get rid of files.nix; ACME/credentialsFile and other cleanup

configuration.nix

@@ -13,6 +13,8 @@
 
   fileSystems."/".options = [ "noatime" ];
 
+  services.selfprivacy-api.enable = true;
+
   services.redis.servers.sp-api = {
     enable = true;
     save = [
@@ -36,6 +38,7 @@
   boot.cleanTmpDir = true;
   networking = {
     hostName = config.selfprivacy.hostname;
+    domain = config.selfprivacy.domain;
     usePredictableInterfaceNames = false;
     firewall = {
       allowedTCPPorts = lib.mkForce [ 22 25 80 143 443 465 587 993 4443 8443 ];
@@ -69,6 +72,10 @@
     DOMAIN = config.selfprivacy.domain;
   };
   documentation.enable = false; # no {man,info}-pages & docs, etc to save space
+  systemd.tmpfiles.rules = [
+    "# Completely remove remnants of NIXOS_LUSTRATE."
+    "R! /old-root"
+  ];
   system.autoUpgrade = {
     enable = config.selfprivacy.autoUpgrade.enable;
     allowReboot = config.selfprivacy.autoUpgrade.allowReboot;

files.nix

@@ -1,46 +0,0 @@
-nixos-config-source: { config, pkgs, ... }:
-let
-  cfg = config.selfprivacy;
-  dnsCredentialsTemplates = {
-    DIGITALOCEAN = "DO_AUTH_TOKEN=REPLACEME";
-    CLOUDFLARE = ''
-      CF_API_KEY=REPLACEME
-      CLOUDFLARE_DNS_API_TOKEN=REPLACEME
-      CLOUDFLARE_ZONE_API_TOKEN=REPLACEME
-    '';
-    DESEC = "DESEC_TOKEN=REPLACEME";
-  };
-  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
-in
-{
-  systemd.tmpfiles.rules =
-    let
-      domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
-    in
-    [
-      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
-    ];
-  system.activationScripts =
-    let
-      jq = "${pkgs.jq}/bin/jq";
-      sed = "${pkgs.gnused}/bin/sed";
-    in
-    {
-      nixos-lustrate = ''
-        rm -rf /old-root
-      '';
-      selfprivacy-nixos-configuration-source = ''
-        rm -rf /etc/nixos/{*,.[!.]*}
-        cp -r --no-preserve=all ${nixos-config-source}/ -T /etc/nixos/
-      '';
-      cloudflareCredentials = ''
-        mkdir -p /var/lib/cloudflare
-        chmod 0440 /var/lib/cloudflare
-        chown nginx:acmereceivers /var/lib/cloudflare
-        echo '${dnsCredentialsTemplate}' > /var/lib/cloudflare/Credentials.ini
-        ${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.dns.apiKey')/g" /var/lib/cloudflare/Credentials.ini
-        chmod 0440 /var/lib/cloudflare/Credentials.ini
-        chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
-      '';
-    };
-}

flake.lock

@@ -28,11 +28,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702381323,
+        "lastModified": 1702870693,
-        "narHash": "sha256-jPDDlY2thQgJqY8I3Ef3QeojHci7UikMjMVZ5P7pjt4=",
+        "narHash": "sha256-ZtoeXTzQ52wn8chX/0PsLCFuc32m5zpDJpPdpWlrxwU=",
         "ref": "userdata",
-        "rev": "2bdb73d348d1a8b85a71aa480ab1c08fafb2c9ba",
+        "rev": "789a1c579c5c8f2431cff2baed45713ab791ca7c",
-        "revCount": 1044,
+        "revCount": 1046,
         "type": "git",
         "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
       },

flake.nix

@@ -24,20 +24,28 @@
             hardware-configuration
             deployment
             ./configuration.nix
-            (import ./files.nix top-level-flake.outPath)
             selfprivacy-api.nixosModules.default
             {
               # pass userdata (parsed from JSON) options to selfprivacy module
               selfprivacy = userdata;
+
               # embed top-level flake source folder into the build
               environment.etc."selfprivacy/nixos-config-source".source =
-                top-level-flake.outPath;
+                top-level-flake;
+
               # for running "nix search nixpkgs", etc
               nix.registry.nixpkgs.flake = nixpkgs;
+
               # embed commit sha1 for `nixos-version --configuration-revision`
               system.configurationRevision = self.rev
                 or "@${self.lastModifiedDate}"; # for development
               # TODO assertion to forbid dirty builds caused by top-level-flake
+
+              # reset contents of /etc/nixos to match running NixOS generation
+              system.activationScripts.selfprivacy-nixos-config-source = ''
+                rm -rf /etc/nixos/{*,.[!.]*}
+                cp -r --no-preserve=all ${top-level-flake}/ -T /etc/nixos/
+              '';
             }
           ]
           ++

letsencrypt/acme.nix

@@ -1,6 +1,18 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.selfprivacy;
+  dnsCredentialsTemplates = {
+    DIGITALOCEAN = "DO_AUTH_TOKEN=$TOKEN";
+    CLOUDFLARE = ''
+      CF_API_KEY=$TOKEN
+      CLOUDFLARE_DNS_API_TOKEN=$TOKEN
+      CLOUDFLARE_ZONE_API_TOKEN=$TOKEN
+    '';
+    DESEC = "DESEC_TOKEN=$TOKEN";
+  };
+  dnsCredentialsTemplate = dnsCredentialsTemplates.${cfg.dns.provider};
+  acme-env-filepath = "/var/lib/selfprivacy/acme-env";
+  secrets-filepath = "/etc/selfprivacy/secrets.json";
 in
 {
   users.groups.acmereceivers.members = [ "nginx" ];
@@ -18,8 +30,26 @@ in
         extraDomainNames = [ "${cfg.domain}" ];
         group = "acmereceivers";
         dnsProvider = lib.strings.toLower cfg.dns.provider;
-        credentialsFile = "/var/lib/cloudflare/Credentials.ini";
+        credentialsFile = acme-env-filepath;
       };
     };
   };
+  systemd.services.acme-secrets = {
+    before = [ "acme-${cfg.domain}.service" ];
+    requiredBy = [ "acme-${cfg.domain}.service" ];
+    serviceConfig.Type = "oneshot";
+    path = with pkgs; [ coreutils jq ];
+    script = ''
+      set -o nounset
+
+      TOKEN="$(jq -re '.dns.apiKey' ${secrets-filepath})"
+      filecontents=$(cat <<- EOF
+      ${dnsCredentialsTemplate}
+      EOF
+      )
+
+      install -m 0440 -o root -g acmereceivers -DT \
+      <(printf "%s\n" "$filecontents") ${acme-env-filepath}
+    '';
+  };
 }

selfprivacy-module.nix

@@ -12,7 +12,8 @@ with lib;
       description = ''
         Domain used by the server
       '';
-      type = types.nullOr types.str;
+      # see: https://regexr.com/7p7ep, https://stackoverflow.com/a/26987741
+      type = lib.types.strMatching ''^(xn--)?[a-z0-9][a-z0-9_-]{0,61}[a-z0-9]{0,1}\.(xn--)?([a-z0-9\-]{1,61}|[a-z0-9-]{1,30}\.[a-z]{2,})$'';
     };
     timezone = mkOption {
       description = ''
@@ -33,13 +34,6 @@ with lib;
         type = types.nullOr types.bool;
       };
     };
-    stateVersion = mkOption {
-      description = ''
-        State version of the server
-      '';
-      type = types.str;
-      default = "22.11";
-    };
     ########################
     # Server admin options #
     ########################
@@ -62,27 +56,8 @@ with lib;
       type = types.nullOr (types.listOf types.str);
       default = [ ];
     };
-    ###############
-    # API options #
-    ###############
-    api = {
-      enableSwagger = mkOption {
-        default = true;
-        description = ''
-          Enable Swagger UI
-        '';
-        type = types.bool;
-      };
-      skippedMigrations = mkOption {
-        default = [ ];
-        description = ''
-          List of migrations that should be skipped
-        '';
-        type = types.listOf types.str;
-      };
-    };
     #############
-    #  Secrets  #
+    #    DNS    #
     #############
     dns = {
       provider = mkOption {
@@ -95,17 +70,10 @@ with lib;
         default = false;
       };
     };
-    backup = {
-      bucket = mkOption {
-        description = "Bucket name used for userdata backups";
-        type = types.nullOr types.str;
-        default = "";
-      };
-    };
     server = {
       provider = mkOption {
         description = "Server provider that was defined at the initial setup process.";
-        type = types.nullOr types.str;
+        type = types.str;
       };
     };
     #########