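# NixOS module: provisions /secrets and installs an `init-secrets` helper that
# pulls secret material out of Vault and materialises each item as a file with
# the owner, group and mode declared in ./secrets-db.nix.
{ pkgs, ... }:
let
  secrets-db = (import ./secrets-db.nix { });

  # Argument list for the shell helper write_secret: PATH USER GROUP MODE.
  # Assumes none of the four values contain whitespace (the original script
  # used them unquoted, so this is no stricter than before).
  target = s: "${s.path} ${s.user} ${s.group} ${s.permissions}";
in
{
  # Directory that receives the generated secret files.
  systemd.tmpfiles.rules = [ "d /secrets - root root" ];

  environment.systemPackages = [
    (pkgs.writeShellScriptBin "init-secrets" ''
      set -e -o pipefail

      # Default Vault endpoint, used only when the caller has not set VAULT_ADDR.
      # (The previous test was inverted: it overwrote an explicitly set
      # VAULT_ADDR with the default and left an unset one unset.)
      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
      if [ -z "$VAULT_ADDR" ]; then
        export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
      fi

      export PATH="$PATH:${pkgs.vault}/bin:${pkgs.jq}/bin:${pkgs.apacheHttpd}/bin"

      # Every secret file below is created by a redirection. With the default
      # umask the file would be world-readable until chmod runs; creating it
      # 0600 from the start closes that window. The declared mode is applied
      # afterwards as before.
      umask 077

      # kv_get PATH: fetch a KV secret from Vault as JSON.
      kv_get() {
        vault kv get -format json "$1"
      }

      # simple_get PATH JQ_SUFFIX: print one field of the secret's data as raw
      # text, e.g. simple_get /api-keys/mpd .password
      simple_get() {
        kv_get "$1" | jq -r ".data.data$2"
      }

      # write_secret FILE USER GROUP MODE: store stdin in FILE, then apply the
      # declared ownership and mode. Echoes FILE, as the original script did,
      # so the operator sees which files were written.
      write_secret() {
        local file="$1" user="$2" group="$3" mode="$4"
        echo "$file"
        cat > "$file"
        chown "$user:$group" "$file"
        chmod "$mode" "$file"
      }

      simple_get "/api-keys/mpd" .password \
        | write_secret ${target secrets-db.mpd_control_password}

      # htpasswd -b takes the password as a command-line argument, so it is
      # visible in the process list for the duration of the call; -n prints
      # the "user:hash" line instead of writing the file itself, so the file
      # still goes through write_secret.
      username=$(simple_get "/api-keys/music-stream" .username)
      password=$(simple_get "/api-keys/music-stream" .password)
      htpasswd -nb "$username" "$password" \
        | write_secret ${target secrets-db.music_stream_passwd}

      # Only the bcrypt hash is stored (the empty username is cut off).
      password=$(simple_get "/passwords/mail" .password)
      htpasswd -nbB "" "$password" | cut -d: -f2 \
        | write_secret ${target secrets-db.chaos_mail_passwd}

      token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
      echo "GITLAB_TOKEN=$token" \
        | write_secret ${target secrets-db.gitlab_env}

      simple_get "/private-public-keys/restic/HetznerVM" .password \
        | write_secret ${target secrets-db.restic_password}

      # The repository URL embeds the credentials, so this env file is itself
      # a secret and relies on the declared mode for protection.
      RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/HetznerVM" .username)
      RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/HetznerVM" .password)
      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/HetznerVM" \
        | write_secret ${target secrets-db.restic_env}

      # WireGuard: private key plus one preshared key per peer, all read from
      # the same Vault entry.
      wg_path="/private-public-keys/wireguard/chaos-internal/hetzner-vm"

      simple_get "$wg_path" .private \
        | write_secret ${target secrets-db.wg_privkey}

      simple_get "$wg_path" .preshared_keys.tablet \
        | write_secret ${target secrets-db.wg_preshared_tablet}

      simple_get "$wg_path" .preshared_keys.vault \
        | write_secret ${target secrets-db.wg_preshared_vault}

      simple_get "$wg_path" .preshared_keys.storage \
        | write_secret ${target secrets-db.wg_preshared_storage}
    '')
  ];
}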