fix(esphome): secure dashboard with password

secrets/esphome/password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA uLCR0Zvyg977i434S/9gNQgJwxxB9h5VEweoLoLokjI
+YZoG0t/cZtbcRQCw1Xmb1liusNhvI98Et3D8l/PcSGo
+-> ssh-ed25519 72ij7w S2go+bzLLz0+b7hRvXHsWi9K7vP720Dlqz6BoFa48xw
+hqOtZhDTByyffHiR83DnJg4UwbavmDjg3xPD8awHsXE
+-> o2.MQQ-grease ;qEW KxG{ :bMg*Y
+
+--- PXilrtuv+2zysnIdq3AYNlmoFhm+9GyHenWoMih3jq8
+AAuÆн–<YDc8μí±ëºßˆ;—åA›<41>â‡fMèM§é9¨ô|Ç::[[e¼NÊô%x&„ͨj{²žò$KÆØõ

secrets/secrets.nix

@@ -37,4 +37,5 @@ in {
   # home-server
   "home-server/hostKey.age".publicKeys = [ felschr home-server ];
   "hass/secrets.age".publicKeys = [ felschr home-server ];
+  "esphome/password.age".publicKeys = [ felschr home-server ];
 }

services/esphome.nix

@@ -5,7 +5,10 @@ with pkgs;
 let
   port = 6052;
   inherit (config.services.home-assistant) configDir;
+  passwordFile = config.age.secrets.esphome-password.path;
 in {
+  age.secrets.esphome-password.file = ../secrets/esphome/password.age;
+
   services.nginx = {
     virtualHosts."esphome.felschr.com" = {
       enableACME = true;
@@ -21,12 +24,10 @@ in {
     description = "ESPHome";
     after = [ "network.target" ];
     wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      User = "hass";
-      Group = "hass";
-      Restart = "on-failure";
-      WorkingDirectory = configDir;
-      ExecStart = "${pkgs.esphome}/bin/esphome dashboard ${configDir}/esphome";
-    };
+    serviceConfig.LoadCredential = [ "password:${passwordFile}" ];
+    script = ''
+      password="$(<"$CREDENTIALS_DIRECTORY/password")"
+      ${pkgs.esphome}/bin/esphome dashboard ${configDir}/esphome --password "$password"
+    '';
   };
 }