services: move all secrets into /media/secrets

moves all secrets into one centralised location in /media/secrets and uses systemd-tmpfiles to set the appropriate permissions for them
2026-02-15 22:58:48 +11:00 · 2026-02-15 22:58:48 +11:00 · 93f912d548
commit 93f912d548
parent 0dc8c93281
6 changed files with 35 additions and 5 deletions
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@ -33,6 +33,8 @@
    security.acme = {
      acceptTerms = true;
      defaults.email = "hello@astolfo.org";
+      defaults.environmentFile = /media/secrets/acme;
+      defaults.profile = "shortlived";

      certs."${config.homelab.domain}" = {
        group = config.services.caddy.group;
@ -42,8 +44,11 @@
        dnsProvider = "cloudflare";
        dnsResolver = "1.1.1.1:53";
        dnsPropagationCheck = true;
-        environmentFile = /var/lib/caddy/secret;
      };
    };
+
+    systemd.tmpfiles.rules = [
+      "f /media/secrets/acme 0400 acme acme"
+    ];
  };
 }