refactor: implement intermediate mySecrets options

2026-02-16 21:32:30 -08:00 · 2026-02-16 21:32:30 -08:00 · 55876f2828
commit 55876f2828
parent d756f302d5
7 changed files with 50 additions and 27 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -9,6 +9,7 @@
    ./modules/matrix.nix
    ./modules/minecraft.nix
    ./modules/monitoring.nix
+    ./modules/secrets-scheme.nix
    # Impure Secrets
    ./secrets.nix
  ];
@ -56,5 +57,7 @@
  zramSwap.enable = true;
  zramSwap.memoryPercent = 50; 

-  # Secrets handled via ./secrets/secrets.nix import
+  # Secrets handled via ./secrets.nix importing to config.mySecrets
+  environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey;
+  services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
 }
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
@ -14,7 +14,8 @@
      };
      # You can configure SMTP here using secrets if needed
    };
-    # Secret for DB password set in secrets.nix
+    # Secret for DB password
+    settings.database.PASSWORD = config.mySecrets.forgejoDb;
  };

  services.postgresql = {
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -11,7 +11,12 @@
          implicit = false; # StartTLS usually on 587
        };
      };
-      # authentication.fallback-admin set in secrets.nix
+      
+      authentication.fallback-admin = {
+        user = "admin";
+        secret = config.mySecrets.stalwartAdmin;
+      };
+
      # Stalwart configuration is quite extensive. 
      # By default it listens on standard ports (25, 465, 587, 993, 4190)
      # and provides a web admin UI on 8080.
--- a/modules/minecraft.nix
+++ b/modules/minecraft.nix
@ -24,7 +24,7 @@
          simulation-distance = 10;
          max-players = 5;
          enable-rcon = true;
-          # "rcon.password" set in secrets.nix
+          "rcon.password" = config.mySecrets.minecraftRcon; 
        };
        jvmOpts = "-Xms2G -Xmx2500M -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
      };
--- a/modules/searx.nix
+++ b/modules/searx.nix
@ -3,12 +3,11 @@
 {
  services.searx = {
    enable = true;
-    # settings.server.secret_key set in secrets.nix
    settings = {
      server = {
        port = 8082;
        bind_address = "127.0.0.1";
-        # secret_key = ...; # Set via env var in file
+        secret_key = config.mySecrets.searxKey;
      };
    };
  };
--- a/modules/secrets-scheme.nix
+++ b/modules/secrets-scheme.nix
@ -0,0 +1,28 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  options.mySecrets = {
+    forgejoDb = mkOption {
+      type = types.str;
+      description = "Forgejo Database Password";
+    };
+    stalwartAdmin = mkOption {
+      type = types.str;
+      description = "Stalwart Mail Admin Password";
+    };
+    searxKey = mkOption {
+      type = types.str;
+      description = "Searx Secret Key";
+    };
+    minecraftRcon = mkOption {
+      type = types.str;
+      description = "Minecraft RCON Password";
+    };
+    tailscaleKey = mkOption {
+      type = types.str;
+      description = "Tailscale Auth Key";
+    };
+  };
+}
--- a/secrets.nix.example
+++ b/secrets.nix.example
@ -1,25 +1,12 @@
 { pkgs, config, lib, ... }:

 {
-  # Forgejo
-  services.forgejo.settings.database.PASSWORD = "changeme_forgejo_db";
-
-  # Stalwart Mail
-  services.stalwart.settings.authentication.fallback-admin.secret = "changeme_stalwart_admin";
-
-  # Searx
-  services.searx.settings.server.secret_key = "changeme_searx_secret";
-
-  # Minecraft RCON
-  services.minecraft-servers.servers.fabric.serverProperties."rcon.password" = "changeme_rcon";
-
-  # Tailscale Auth Key (needs to be a file for the service usually, or use pre-auth)
-  # For Tailscale, standard module uses 'authKeyFile'. 
-  # We can create a file in the store for it since this is an impure secrets file anyway.
-  
-  # For Tailscale, let's just write valid one-liner to a file via environment.etc if needed, 
-  # or use the 'authKey' option if available (it is not, usually).
-  # We will stick to environment.etc JUST for Tailscale or file-based secrets.
-  environment.etc."secrets/tailscale-auth".text = "tskey-auth-PLACEHOLDER";
-  services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
+  # Copy this file to secrets.nix and fill in real values
+  mySecrets = {
+    forgejoDb = "changeme_forgejo_db";
+    stalwartAdmin = "changeme_stalwart_admin";
+    searxKey = "changeme_searx_secret";
+    minecraftRcon = "changeme_rcon";
+    tailscaleKey = "tskey-auth-PLACEHOLDER";
+  };
 }