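{pkgs, ...}: {
  # Declarative secret fetching for this host.  Every entry under `secrets`
  # runs its `fetchScript` with `$secretFile` pointing at the destination
  # file.  `simple_get`, `kv_get` and `jq` are used below without being
  # listed in extraPackages, so they are presumably provided by the
  # services.secrets module itself — confirm against the module definition.
  services.secrets = {
    enable = true;

    extraPackages = with pkgs; [
      # htpasswd, for the music-stream and mail password files
      apacheHttpd
      # rclone obscure, for the misskey storage sync config
      rclone
    ];

    # Shell helpers (bash — pushd/popd were used originally) available to
    # every fetchScript below.
    extraFunctions = ''
      # Escape stdin for use inside a sed `s/.../.../` replacement: backslash
      # first, then the `/` delimiter and `&`.  Kept under its historical
      # name for any caller outside this file; the old body only escaped the
      # *first* slash (no `g` flag) and ignored `&` and `\`.
      replace_slash_for_sed() {
        sed -e 's/\\/\\\\/g' -e 's/[\/&]/\\&/g'
      }

      # Replace every literal occurrence of TOKEN in FILE with VALUE using bash
      # substitution instead of sed.  VALUE needs no escaping and the secret
      # never appears on a command line, where ps/argv could expose it.
      # usage: replace_token_in_file FILE TOKEN VALUE
      replace_token_in_file() {
        local file=$1 token=$2 value=$3 content
        content=$(<"$file")
        printf '%s\n' "''${content//"$token"/"$value"}" > "$file"
      }

      # Percent-encode stdin so it can be embedded in a URL userinfo part.
      uri_encode() {
        jq -rR '@uri'
      }

      # Read a password on stdin and print only its bcrypt hash (the empty
      # user column produced by `htpasswd -n ""` is cut away).  -i reads the
      # password from stdin so it is not passed as an argument.
      bcrypt_password_hash() {
        htpasswd -niB "" 2>/dev/null | cut -d: -f2
      }

      # Fetch a vault value and rclone-obscure it for an rclone.conf `pass =`.
      # NOTE(review): the plaintext is still passed to rclone via argv here;
      # `rclone obscure -` reads stdin but its newline handling was not
      # verified, so the original form is kept.
      simple_get_obscure() {
        rclone obscure "$(simple_get "$@")"
      }

      # Fill an rclone crypt section in template FILE: PREFIX_ACCOUNT is
      # replaced with the crypt password and PREFIX_KEY with the salt, both
      # read from the vault entry at VAULT_PATH.
      # usage: simple_get_replace_crypt VAULT_PATH PREFIX FILE
      simple_get_replace_crypt() {
        local vault_path=$1 prefix=$2 file=$3 password salt
        password=$(simple_get "$vault_path" .password)
        salt=$(simple_get "$vault_path" .salt)
        replace_token_in_file "$file" "''${prefix}_ACCOUNT" "$password"
        replace_token_in_file "$file" "''${prefix}_KEY" "$salt"
      }
    '';

    secrets = {
      # Plain MPD control password.
      mpd_control_password = {
        user = "mpd";
        group = "mpd";
        fetchScript = ''
          simple_get "/api-keys/mpd" .password > "$secretFile"
        '';
      };

      # htpasswd file for nginx basic auth on the music stream.
      music_stream_passwd = {
        user = "nginx";
        group = "nginx";
        fetchScript = ''
          username=$(simple_get "/api-keys/music-stream" .username)
          # -c (re)creates the file; -i takes the password on stdin instead of
          # argv.  Hash algorithm is left at htpasswd's default so the file
          # format nginx already accepts is unchanged.
          simple_get "/api-keys/music-stream" .password \
            | htpasswd -ci "$secretFile" "$username" 2>/dev/null
        '';
      };

      # "<alias> <target>" lines built from the vault's KV entry.
      private_mail_aliases = {
        user = "root";
        group = "root";
        fetchScript = ''
          kv_get "/infra/private-mail-aliases" \
            | jq -r '.data.data | to_entries | map("\(.key) \(.value.to)")[]' \
            > "$secretFile"
        '';
      };

      # bcrypt hashes for dovecot; only the hash is written, no user column.
      chaos_mail_passwd = {
        user = "dovecot2";
        group = "dovecot2";
        fetchScript = ''
          simple_get "/passwords/mail" .password | bcrypt_password_hash > "$secretFile"
        '';
      };

      misskey_mail_passwd = {
        user = "dovecot2";
        group = "dovecot2";
        fetchScript = ''
          simple_get "/api-keys/chaos_mail/misskey" .password | bcrypt_password_hash > "$secretFile"
        '';
      };

      system_mail_passwd = {
        user = "dovecot2";
        group = "dovecot2";
        fetchScript = ''
          simple_get "/api-keys/chaos_mail/system" .password | bcrypt_password_hash > "$secretFile"
        '';
      };

      # Environment file with the GitLab token for the artifacts sync job.
      gitlab_env = {
        user = "gitlab_artifacts_sync";
        group = "gitlab_artifacts_sync";
        fetchScript = ''
          token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
          printf 'GITLAB_TOKEN=%s\n' "$token" > "$secretFile"
        '';
      };

      # rclone.conf for misskey file sync, filled from a template in ./data.
      # NOTE(review): group "users" is broad for a file holding storage
      # credentials — confirm the file mode the module applies.
      misskey_storage_rclone_config = {
        user = "misskey";
        group = "users";
        fetchScript = ''
          # mktemp -d creates a 0700 directory; the filled template only
          # exists there until it is copied to $secretFile.
          tmp_dir=$(mktemp -d)
          template="$tmp_dir/template"
          cp ${./data/misskey_rclone.template} "$template"
          storage_password=$(simple_get_obscure /api-keys/storage/webdav/misskey .password)
          replace_token_in_file "$template" MISSKEY_STORAGE_PASSWORD "$storage_password"
          simple_get_replace_crypt "/private-public-keys/rclone/Backups-Misskey-Crypt" "STORAGE_MISSKEY_CRYPT" "$template"
          cp "$template" "$secretFile"
          rm -rf "$tmp_dir"
        '';
      };

      # restic repository password (Social backups).
      social_restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
        '';
      };

      # restic REST backend URL with embedded credentials.  Both parts are
      # percent-encoded: a '@', '/', ':' or '#' in the password would
      # otherwise corrupt the URL restic parses.
      social_restic_env = {
        fetchScript = ''
          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Social" .username | uri_encode)
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .password | uri_encode)
          printf 'RESTIC_REPOSITORY=rest:https://%s:%s@storage-restic.owo.monster/Social\n' \
            "$RESTIC_USERNAME" "$RESTIC_PASSWORD" > "$secretFile"
        '';
      };

      # restic repository password (this VM's backups).
      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/HetznerVM" .password > "$secretFile"
        '';
      };

      restic_env = {
        fetchScript = ''
          RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/HetznerVM" .username | uri_encode)
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/HetznerVM" .password | uri_encode)
          printf 'RESTIC_REPOSITORY=rest:https://%s:%s@storage-restic.owo.monster/HetznerVM\n' \
            "$RESTIC_USERNAME" "$RESTIC_PASSWORD" > "$secretFile"
        '';
      };

      # WireGuard private key for the chaos-internal tunnel.
      wg_privkey = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
        '';
      };

      # Per-peer WireGuard preshared keys, written to fixed paths under
      # /secrets so the wireguard config can reference them directly.
      wg_preshared_tablet = {
        path = "/secrets/wg_preshared_tablet";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.tablet > "$secretFile"
        '';
      };

      wg_preshared_vault = {
        path = "/secrets/wg_preshared_vault";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > "$secretFile"
        '';
      };

      wg_preshared_storage = {
        path = "/secrets/wg_preshared_storage";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > "$secretFile"
        '';
      };

      wg_preshared_iphone8 = {
        path = "/secrets/wg_preshared_iphone8";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > "$secretFile"
        '';
      };
    };
  };
}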