refactor: implement intermediate mySecrets options

2026-02-16 21:32:30 -08:00 · 2026-02-16 21:32:30 -08:00 · 55876f2828
commit 55876f2828
parent d756f302d5
7 changed files with 50 additions and 27 deletions
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
@ -14,7 +14,8 @@
      };
      # You can configure SMTP here using secrets if needed
    };
-    # Secret for DB password set in secrets.nix
+    # Secret for DB password
+    settings.database.PASSWORD = config.mySecrets.forgejoDb;
  };

  services.postgresql = {
--- a/modules/mail.nix
+++ b/modules/mail.nix
@ -11,7 +11,12 @@
          implicit = false; # StartTLS usually on 587
        };
      };
-      # authentication.fallback-admin set in secrets.nix
+      
+      authentication.fallback-admin = {
+        user = "admin";
+        secret = config.mySecrets.stalwartAdmin;
+      };
+
      # Stalwart configuration is quite extensive. 
      # By default it listens on standard ports (25, 465, 587, 993, 4190)
      # and provides a web admin UI on 8080.
--- a/modules/minecraft.nix
+++ b/modules/minecraft.nix
@ -24,7 +24,7 @@
          simulation-distance = 10;
          max-players = 5;
          enable-rcon = true;
-          # "rcon.password" set in secrets.nix
+          "rcon.password" = config.mySecrets.minecraftRcon; 
        };
        jvmOpts = "-Xms2G -Xmx2500M -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
      };
--- a/modules/searx.nix
+++ b/modules/searx.nix
@ -3,12 +3,11 @@
 {
  services.searx = {
    enable = true;
-    # settings.server.secret_key set in secrets.nix
    settings = {
      server = {
        port = 8082;
        bind_address = "127.0.0.1";
-        # secret_key = ...; # Set via env var in file
+        secret_key = config.mySecrets.searxKey;
      };
    };
  };
--- a/modules/secrets-scheme.nix
+++ b/modules/secrets-scheme.nix
@ -0,0 +1,28 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  options.mySecrets = {
+    forgejoDb = mkOption {
+      type = types.str;
+      description = "Forgejo Database Password";
+    };
+    stalwartAdmin = mkOption {
+      type = types.str;
+      description = "Stalwart Mail Admin Password";
+    };
+    searxKey = mkOption {
+      type = types.str;
+      description = "Searx Secret Key";
+    };
+    minecraftRcon = mkOption {
+      type = types.str;
+      description = "Minecraft RCON Password";
+    };
+    tailscaleKey = mkOption {
+      type = types.str;
+      description = "Tailscale Auth Key";
+    };
+  };
+}