diff --git a/secrets/esphome/password.age b/secrets/esphome/password.age new file mode 100644 index 0000000..f019c65 --- /dev/null +++ b/secrets/esphome/password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 OAZQhA uLCR0Zvyg977i434S/9gNQgJwxxB9h5VEweoLoLokjI +YZoG0t/cZtbcRQCw1Xmb1liusNhvI98Et3D8l/PcSGo +-> ssh-ed25519 72ij7w S2go+bzLLz0+b7hRvXHsWi9K7vP720Dlqz6BoFa48xw +hqOtZhDTByyffHiR83DnJg4UwbavmDjg3xPD8awHsXE +-> o2.MQQ-grease ;qEW KxG{ :bMg*Y + +--- PXilrtuv+2zysnIdq3AYNlmoFhm+9GyHenWoMih3jq8 +AAuÆн–<YDc8μí±ëºßˆ;—åA›â‡fMèM§é9¨ô|Ç::[[e¼NÊô%x&„ͨj{²žò$KÆØõ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 7ad43a9..18a8b8d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -37,4 +37,5 @@ in { # home-server "home-server/hostKey.age".publicKeys = [ felschr home-server ]; "hass/secrets.age".publicKeys = [ felschr home-server ]; + "esphome/password.age".publicKeys = [ felschr home-server ]; } diff --git a/services/esphome.nix b/services/esphome.nix index d9066d1..f4480d4 100644 --- a/services/esphome.nix +++ b/services/esphome.nix @@ -5,7 +5,10 @@ with pkgs; let port = 6052; inherit (config.services.home-assistant) configDir; + passwordFile = config.age.secrets.esphome-password.path; in { + age.secrets.esphome-password.file = ../secrets/esphome/password.age; + services.nginx = { virtualHosts."esphome.felschr.com" = { enableACME = true; @@ -21,12 +24,10 @@ in { description = "ESPHome"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "hass"; - Group = "hass"; - Restart = "on-failure"; - WorkingDirectory = configDir; - ExecStart = "${pkgs.esphome}/bin/esphome dashboard ${configDir}/esphome"; - }; + serviceConfig.LoadCredential = [ "password:${passwordFile}" ]; + script = '' + password="$(<"$CREDENTIALS_DIRECTORY/password")" + ${pkgs.esphome}/bin/esphome dashboard ${configDir}/esphome --password "$password" + ''; }; }
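Review bot: Replacing the whole `serviceConfig = { … }` set with only `serviceConfig.LoadCredential` in the second services/esphome.nix hunk drops `User = "hass"`, `Group = "hass"`, `Restart` and `WorkingDirectory`, so unless they are set outside this hunk the dashboard that nginx publishes at esphome.felschr.com now runs as root. The removal looks like a side effect of moving to `script` rather than an intended change; keep those options and add `LoadCredential` next to them, which still works for an unprivileged unit because systemd reads the source file itself and exposes it through `$CREDENTIALS_DIRECTORY`. Separately, `--password "$password"` places the decrypted secret in the process argv, where other local users can read it from `/proc/<pid>/cmdline`; ESPHome's dashboard appears to accept the same value through the `PASSWORD` environment variable (confirm against the packaged version), which keeps it out of the process list. No `--username` is passed, so the login presumably expects an empty username, which is worth setting explicitly.

```nix
# … unchanged: description, after, wantedBy …
serviceConfig = {
  User = "hass";
  Group = "hass";
  Restart = "on-failure";
  WorkingDirectory = configDir;
  LoadCredential = [ "password:${passwordFile}" ];
};
script = ''
  # Pass the secret through the environment so it never appears in argv.
  export PASSWORD="$(<"$CREDENTIALS_DIRECTORY/password")"
  exec ${pkgs.esphome}/bin/esphome dashboard ${configDir}/esphome
'';
```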