get rid of files.nix; ACME/credentialsFile and other cleanup

letsencrypt/acme.nix

@@ -1,6 +1,18 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.selfprivacy;
+  dnsCredentialsTemplates = {
+    DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
+    CLOUDFLARE = ''
+      CF_API_KEY=$TOKEN
+      CLOUDFLARE_DNS_API_TOKEN=$TOKEN
+      CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
+    '';
+    DESEC = "DESEC_TOKEN=$TOKEN";
+  };
+  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
+  acme-env-filepath = "/var/lib/selfprivacy/acme-env";
+  secrets-filepath = "/etc/selfprivacy/secrets.json";
 in
 {
   users.groups.acmereceivers.members = [ "nginx" ];
@@ -18,8 +30,26 @@ in
         extraDomainNames = [ "${cfg.domain}" ];
         group = "acmereceivers";
         dnsProvider = lib.strings.toLower cfg.dns.provider;
-        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
+        credentialsFile = acme-env-filepath;
       };
     };
   };
+  systemd.services.acme-secrets = {
+    before = [ "acme-${cfg.domain}.service" ];
+    requiredBy = [ "acme-${cfg.domain}.service" ];
+    serviceConfig.Type = "oneshot";
+    path = with pkgs; [ coreutils jq ];
+    script = ''
+      set -o nounset
+
+      TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"
+      filecontents=$(cat <<- EOF
+      ${dnsCredentialsTemplate}
+      EOF
+      )
+
+      install -m 0440 -o root -g acmereceivers -DT \
+      <(printf "%s\n" "$filecontents") ${acme-env-filepath}
+    '';
+  };
 }