";
@@ -63,9 +61,6 @@ in
         rpc-port = cfg.port;
         rpc-authentication-required = true;
 
-        rpc-username = cfg.username;
-        rpc-password = cfg.password; # Insecure, but I don't care.
-
         # Proxied behind Nginx.
         rpc-whitelist-enabled = true;
         rpc-whitelist = "127.0.0.1";