diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index f86e0ad..8f02fce 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -142,7 +142,7 @@ in transmission = { enable = true; username = "alarsyo"; - password = secrets.transmission-password; + secretConfigFile = config.age.secrets."transmission/secret".path; }; }; diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix index 2c9f9c7..962e4ff 100644 --- a/hosts/poseidon/secrets.nix +++ b/hosts/poseidon/secrets.nix @@ -17,6 +17,10 @@ owner = "matrix-synapse"; }; + "transmission/secret" = { + owner = "transmission"; + }; + "users/alarsyo-hashed-password" = {}; "users/root-hashed-password" = {}; }; diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index dcf6892..9e2b6a5 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -22,6 +22,8 @@ in "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; + "transmission/secret.age".publicKeys = [ poseidon ]; + "users/root-hashed-password.age".publicKeys = machines; "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ]; } diff --git a/modules/secrets/transmission/secret.age b/modules/secrets/transmission/secret.age new file mode 100644 index 0000000..038526d Binary files /dev/null and b/modules/secrets/transmission/secret.age differ diff --git a/secrets/default.nix b/secrets/default.nix index 839d586..f47f8fc 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -11,7 +11,6 @@ in { config.my.secrets = { miniflux-admin-credentials = fileContents ./miniflux-admin-credentials.secret; - transmission-password = fileContents ./transmission.secret; nextcloud-admin-pass = ./nextcloud-admin-pass.secret; nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret; 
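Review bot: Nothing visible in this commit shows the RPC password being rotated, and the value that `password = secrets.transmission-password;` in hosts/poseidon/default.nix used to supply should be treated as exposed. That string was passed straight into `rpc-password` in the service settings, so it was presumably rendered into a settings file in the world-readable Nix store and may still be present in older system generations. The new age secret should therefore hold a fresh password rather than the old one. A short comment above the new line would record this, e.g. `# rpc-password comes from the agenix secret; the pre-agenix value was in the Nix store, do not reuse it`.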
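Review bot: `"transmission/secret.age".publicKeys = [ poseidon ];` in modules/secrets/secrets.nix lists only the host key, whereas the restic entries just above it also list `alarsyo`. With a single recipient, the secret can be decrypted or re-keyed only with poseidon's host key, so losing or regenerating that key means recreating the password. If host-only is intended, a comment such as `# host-only on purpose: readable and re-keyable only with poseidon's host key` would make that explicit. Otherwise `[ alarsyo poseidon ]` would match the neighbouring entries.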
diff --git a/secrets/transmission.secret b/secrets/transmission.secret deleted file mode 100644 index c47d591..0000000 Binary files a/secrets/transmission.secret and /dev/null differ diff --git a/services/matrix.nix b/services/matrix.nix index 231723a..eda880a 100644 --- a/services/matrix.nix +++ b/services/matrix.nix @@ -14,6 +14,7 @@ let mkEnableOption mkIf mkOption + optionals ; cfg = config.my.services.matrix; @@ -46,7 +47,7 @@ in { services.matrix-synapse = { enable = true; - extraConfigFiles = lib.optionals (cfg.secretConfigFile != null) [ + extraConfigFiles = optionals (cfg.secretConfigFile != null) [ cfg.secretConfigFile ]; diff --git a/services/transmission.nix b/services/transmission.nix index 5c6826b..bdc99b5 100644 --- a/services/transmission.nix +++ b/services/transmission.nix @@ -4,6 +4,7 @@ let mkEnableOption mkIf mkOption + optionalAttrs ; cfg = config.my.services.transmission; @@ -27,10 +28,11 @@ in description = "Name of the transmission RPC user"; }; - password = mkOption { - type = types.str; - example = "password"; - description = "Password of the transmission RPC user"; + secretConfigFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/var/run/secrets/transmission-secrets"; + description = "Path to secrets file to append to configuration"; }; }; @@ -50,7 +52,6 @@ in rpc-authentication-required = true; rpc-username = cfg.username; - rpc-password = cfg.password; rpc-whitelist-enabled = true; rpc-whitelist = "127.0.0.1"; @@ -58,7 +59,9 @@ in # automatically allow transmission.settings.peer-port openFirewall = true; - }; + } // (optionalAttrs (cfg.secretConfigFile != null) { + credentialsFile = cfg.secretConfigFile; + }); services.nginx.virtualHosts."${webuiDomain}" = { forceSSL = true;
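Review bot: The new `secretConfigFile` option in services/transmission.nix is typed `types.nullOr types.path`, which also accepts a Nix path literal such as `./secret.json`. A file passed that way would normally be copied into the world-readable Nix store, defeating the purpose of the option. The description also does not say what the file has to contain. I would state both, e.g. `description = "Runtime path (outside the Nix store) to a JSON file merged into the Transmission settings; it should set rpc-password";`. The option definition closes inside the hunk, but the enclosing `options` set does not.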
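Review bot: With `default = null`, the `optionalAttrs` guard that now closes the `services.transmission` set in services/transmission.nix silently omits `credentialsFile`, while `rpc-authentication-required = true` and `rpc-username` stay set. A host that enables the module without a secret file then runs an RPC endpoint whose password is not defined anywhere in this module. The nginx virtual host below presumably proxies to the RPC port, in which case the `127.0.0.1` whitelist does not filter those requests and the password is the only gate. I would make the secret mandatory so that evaluation fails instead: `type = types.path;` with no `default`, and a plain `credentialsFile = cfg.secretConfigFile;` in place of the `// (optionalAttrs …)` merge. The surrounding `config` block starts and ends outside the hunk.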