From 113403b9cc88f240ac023c9f62727aabf434b631 Mon Sep 17 00:00:00 2001
From: Yan Lin
Date: Wed, 19 Nov 2025 11:05:10 +0100
Subject: [PATCH] remove hardcode credentials
---
 hosts/nixos/hs/system.nix | 1 -
 modules/dufs.nix | 14 +++++---------
 modules/traefik.nix | 23 +++++------------------
 3 files changed, 10 insertions(+), 28 deletions(-)
diff --git a/hosts/nixos/hs/system.nix b/hosts/nixos/hs/system.nix
index 2e6d20a..84a60c5 100644
--- a/hosts/nixos/hs/system.nix
+++ b/hosts/nixos/hs/system.nix
@@ -267,7 +267,6 @@
 services.dufs = {
 sharedPath = "/mnt/storage/Media";
 port = 5099;
- auth = "yanlin:jbaRRsciNUXTRqswdggKPICG27TNvyTRUfod2RBD";
 };
 }
diff --git a/modules/dufs.nix b/modules/dufs.nix
index e9a67ee..40ae2e1 100644
--- a/modules/dufs.nix
+++ b/modules/dufs.nix
@@ -2,6 +2,7 @@
 let
 cfg = config.services.dufs;
+ authFile = "/etc/dufs-auth";
 in
 {
 options.services.dufs = {
@@ -17,13 +18,6 @@ in
 default = 5099;
 description = "Port to listen on";
 };
-
- auth = lib.mkOption {
- type = lib.types.nullOr lib.types.str;
- default = null;
- description = "Basic authentication in format 'username:password'. Will be automatically formatted for dufs.";
- example = "admin:secret123";
- };
 };
 config = lib.mkIf (cfg.sharedPath != null) {
@@ -31,6 +25,9 @@ in
 environment.systemPackages = [ pkgs.dufs ];
 # Create systemd service
+ # NOTE: Authentication credentials must be manually created in /etc/dufs-auth
+ # The file should contain a single line in format: username:password
+ # Make sure to set permissions: chmod 600 /etc/dufs-auth
 systemd.services.dufs = {
 description = "Dufs WebDAV File Server";
 wantedBy = [ "multi-user.target" ];
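Review bot: `authFile = "/etc/dufs-auth";` in the `let` block pins the credential path for every host that imports the module, whereas the `auth` option it replaces (removed in the second hunk of this file) was settable per host; keeping it an option preserves that, e.g. `authFile = lib.mkOption { type = lib.types.path; default = "/etc/dufs-auth"; description = "File holding one 'username:password' line, root-owned, mode 0600."; };` with `cfg.authFile` used in the unit. Any host that still sets `services.dufs.auth` now fails evaluation with an "option does not exist" error; adding `(lib.mkRemovedOptionModule [ "services" "dufs" "auth" ] "Put the credential in the file named by services.dufs.authFile instead.")` to the module's `imports` turns that into a clear message. The `# NOTE:` comment added in the third hunk spells out the literal path twice; if the path stays in `authFile`, the comment should name that binding so the two cannot drift apart.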
@@ -39,8 +36,7 @@ in
 serviceConfig = {
 Type = "simple";
 User = "root"; # Run as root to access any system path
- ExecStart = "${pkgs.dufs}/bin/dufs ${cfg.sharedPath} --port ${toString cfg.port} --bind 0.0.0.0"
- + lib.optionalString (cfg.auth != null) " --auth ${cfg.auth}@/:rw";
+ ExecStart = "${pkgs.dufs}/bin/dufs ${cfg.sharedPath} --port ${toString cfg.port} --bind 0.0.0.0 --auth $(cat ${authFile})@/:rw";
 Restart = "on-failure";
 RestartSec = "10s";
 };
diff --git a/modules/traefik.nix b/modules/traefik.nix
index fa38f09..c84e411 100644
--- a/modules/traefik.nix
+++ b/modules/traefik.nix
@@ -77,22 +77,9 @@
 BindPaths = [ "/run/podman/podman.sock:/var/run/docker.sock" ];
 };
- # Create environment file for Traefik Cloudflare credentials
- systemd.services.traefik-env-setup = {
- description = "Setup Traefik environment file";
- before = [ "traefik.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- mkdir -p /run/secrets
- cat > /run/secrets/traefik-env << 'EOF'
- CF_API_EMAIL=cloudflare@yanlincs.com
- CF_DNS_API_TOKEN=JtIInpXOB8NIDGuYvjyV6kLCysN0mb7MKvryuya-
- EOF
- chmod 600 /run/secrets/traefik-env
- '';
- };
+ # NOTE: Cloudflare credentials must be manually created in /run/secrets/traefik-env
+ # The file should contain:
+ # CF_API_EMAIL=your-email@example.com
+ # CF_DNS_API_TOKEN=your-cloudflare-api-token
+ # Make sure to set permissions: chmod 600 /run/secrets/traefik-env
 }
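Review bot: The new `ExecStart` depends on `$(cat ${authFile})` being evaluated, but systemd does not run `ExecStart` through a shell — it only does `$VAR` environment expansion and word splitting — so dufs is started with the literal arguments `--auth`, `$(cat` and `/etc/dufs-auth)@/:rw` and the credential file is never read; the removed `lib.optionalString` form at least produced a well-formed command line. The read has to happen inside a script, and handing the file to the unit with `LoadCredential` instead of having the root-owned unit open `/etc/dufs-auth` directly makes the unit's access to the secret explicit (rewritten `serviceConfig` below, using the bash `$(< file)` builtin so no extra package is needed on the unit's PATH). Even with that, the `username:password` string sits in the process argv, which every local user can read from /proc; if the dufs build in use also accepts this option from an environment variable, exporting it inside the wrapper instead would keep it out of argv — worth checking against the dufs version pinned here. The enclosing `config = lib.mkIf …` block starts outside this hunk.
```nix
        serviceConfig = {
          Type = "simple";
          User = "root"; # Run as root to access any system path
          # systemd does not shell-expand ExecStart, so the credential file is
          # passed in via LoadCredential and read inside a small wrapper script.
          LoadCredential = [ "dufs-auth:${authFile}" ];
          ExecStart = pkgs.writeShellScript "dufs-start" ''
            exec ${pkgs.dufs}/bin/dufs ${cfg.sharedPath} --port ${toString cfg.port} --bind 0.0.0.0 \
              --auth "$(< "$CREDENTIALS_DIRECTORY/dufs-auth")@/:rw"
          '';
          # … unchanged: Restart / RestartSec …
        };
```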
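Review bot: The replacement comment asks the operator to create `/run/secrets/traefik-env` by hand, but on a default NixOS system `/run` is a tmpfs, so a hand-written file is gone after the next boot — the deleted `traefik-env-setup` oneshot recreated it on every boot, which the manual step does not, and unless the unit's `EnvironmentFile` entry (outside this hunk) is prefixed with `-`, traefik will fail to start after a reboot. Pointing the comment (and the `EnvironmentFile` line) at a persistent root-only location, for example `/etc/traefik/env`, avoids that, and the comment should also say the file must be root-owned before traefik starts since the old unit set the mode itself. Separately, this commit only removes the values from the tree: the Cloudflare API token deleted here and the dufs `username:password` deleted in the `hosts/nixos/hs/system.nix` hunk remain in the repository history, so both should be treated as exposed and rotated, and the commit message should record that rotation.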