From 165b30ef9c9e1b7f155c76466cf02c41080ecf71 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@alarsyo.net>
Date: Fri, 11 Mar 2022 18:14:50 +0100
Subject: [PATCH] secrets: move transmission secret to agenix

---
 hosts/poseidon/default.nix              |   2 +-
 hosts/poseidon/secrets.nix              |   4 ++++
 modules/secrets/secrets.nix             |   2 ++
 modules/secrets/transmission/secret.age | Bin 0 -> 329 bytes
 secrets/default.nix                     |   1 -
 secrets/transmission.secret             | Bin 87 -> 0 bytes
 services/matrix.nix                     |   3 ++-
 services/transmission.nix               |  15 +++++++++------
 8 files changed, 18 insertions(+), 9 deletions(-)
 create mode 100644 modules/secrets/transmission/secret.age
 delete mode 100644 secrets/transmission.secret

diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index f86e0ad..8f02fce 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -142,7 +142,7 @@ in
     transmission = {
       enable = true;
       username = "alarsyo";
-      password = secrets.transmission-password;
+      secretConfigFile = config.age.secrets."transmission/secret".path;
     };
   };
 
diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix
index 2c9f9c7..962e4ff 100644
--- a/hosts/poseidon/secrets.nix
+++ b/hosts/poseidon/secrets.nix
@@ -17,6 +17,10 @@
             owner = "matrix-synapse";
           };
 
+          "transmission/secret" = {
+            owner = "transmission";
+          };
+
           "users/alarsyo-hashed-password" = {};
           "users/root-hashed-password" = {};
         };
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index dcf6892..9e2b6a5 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -22,6 +22,8 @@ in
   "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
   "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
 
+  "transmission/secret.age".publicKeys = [ poseidon ];
+
   "users/root-hashed-password.age".publicKeys = machines;
   "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }
diff --git a/modules/secrets/transmission/secret.age b/modules/secrets/transmission/secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..038526dbf99378a07da0677c4527ac88c101d54f
GIT binary patch
literal 329
zcmV-P0k-~OXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$b8~1dWn?lnH8D9LdNxIMI8h*D
zP)|>1aA8Y1XjN}XFJf3!Hg9xvO<`ziZAmvxQ8svHMtMa@a$-|yM0W~LbV6}=GG;<z
zRWe3KXD>BDc|mP@dO1x~Vpd6FXlgTWb8{~=Ry0s#O>YV<J|H_SXL4m>b7cxbWI=Fa
zP)|lUOF?TkMKB62EiE82D|ShFc{VXQPibgYb!2C1GAnO(I5{;nXiHLbaZPh%Pcw2^
zT4hQ`Ph$##RaB?>>8S;27tG?5yoT5pDVLCFipyI?h5<e$DpS(QNOTNeQ22M<38xP#
zf!&Lj+CtE%g%1G7aseyp;-tFECOgx&Mew1a!lyGNE925LH79F=SV7jQ`1$ap->rjG
bAs%oUJ5#M324smYjO#|$ow%gbb?j*?8$Ny_

literal 0
HcmV?d00001

diff --git a/secrets/default.nix b/secrets/default.nix
index 839d586..f47f8fc 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -11,7 +11,6 @@ in {
 
   config.my.secrets = {
     miniflux-admin-credentials = fileContents ./miniflux-admin-credentials.secret;
-    transmission-password = fileContents ./transmission.secret;
     nextcloud-admin-pass = ./nextcloud-admin-pass.secret;
     nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret;
 
diff --git a/secrets/transmission.secret b/secrets/transmission.secret
deleted file mode 100644
index c47d591b38c006213c439a20c0df76752f644f55..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 87
zcmV-d0I2@}M@dveQdv+`00dNdjC5mc3nPrYC5skK@{o6UKD8_e({M4#i$uiAS~<KZ
tx83qCu`EVsZNxRWwk<et&+l_+F|ePH@{B}ul=%PhbQL<h(?6+eHzgd%CyW39

diff --git a/services/matrix.nix b/services/matrix.nix
index 231723a..eda880a 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -14,6 +14,7 @@ let
     mkEnableOption
     mkIf
     mkOption
+    optionals
   ;
 
   cfg = config.my.services.matrix;
@@ -46,7 +47,7 @@ in {
     services.matrix-synapse = {
       enable = true;
 
-      extraConfigFiles = lib.optionals (cfg.secretConfigFile != null) [
+      extraConfigFiles = optionals (cfg.secretConfigFile != null) [
         cfg.secretConfigFile
       ];
 
diff --git a/services/transmission.nix b/services/transmission.nix
index 5c6826b..bdc99b5 100644
--- a/services/transmission.nix
+++ b/services/transmission.nix
@@ -4,6 +4,7 @@ let
     mkEnableOption
     mkIf
     mkOption
+    optionalAttrs
   ;
 
   cfg = config.my.services.transmission;
@@ -27,10 +28,11 @@ in
       description = "Name of the transmission RPC user";
     };
 
-    password = mkOption {
-      type = types.str;
-      example = "password";
-      description = "Password of the transmission RPC user";
+    secretConfigFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      example = "/var/run/secrets/transmission-secrets";
+      description = "Path to secrets file to append to configuration";
     };
   };
 
@@ -50,7 +52,6 @@ in
         rpc-authentication-required = true;
 
         rpc-username = cfg.username;
-        rpc-password = cfg.password;
 
         rpc-whitelist-enabled = true;
         rpc-whitelist = "127.0.0.1";
@@ -58,7 +59,9 @@ in
 
       # automatically allow transmission.settings.peer-port
       openFirewall = true;
-    };
+    } // (optionalAttrs (cfg.secretConfigFile != null) {
+      credentialsFile = cfg.secretConfigFile;
+    });
 
     services.nginx.virtualHosts."${webuiDomain}" = {
       forceSSL = true;