remove hardcode credentials

This commit is contained in:
Yan Lin 2025-11-19 11:05:10 +01:00
parent e6804624b5
commit 113403b9cc
3 changed files with 10 additions and 28 deletions


@ -267,7 +267,6 @@
services.dufs = { services.dufs = {
sharedPath = "/mnt/storage/Media"; sharedPath = "/mnt/storage/Media";
port = 5099; port = 5099;
auth = "yanlin:jbaRRsciNUXTRqswdggKPICG27TNvyTRUfod2RBD";
}; };
} }


@ -2,6 +2,7 @@
let let
cfg = config.services.dufs; cfg = config.services.dufs;
authFile = "/etc/dufs-auth";
in in
{ {
options.services.dufs = { options.services.dufs = {
@ -17,13 +18,6 @@ in
default = 5099; default = 5099;
description = "Port to listen on"; description = "Port to listen on";
}; };
auth = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Basic authentication in format 'username:password'. Will be automatically formatted for dufs.";
example = "admin:secret123";
};
}; };
config = lib.mkIf (cfg.sharedPath != null) { config = lib.mkIf (cfg.sharedPath != null) {
@ -31,6 +25,9 @@ in
environment.systemPackages = [ pkgs.dufs ]; environment.systemPackages = [ pkgs.dufs ];
# Create systemd service # Create systemd service
# NOTE: Authentication credentials must be manually created in /etc/dufs-auth
# The file should contain a single line in format: username:password
# Make sure to set permissions: chmod 600 /etc/dufs-auth
systemd.services.dufs = { systemd.services.dufs = {
description = "Dufs WebDAV File Server"; description = "Dufs WebDAV File Server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -39,8 +36,7 @@ in
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
User = "root"; # Run as root to access any system path User = "root"; # Run as root to access any system path
ExecStart = "${pkgs.dufs}/bin/dufs ${cfg.sharedPath} --port ${toString cfg.port} --bind 0.0.0.0" ExecStart = "${pkgs.dufs}/bin/dufs ${cfg.sharedPath} --port ${toString cfg.port} --bind 0.0.0.0 --auth $(cat ${authFile})@/:rw";
+ lib.optionalString (cfg.auth != null) " --auth ${cfg.auth}@/:rw";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
}; };
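Review bot: The rewritten ExecStart in the last hunk embeds `$(cat ${authFile})`, but systemd does not pass ExecStart through a shell, so no command substitution takes place and dufs receives the literal words `$(cat` and `/etc/dufs-auth)@/:rw` as its `--auth` argument instead of the file's contents. Reading the file requires a shell, so the invocation belongs in a `script` block (which replaces ExecStart in NixOS), and `LoadCredential` is the cleaner way to hand the unit the secret than relying on a mode-600 file in `/etc`; the rewritten lines are below. Even with that fix the credential still lands in the process command line, readable through `/proc/<pid>/cmdline` by other local users; if dufs can take its options from the environment (worth checking its documentation), passing auth that way would avoid it. Removing the `auth` option in the second hunk also makes authentication unconditional, so a host without `/etc/dufs-auth` now fails to start the service; the comment block added in the third hunk should say so. The enclosing module attrset starts before and ends after these hunks.
```nix
serviceConfig = {
  Type = "simple";
  User = "root"; # Run as root to access any system path
  # ExecStart is not shell-interpreted; systemd copies the auth file into
  # $CREDENTIALS_DIRECTORY and the script below reads it from there.
  LoadCredential = [ "dufs-auth:${authFile}" ];
  Restart = "on-failure";
  RestartSec = "10s";
};
script = ''
  exec ${pkgs.dufs}/bin/dufs ${cfg.sharedPath} --port ${toString cfg.port} --bind 0.0.0.0 \
    --auth "$(cat "$CREDENTIALS_DIRECTORY/dufs-auth")@/:rw"
'';
```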


@ -77,22 +77,9 @@
BindPaths = [ "/run/podman/podman.sock:/var/run/docker.sock" ]; BindPaths = [ "/run/podman/podman.sock:/var/run/docker.sock" ];
}; };
# Create environment file for Traefik Cloudflare credentials # NOTE: Cloudflare credentials must be manually created in /run/secrets/traefik-env
systemd.services.traefik-env-setup = { # The file should contain:
description = "Setup Traefik environment file"; # CF_API_EMAIL=your-email@example.com
before = [ "traefik.service" ]; # CF_DNS_API_TOKEN=your-cloudflare-api-token
wantedBy = [ "multi-user.target" ]; # Make sure to set permissions: chmod 600 /run/secrets/traefik-env
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p /run/secrets
cat > /run/secrets/traefik-env << 'EOF'
CF_API_EMAIL=cloudflare@yanlincs.com
CF_DNS_API_TOKEN=JtIInpXOB8NIDGuYvjyV6kLCysN0mb7MKvryuya-
EOF
chmod 600 /run/secrets/traefik-env
'';
};
} }
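Review bot: The five comment lines that replace the `traefik-env-setup` unit instruct the operator to create `/run/secrets/traefik-env` by hand, but on NixOS `/run` is normally a tmpfs, so a file written there manually is gone after a reboot and traefik would come up without its Cloudflare variables. Either point the comment at a persistent location with mode 600, or state that the path is expected to be populated at boot by a secrets tool, since the page does not show one being configured. The token deleted from the heredoc in this hunk and the dufs password removed in the first file are still present in repository history (the parent e6804624b5 contains both), so deleting them from the tree does not unexpose them; both should be treated as leaked and rotated, and a line such as `# Never commit the real token here; the previously committed value has been rotated.` would record that. The traefik unit that consumes this env file is outside the hunk, so whether it fails or silently starts without the variables cannot be told from here.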