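{ pkgs, lib, config, ... }:
# Secret material for this host, fetched at activation time through
# services.secrets.  Each `fetchScript` is a shell fragment that must leave
# the secret's content in "$secretFile"; `simple_get` and `kv_get` are helpers
# provided by that service (not defined here), presumably `simple_get PATH JQ`
# reads one field of a store document -- confirm against the service module.
# Ownership of the written file is taken from the `user`/`group` attributes;
# the scripts themselves only write content and never set modes.
let
  inherit (lib.attrsets) genAttrs;

  # Owners referenced by the secrets below.  Each name must be an existing
  # config.users.users / config.users.groups entry, otherwise the `.uid` /
  # `.gid` lookups fail at evaluation time.
  users = [ "root" "dovecot2" "gitlab_artifacts_sync" "mpd" "nginx" ];
  groups = users;

  # Shell fragment: abort the fetch when the variable `var` is empty.
  # Without this a failed `simple_get` would silently produce an empty token,
  # an env file with empty credentials, or -- worst of all -- a valid bcrypt
  # hash of the empty password in a dovecot passwd file.  Assumes every
  # fetchScript runs in its own shell so `exit 1` aborts only this secret;
  # TODO confirm against the services.secrets implementation.
  requireNonEmpty = var: ''
    if [ -z "''${${var}}" ]; then
      echo "secrets: ${var} is empty, refusing to write $secretFile" >&2
      exit 1
    fi
  '';

  # Shell fragment: fail when nothing (or an empty file) was written.  Used
  # after commands whose stderr is discarded, so their failures are not lost.
  requireFile = ''
    if [ ! -s "$secretFile" ]; then
      echo "secrets: $secretFile was not written or is empty" >&2
      exit 1
    fi
  '';

  # Pre-shared key for one WireGuard peer of the chaos-internal tunnel.
  # `name` is the peer as it appears in the secret name and path, `key` the
  # jq path into the store document (the two differ for lappy-t495).
  # The key is streamed straight into the file so its exact bytes (including
  # any trailing newline the store returns) are preserved for wg.
  wgPreshared = name: key: {
    "wg_preshared_${name}" = {
      path = "/secrets/wg_preshared_${name}";
      fetchScript = ''
        simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ${key} > "$secretFile"
        ${requireFile}
      '';
    };
  };

  # restic credentials for one container's backup: the repository password
  # and an env file pointing at the REST server.  `prefix` is the secret-name
  # prefix, `repo` the store / repository name (differs only in case).
  # NOTE(review): the REST username/password are embedded in the repository
  # URL, so they surface anywhere RESTIC_REPOSITORY gets logged or printed;
  # newer restic releases accept RESTIC_REST_USERNAME / RESTIC_REST_PASSWORD
  # instead -- confirm the deployed version before switching.
  resticSecrets = prefix: repo: {
    "${prefix}_restic_password" = {
      fetchScript = ''
        simple_get "/private-public-keys/restic/${repo}" .password > "$secretFile"
        ${requireFile}
      '';
    };
    "${prefix}_restic_env" = {
      fetchScript = ''
        RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/${repo}" .username)
        RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/${repo}" .password)
        ${requireNonEmpty "RESTIC_USERNAME"}
        ${requireNonEmpty "RESTIC_PASSWORD"}
        echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/${repo}" > "$secretFile"
      '';
    };
  };

  # Dovecot passwd-file entry: a bare bcrypt hash of the password stored at
  # `storePath`.  The password is fed to htpasswd on stdin (-i) rather than
  # on the command line (-b) so it never shows up in `ps` / /proc/*/cmdline.
  # stderr is discarded because htpasswd prints "Adding password for user"
  # on success; the empty-checks around it are what catch real failures.
  dovecotPasswd = storePath: {
    user = "dovecot2";
    group = "dovecot2";
    fetchScript = ''
      password=$(simple_get "${storePath}" .password)
      ${requireNonEmpty "password"}
      printf '%s' "$password" | htpasswd -niB "" 2>/dev/null | cut -d: -f2 > "$secretFile"
      ${requireFile}
    '';
  };
in {
  services.secrets = {
    enable = true;

    # htpasswd (from apacheHttpd) builds the mail and music passwd files.
    packages = with pkgs; [ apacheHttpd ];

    # Numeric ids the secret files are chowned to.
    uidMap = genAttrs users (name: config.users.users.${name}.uid);
    gidMap = genAttrs groups (name: config.users.groups.${name}.gid);

    secrets = {
      # Used directly by the host for fetching gitlab static sites.
      # Env-file with the API token; readable by gitlab_artifacts_sync.
      gitlab_env = {
        user = "gitlab_artifacts_sync";
        group = "gitlab_artifacts_sync";
        fetchScript = ''
          token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
          ${requireNonEmpty "token"}
          echo "GITLAB_TOKEN=$token" > "$secretFile"
        '';
      };

      # WireGuard: this host's private key (root-owned, default path).
      wg_privkey = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
          ${requireFile}
        '';
      };
    }
    # WireGuard: one pre-shared key per peer, at a fixed path under /secrets.
    // wgPreshared "vault" ".preshared_keys.vault"
    // wgPreshared "iphone8" ".preshared_keys.iphone8"
    // wgPreshared "lappy-t495" ".preshared_keys.lappy_t495"

    # Container: music
    // {
      mpd_control_password = {
        user = "mpd";
        group = "mpd";
        fetchScript = ''
          simple_get "/api-keys/mpd" .password > "$secretFile"
          ${requireFile}
        '';
      };

      # nginx basic-auth file for the music stream.  The password goes to
      # htpasswd via stdin (-i) instead of argv (-b).  The default hashing
      # scheme is kept deliberately: nginx's auth_basic verifies through
      # crypt(3), which on glibc does not implement bcrypt -- presumably why
      # -B is not used here, unlike the dovecot entries; confirm before
      # tightening.
      music_stream_passwd = {
        user = "nginx";
        group = "nginx";
        fetchScript = ''
          username=$(simple_get "/api-keys/music-stream" .username)
          password=$(simple_get "/api-keys/music-stream" .password)
          ${requireNonEmpty "username"}
          ${requireNonEmpty "password"}
          printf '%s' "$password" | htpasswd -ic "$secretFile" "$username" 2>/dev/null
          ${requireFile}
        '';
      };

      # Env-file for slskd: the Soulseek account password and the slskd
      # web-UI password.  Written in one redirect so a partially written
      # file cannot be left behind between the two lines.
      slskd_env = {
        fetchScript = ''
          soulseek_password=$(simple_get "/passwords/soulseek" .password)
          slskd_password=$(simple_get "/passwords/slskd" .password)
          ${requireNonEmpty "soulseek_password"}
          ${requireNonEmpty "slskd_password"}
          {
            echo "SLSKD_SLSK_PASSWORD=$soulseek_password"
            echo "SLSKD_PASSWORD=$slskd_password"
          } > "$secretFile"
        '';
      };
    }

    # Container: mail
    // resticSecrets "mail" "Mail"
    // {
      # Postfix-style alias map, one "<alias> <destination>" per line, built
      # from the kv document's `.data.data` object (`.to` of every entry).
      private_mail_aliases = {
        user = "root";
        group = "root";
        fetchScript = ''
          kv_get "/infra/private-mail-aliases" | jq -r '.data.data | to_entries|map("\(.key) \(.value.to)")[]' > "$secretFile"
          ${requireFile}
        '';
      };

      # Dovecot password hashes for the human account and the two system
      # senders; all three share the same bcrypt construction.
      chaos_mail_passwd = dovecotPasswd "/passwords/mail";
      system_mail_passwd = dovecotPasswd "/api-keys/chaos_mail/system";
      gotosocial_mail_passwd = dovecotPasswd "/api-keys/chaos_mail/gotosocial";
    }

    # Container: social
    // resticSecrets "social" "Social"
    // {
      # GoToSocial SMTP password; the plaintext counterpart of
      # gotosocial_mail_passwd above (same store document).
      social_env_secrets = {
        user = "root";
        group = "root";
        fetchScript = ''
          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
          ${requireNonEmpty "smtp_password"}
          echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
        '';
      };
    }

    # Container: quassel
    // resticSecrets "quassel" "Quassel"

    # Container: piped
    // resticSecrets "piped" "Piped";
  };
}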