set secret via systemd to avoid users entirely

2025-01-14 14:56:41 +01:00 · 2025-01-14 14:56:41 +01:00 · 56690ad45f
commit 56690ad45f
parent 0fd416429e
2 changed files with 5 additions and 15 deletions
--- a/nixos/server/package-configs/mollysocket/default.nix
+++ b/nixos/server/package-configs/mollysocket/default.nix
@ -1,26 +1,16 @@
-{config, ...}: let
-  mollySocketUser = "mollysocket";
-in {
+{config, ...}: {
  sops.secrets."mollysocket-vapid-key".mode = "0440";
-  sops.secrets."mollysocket-vapid-key" = {
-    owner = mollySocketUser;
-    group = mollySocketUser;
-  };

  services.mollysocket = {
    enable = true;
+    environmentFile = config.sops.secrets."mollysocket-vapid-key".path;
    settings = {
      port = 4381;
-      vapid_key_file = config.sops.secrets."mollysocket-vapid-key".path;
      allowed_endpoints = ["molly.gladtherescake.eu" "nextcloud.gladtherescake.eu"];
      allowed_uuids = ["*"];
      webserver = true;
    };
  };
-  systemd.services.mollysocket.serviceConfig = {
-    User = mollySocketUser;
-    Group = mollySocketUser;
-  };
  services.nginx = {
    virtualHosts = {
      "molly.gladtherescake.eu" = {