fix: remove dependence on secrets.json in most modules (#170)

VaultWarden reads admin token from secrets.json too, but it will not error out if it's not set and it is not set by infect. Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/170 Reviewed-by: Inex Code <inex.code@selfprivacy.org> Co-authored-by: nhnn <nhnn@nhnn.dev> Co-committed-by: nhnn <nhnn@nhnn.dev>
2025-09-02 15:13:17 +03:00
parent 59806327d1
commit 522dfa8dde
5 changed files with 6 additions and 38 deletions
--- a/sp-modules/nextcloud/common.nix
+++ b/sp-modules/nextcloud/common.nix
@@ -1,8 +1,6 @@
 config: rec {
  sp = config.selfprivacy;
  domain = sp.domain;
  secrets-filepath = "/etc/selfprivacy/secrets.json";
  db-pass-filepath = "/var/lib/nextcloud/db-pass";
  admin-pass-filepath = "/var/lib/nextcloud/admin-pass";
  override-config-fp = "/var/lib/nextcloud/config/override.config.php";
 }
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
@@ -7,10 +7,8 @@
 let
  inherit (import ./common.nix config)
    admin-pass-filepath
    db-pass-filepath
    domain
    override-config-fp
    secrets-filepath
    sp
    ;
@@ -184,19 +182,13 @@ in
              serviceConfig.Type = "oneshot";
              path = with pkgs; [
                coreutils
                jq
              ];
              script = ''
-                databasePassword=$(jq -re '.modules.nextcloud.databasePassword' ${secrets-filepath})
+                if [ ! -f "${admin-pass-filepath}" ]; then
-                adminPassword=$(jq -re '.modules.nextcloud.adminPassword' ${secrets-filepath})
+                  cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 32 > ${admin-pass-filepath}
-
+                  chown nextcloud:nextcloud ${admin-pass-filepath}
-                install -C -m 0440 -o nextcloud -g nextcloud -DT \
+                  chmod 440 ${admin-pass-filepath}
-                <(printf "%s\n" "$databasePassword") \
+                fi
                ${db-pass-filepath}
                install -C -m 0440 -o nextcloud -g nextcloud -DT \
                <(printf "%s\n" "$adminPassword") \
                ${admin-pass-filepath}
              '';
            };
          };
@@ -252,7 +244,6 @@ in
            dbtype = "sqlite";
            dbuser = "nextcloud";
            dbname = "nextcloud";
            dbpassFile = db-pass-filepath;
            # TODO review whether admin user is needed at all - admin group works
            adminpassFile = admin-pass-filepath;
            adminuser = "admin";
--- a/sp-modules/pleroma/cleanup-module.nix
+++ b/sp-modules/pleroma/cleanup-module.nix
@@ -1,12 +0,0 @@
 { config, lib, ... }:
 let
  inherit (import ./common.nix config) secrets-exs sp;
 in
 # FIXME do we really want to delete passwords on module deactivation!?
 {
  config = lib.mkIf (!sp.modules.pleroma.enable) {
    system.activationScripts.pleroma = lib.trivial.warn ("pleroma service is disabled, ${secrets-exs} will be removed!") ''
      rm -f -v ${secrets-exs}
    '';
  };
 }
--- a/sp-modules/pleroma/common.nix
+++ b/sp-modules/pleroma/common.nix
@@ -1,4 +0,0 @@
 config: {
  sp = config.selfprivacy;
  secrets-exs = "/var/lib/pleroma/secrets.exs";
 }
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@@ -5,9 +5,8 @@
  ...
 }:
 let
  secrets-filepath = "/etc/selfprivacy/secrets.json";
  cfg = config.selfprivacy.modules.pleroma;
-  inherit (import ./common.nix config) secrets-exs sp;
+  sp = config.selfprivacy;
 in
 {
  options.selfprivacy.modules.pleroma = {
@@ -106,16 +105,12 @@ in
          serviceConfig.Type = "oneshot";
          path = with pkgs; [
            coreutils
            jq
          ];
          script = ''
            set -o nounset
            password="$(jq -re '.databasePassword' ${secrets-filepath})"
            filecontents=$(cat <<- EOF
            import Config
            config :pleroma, Pleroma.Repo,
              password: "$password"
            EOF
            )