services: nginx: fix acme option warning

This reverts commit d5813bfdb6.

No longer necessary!

.github/workflows/cachix.yaml

@@ -1,13 +1,16 @@
-name: "Build packages for cachix"
+name: "Populate Cachix binary cache"
 on:
   push:
     paths:
+      - '**.nix'
+      - '**.age'
       - 'pkgs/**'
       - 'flake.nix'
       - 'flake.lock'
       - '.github/workflows/*'
 jobs:
-  build:
+  build-pkgs:
+    name: Nix packages
     runs-on: ubuntu-latest
 
     strategy:
@@ -32,4 +35,29 @@ jobs:
         extraPullNames: "nix-community"
 
     - name: Build package
-      run: nix build --verbose -L .#"${{ matrix.name }}"
+      run: nix build -L .#"${{ matrix.name }}"
+
+  build-configs:
+    name: NixOS configs
+    runs-on: ubuntu-latest
+    needs: [ build-pkgs ]
+
+    strategy:
+      matrix:
+        name:
+        - boreal
+        - zephyrus
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - uses: cachix/install-nix-action@v16
+
+    - uses: cachix/cachix-action@v10
+      with:
+        name: alarsyo
+        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+        extraPullNames: "nix-community"
+
+    - name: Build package
+      run: nix build -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel

.gitignore

@@ -0,0 +1 @@
+/result

base/gui-programs.nix

@@ -26,6 +26,8 @@ in
         xkbVariant = "us";
         libinput.enable = true;
       };
+
+      logind.lidSwitch = "ignore";
     };
 
     environment.systemPackages = builtins.attrValues {
@@ -53,7 +55,40 @@ in
       inherit (pkgs.unstable) discord;
     };
 
-    networking.networkmanager.enable = true;
+    networking.networkmanager = {
+      enable = true;
+
+      dispatcherScripts = [
+        {
+          source =
+            let
+              grep = "${pkgs.gnugrep}/bin/grep";
+              nmcli = "${pkgs.networkmanager}/bin/nmcli";
+            in pkgs.writeShellScript "disable_wifi_on_ethernet" ''
+              export LC_ALL=C
+
+              enable_disable_wifi ()
+              {
+                  result=$(${nmcli} dev | ${grep} "ethernet" | ${grep} -w "connected")
+                  if [ -n "$result" ]; then
+                      ${nmcli} radio wifi off
+                  else
+                      ${nmcli} radio wifi on
+                  fi
+              }
+
+              if [ "$2" = "up" ]; then
+                  enable_disable_wifi
+              fi
+
+              if [ "$2" = "down" ]; then
+                  enable_disable_wifi
+              fi
+            '';
+          type = "basic";
+        }
+      ];
+    };
     programs.nm-applet.enable = true;
     programs.steam.enable = true;
 

base/nix.nix

@@ -8,15 +8,16 @@
       experimental-features = nix-command flakes
     '';
 
-    trustedUsers = [ "@wheel" ];
-
-    binaryCaches = [
+    settings = {
+      trusted-users = [ "@wheel" ];
+      substituters = [
         "https://alarsyo.cachix.org"
         "https://nix-community.cachix.org"
       ];
-    binaryCachePublicKeys = [
+      trusted-public-keys = [
         "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk="
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       ];
     };
+  };
 }

base/programs.nix

@@ -53,6 +53,8 @@
 
       # nix pkgs lookup
       nix-index
+
+      agenix
     ;
 
     inherit (pkgs.llvmPackages_11)

base/users.nix

@@ -5,10 +5,10 @@ in
 {
   users.mutableUsers = false;
   users.users.root = {
-    hashedPassword = secrets.shadow-hashed-password-root;
+    passwordFile = config.age.secrets."users/root-hashed-password".path;
   };
   users.users.alarsyo = {
-    hashedPassword = secrets.shadow-hashed-password-alarsyo;
+    passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
     isNormalUser = true;
     extraGroups = [
       "media"

flake.lock

@@ -1,12 +1,30 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1641576265,
+        "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "08b9c96878b2f9974fc8bde048273265ad632357",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "emacs-overlay": {
       "locked": {
-        "lastModified": 1642358862,
-        "narHash": "sha256-tttyyXdpOQYxFG3HkOOcK0dFxBpdaeWHRrIWWnQRZYA=",
+        "lastModified": 1644230579,
+        "narHash": "sha256-/3v0jBKY1QJPK6cdO0fZl+xK5E+GZhHcbgWb7RoFEN4=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "cdd347f1b966415c5473b3e3f4640c0d0fd13b55",
+        "rev": "02d47fdf48e54598f9838f01a9d172bfa206b63e",
         "type": "github"
       },
       "original": {
@@ -39,11 +57,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1642372264,
-        "narHash": "sha256-SRnw7qcHmvUBxby925Vm+nhPqq7YVs1qquNqv7TRyVY=",
+        "lastModified": 1643933104,
+        "narHash": "sha256-NZPuFxRsZKN8pjRuHPpzlMyt6JQhcjiduBG8bMghSjE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "46bba772f26f89b62811f487d2b0d5357c91bc32",
+        "rev": "63dccc4e60422c1db2c3929b2fd1541f36b7e664",
         "type": "github"
       },
       "original": {
@@ -71,27 +89,24 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1642104392,
-        "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5",
-        "type": "github"
+        "lastModified": 1618628710,
+        "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+        "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
+        "rev": "7919518f0235106d050c77837df5e338fb94de5d",
+        "type": "path"
       },
       "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "id": "nixpkgs",
+        "type": "indirect"
       }
     },
     "nixpkgs-unstable-small": {
       "locked": {
-        "lastModified": 1642285376,
-        "narHash": "sha256-LfZBVKCrPOx5k9pUoJlRsBvdz7yn1qYHenCKuqwwFGo=",
+        "lastModified": 1644225686,
+        "narHash": "sha256-XDslFfn44H93WjGytIhrPSduGIug1p4cPN/cEuHdIBI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0a223c8d509cea6b4be3906f9c39820ff195fad2",
+        "rev": "64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8",
         "type": "github"
       },
       "original": {
@@ -101,13 +116,30 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1644033087,
+        "narHash": "sha256-beskas17YPhrcnanzywake9/z+k+xOWmavW24YUN8ng=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9f697d60e4d9f08eacf549502528bfaed859d33b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "emacs-overlay": "emacs-overlay",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable-small": "nixpkgs-unstable-small"
       }
     }

flake.nix

@@ -15,6 +15,12 @@
       ref = "nixos-unstable-small";
     };
 
+    agenix = {
+      type = "github";
+      owner = "ryantm";
+      repo = "agenix";
+    };
+
     emacs-overlay = {
       type = "github";
       owner = "nix-community";
@@ -45,7 +51,7 @@
     };
   };
 
-  outputs = { self, nixpkgs, home-manager, ... } @inputs: {
+  outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: {
     nixosModules = {
       home = {
         home-manager.useGlobalPkgs = true;
@@ -74,9 +80,13 @@
               inherit system;
               config.allowUnfree = true;
             };
+
           })
+
+          agenix.overlay
         ] ++ builtins.attrValues self.overlays;
         sharedModules = [
+          agenix.nixosModules.age
           home-manager.nixosModule
           { nixpkgs.overlays = shared_overlays; }
         ] ++ (nixpkgs.lib.attrValues self.nixosModules);

home/default.nix

@@ -12,7 +12,6 @@
     ./laptop.nix
     ./lorri.nix
     ./rofi.nix
-    ./secrets
     ./ssh.nix
     ./themes
     ./tmux.nix

home/lorri.nix

@@ -16,7 +16,6 @@ in
     services.lorri.enable = true;
     programs.direnv = {
         enable = true;
-        enableFishIntegration = true;
         # FIXME: proper file, not lorri.nix
         nix-direnv = {
           enable = true;

home/secrets/default.nix

@@ -1,19 +0,0 @@
-{ lib, ... }:
-let
-  inherit (lib)
-    fileContents
-    mkOption
-    types
-  ;
-in
-{
-  options.my.secrets = mkOption {
-    type = types.attrs;
-  };
-
-  config.my.secrets = {
-    # I'm not sure hiding this is very important, but it *seems* like a bad idea
-    # to expose this
-    bluetooth-mouse-mac-address = fileContents ./bluetooth-mouse-mac-address.secret;
-  };
-}

home/tridactylrc

@@ -1,3 +1,5 @@
+" -*- tridactylrc -*-
+
 " This wipes all existing settings. This means that if a setting in this file is
 " removed, then it will return to default. In other words, this file serves as
 " as an enforced single point of truth for Tridactyl's configuration.

home/x/i3bar.nix

@@ -35,8 +35,7 @@ in
   config = mkIf isEnabled {
     home.packages = builtins.attrValues {
       inherit (pkgs)
-        iw # Used by `net` block
-        lm_sensors # Used by `temperature` block
+        # FIXME: is this useful?
         font-awesome
       ;
     };
@@ -105,12 +104,6 @@ in
               block = "networkmanager";
               primary_only = true;
             }
-            {
-              block = "bluetooth";
-              mac = config.my.secrets.bluetooth-mouse-mac-address;
-              hide_disconnected = true;
-              format = "{percentage}";
-            }
             {
               block = "sound";
               driver = "pulseaudio";

hosts/boreal/default.nix

@@ -3,15 +3,14 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, lib, pkgs, ... }:
-let
-  secrets = config.my.secrets;
-in
 {
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
 
       ./home.nix
+
+      ./secrets.nix
     ];
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -46,17 +45,12 @@ in
 
   # List services that you want to enable:
   my.services = {
-    borg-backup = {
+    restic-backup = {
       enable = true;
-      repo = secrets.borg-backup.boreal-repo;
-      # for a workstation, having backups spanning the last month should be
-      # enough
-      prune = {
-        keep = {
-          daily = 7;
-          weekly = 4;
-        };
-      };
+      repo = "b2:boreal-backup";
+      passwordFile = config.age.secrets."restic-backup/boreal-password".path;
+      environmentFile = config.age.secrets."restic-backup/boreal-credentials".path;
+
       paths = [
         "/home/alarsyo"
       ];
@@ -64,7 +58,7 @@ in
         "/home/alarsyo/Downloads"
 
         # Rust builds using half my storage capacity
-        "/home/alarsyo/*/target"
+        "/home/alarsyo/**/target"
         "/home/alarsyo/work/rust/build"
 
         # don't backup nixpkgs

hosts/boreal/secrets.nix

@@ -0,0 +1,19 @@
+{ config, lib, options, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toSecret = name: { ... }@attrs: {
+          file = ./../../modules/secrets + "/${name}.age";
+        } // attrs;
+      in
+        lib.mapAttrs toSecret {
+          "restic-backup/boreal-credentials" = {};
+          "restic-backup/boreal-password" = {};
+
+          "users/alarsyo-hashed-password" = {};
+          "users/root-hashed-password" = {};
+        };
+  };
+}

hosts/poseidon/default.nix

@@ -12,6 +12,7 @@ in
       ./hardware-configuration.nix
 
       ./home.nix
+      ./secrets.nix
     ];
 
   # Use the GRUB 2 boot loader.

hosts/poseidon/secrets.nix

@@ -0,0 +1,16 @@
+{ config, lib, options, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toSecret = name: { ... }@attrs: {
+          file = ./../../modules/secrets + "/${name}.age";
+        } // attrs;
+      in
+        lib.mapAttrs toSecret {
+          "users/alarsyo-hashed-password" = {};
+          "users/root-hashed-password" = {};
+        };
+  };
+}

hosts/zephyrus/default.nix

@@ -3,14 +3,12 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, lib, pkgs, ... }:
-let
-  secrets = config.my.secrets;
-in
 {
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ./home.nix
+      ./secrets.nix
     ];
 
   boot.kernelPackages = pkgs.linuxPackages;
@@ -43,6 +41,39 @@ in
     tailscale.enable = true;
 
     pipewire.enable = true;
+
+    restic-backup = {
+      enable = true;
+      repo = "b2:zephyrus-backup";
+      passwordFile = config.age.secrets."restic-backup/zephyrus-password".path;
+      environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path;
+
+      timerConfig = {
+        OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day
+      };
+
+      paths = [
+        "/home/alarsyo"
+      ];
+      exclude = [
+        "/home/alarsyo/Downloads"
+
+        # Rust builds using half my storage capacity
+        "/home/alarsyo/**/target"
+        "/home/alarsyo/work/rust/build"
+
+        # don't backup nixpkgs
+        "/home/alarsyo/work/nixpkgs"
+
+        # C build crap
+        "*.a"
+        "*.o"
+        "*.so"
+
+        # ignore all dotfiles as .config and .cache can become quite big
+        "/home/alarsyo/.*"
+      ];
+    };
   };
 
   services = {
@@ -53,6 +84,11 @@ in
       };
     };
     fwupd.enable = true;
+    openssh = {
+      enable = true;
+      permitRootLogin = "no";
+      passwordAuthentication = false;
+    };
   };
   my.gui.enable = true;
 

hosts/zephyrus/hardware-configuration.nix

@@ -29,6 +29,7 @@ in
     { device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
       fsType = "btrfs";
       options = [ "subvol=@home" "compress=zstd" "noatime" ];
+      neededForBoot = true; # agenix needs my key for some root secrets
     };
 
   fileSystems."/nix" =

hosts/zephyrus/secrets.nix

@@ -0,0 +1,19 @@
+{ config, lib, options, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toSecret = name: { ... }@attrs: {
+          file = ./../../modules/secrets + "/${name}.age";
+        } // attrs;
+      in
+        lib.mapAttrs toSecret {
+          "restic-backup/zephyrus-credentials" = {};
+          "restic-backup/zephyrus-password" = {};
+
+          "users/alarsyo-hashed-password" = {};
+          "users/root-hashed-password" = {};
+        };
+  };
+}

modules/default.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./sddm.nix
+    ./secrets
     ./wakeonwlan.nix
   ];
 }

modules/secrets/default.nix

@@ -0,0 +1,9 @@
+{ config, lib, options, ... }:
+
+{
+  config.age = {
+    identityPaths = options.age.identityPaths.default ++ [
+      "/home/alarsyo/.ssh/id_ed25519"
+    ];
+  };
+}

modules/secrets/restic-backup/boreal-credentials.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro
+21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks
+-> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM
+ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg
+-> u5-grease
+MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm
+fg
+--- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw
+ŒÙúDíï°	´&…<QØ+¨úþ‹éJoTÇ;US9.©âu'v¸œ,‘Ä@“úÿQKcë‚ÛzÑ>v¢€ÃN1›±tòÚ8›w<˜Îò“w­°d<C2B0><64>>s:µG_øæÆšyø„u,þÅ%@J hñ"†Ev‡ÙX

modules/secrets/restic-backup/zephyrus-credentials.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZQuVNA KjrRurc5ztGrYO2wx0ToE8E4Yz2sbNwPi4zCGAJUK3k
++U1Ox1U4Z9ssleGchzMJGpQjFaRoqMYSLhKHXj1F2/U
+-> ssh-ed25519 k2gHjw W35K39F0sREO2igYKaa3zr1LKgF6xiU5YtMq3RYqkC4
+YJV8kdjMJSoRX7iLw2bQXET9zOudFuhZeHqPqHkNjuc
+-> (aAM-grease j{6WJ 3C&
+Pfh0krD/ClkQcByosGU3CxPivvPei5tXWZHh6odkWxn29iqsKT6L1ihEgYJDlopA
+8ODR4G4ax6ZY13O+qjc
+--- ugjGDcsxbwlKmTN+4lUyrhD6GJPl0qk4i+4OLS2NRP0
+]#z…ƒã‹p¢¶X7Ó™	¼1mê%wýFÒ
4õÒسÄcp+Q2¹ú“<C3BA>×ì¢pmxx>ňœ)Eô;~äî<>¢ÔsÆx[S$z¥¨&øžùrBSVÄz­ÿ÷þ\SXøærdö×\ÜóŠ5Tªfÿ|¿ô
+TÜ

modules/secrets/restic-backup/zephyrus-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZQuVNA H3/RLTRU8T3JY99f+b9xT5oIqPCDyxjRfFbJ7iR3/zE
+CTLpdnGapstc+/epugi1CxIZ3T7JZgE4Ew14B2WuanY
+-> ssh-ed25519 k2gHjw wEnvcV2UApJ1MMyIQgSSkF+zhG+fugEiCieCpPBdJyc
+polPsTGun9e6Bq6rogQBrmT32GQXiixxlKmuRpDDM0c
+-> Jt-grease rX6~
+RL6JmjlIQaG17HQQFY3hTYtTiL12Sr3RX/Scv6gO7gO8
+--- eUEOS9mtYxxW2bqzEpD+ZsyYjhHWCArPd2PiFn6wMF4
+ƒ*@ò-úñæÀ£’¬…9ÂÜpMDŸ¸™I{ázüke°K);‰ü+úU¥îñOZâ{ÙBSx’/ÑLI¡”G «9—‰	”þ1É:Yݽ°4x:K—f¹Žq‘ö9ï˜a¥Oº[jNåÇXq¡‘,âÏæZü=*˜'€'tׄƒÍ	
²ˆö¿!vWòÛ6n›†ÅéG&QwõÚG

modules/secrets/secrets.nix

@@ -0,0 +1,21 @@
+let
+  alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
+  users = [ alarsyo ];
+
+  boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
+  poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
+  zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
+
+  machines = [ boreal poseidon zephyrus ];
+
+  all = users ++ machines;
+in
+{
+  "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
+  "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
+  "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
+  "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
+
+  "users/root-hashed-password.age".publicKeys = machines;
+  "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
+}

overlays/i3status-rust/default.nix

@@ -10,6 +10,7 @@ final: prev:
     buildInputs = builtins.attrValues {
       inherit (final)
         dbus
+        lm_sensors
         openssl
         pulseaudio
       ;

pkgs/spot/default.nix

@@ -3,7 +3,7 @@
 , python3
 }:
 let
-  version = "2.10.3";
+  version = "2.10.4";
 in
 stdenv.mkDerivation {
   inherit version;
@@ -15,6 +15,6 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz";
-    sha256 = "sha256-iX6VSGFzdI8rZe7L2ZojS39od/IYboaNp6zlZxgEAZ8=";
+    sha256 = "sha256-6GKc22zOgwd4JpYM0B7OUhPar5ooPW9iqvaa+gYjR4o=";
   };
 }

poseidon.nix

@@ -5,6 +5,9 @@
     # Default configuration
     ./base
 
+    # Module definitions
+    ./modules
+
     # Service definitions
     ./services
 

secrets/borg-backup/default.nix

@@ -5,6 +5,5 @@ let
   ;
 in
 {
-  boreal-repo = fileContents ./boreal-repo.secret;
   poseidon-repo = fileContents ./poseidon-repo.secret;
 }

services/nginx.nix

@@ -44,7 +44,7 @@ in
 
     security.acme = {
       acceptTerms = true;
-      email = "antoine97.martin@gmail.com";
+      defaults.email = "antoine97.martin@gmail.com";
 
       certs =
         let

services/restic-backup.nix

@@ -11,7 +11,6 @@ let
   ;
 
   cfg = config.my.services.restic-backup;
-  secrets = config.my.secrets;
   excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
   makePruneOpts = pruneOpts:
     attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
@@ -62,6 +61,23 @@ in {
         monthly = 6;
       };
     };
+
+    passwordFile = mkOption {
+      type = types.str;
+      default = "/root/restic/password";
+    };
+
+    environmentFile = mkOption {
+      type = types.str;
+      default = "/root/restic/creds";
+    };
+
+    timerConfig = mkOption {
+      type = types.attrsOf types.str;
+      default = {
+        OnCalendar = "daily";
+      };
+    };
   };
 
   config = mkIf cfg.enable {
@@ -73,15 +89,13 @@ in {
       paths = cfg.paths;
 
       repository = cfg.repo;
-      passwordFile = "/root/restic/password";
-      environmentFile = "/root/restic/creds";
+      passwordFile = cfg.passwordFile;
+      environmentFile = cfg.environmentFile;
 
       extraBackupArgs = [ "--verbose=2" ]
                         ++ optional (builtins.length cfg.exclude != 0) excludeArg;
 
-      timerConfig = {
-        OnCalendar = "daily";
-      };
+      timerConfig = cfg.timerConfig;
 
       pruneOpts = makePruneOpts cfg.prune;
     };

zephyrus.nix

@@ -10,9 +10,6 @@
     # Service definitions
     ./services
 
-    # Configuration secrets
-    ./secrets
-
     # Host-specific config
     ./hosts/zephyrus
   ];