authormakefu <github@syntax-fehler.de>2023-07-02 16:14:25 +0200
committermakefu <github@syntax-fehler.de>2023-07-02 16:14:25 +0200
commite81743806c88eef836efc43631b0c2b79e789ac7 (patch)
tree761327fa747b73d1853f9057ffcf11dcc78c9edf
parent777a2fe7347e55450c63170db336cbe8518961bd (diff)
bgt/hidden_service: rewrite to use sops
-rw-r--r--2configs/bgt/hidden_service.nix37
1 files changed, 11 insertions, 26 deletions
diff --git a/2configs/bgt/hidden_service.nix b/2configs/bgt/hidden_service.nix
index 56d319e39..5c997336d 100644
--- a/2configs/bgt/hidden_service.nix
+++ b/2configs/bgt/hidden_service.nix
@@ -3,35 +3,20 @@
with lib;
let
name = "bgt_cyberwar_hidden_service";
- sec = (toString <secrets>) + "/";
- secdir = sec + name;
srvdir = "/var/lib/tor/onion/";
- basedir = srvdir + name;
- hn = builtins.readFile (secdir + "/hostname");
in
-{
- systemd.services.prepare-hidden-service = {
- wantedBy = [ "local-fs.target" ];
- before = [ "tor.service" ];
- serviceConfig = {
- ExecStart = pkgs.writeScript "prepare-euer-blog-service" ''
- #!/bin/sh
- set -euf
- if ! test -d "${basedir}" ;then
- mkdir -p "${srvdir}"
- cp -r "${secdir}" "${srvdir}"
- chown -R tor:tor "${srvdir}"
- chmod -R 700 "${basedir}"
- else
- echo "not overwriting ${basedir}"
- fi
- '';
- Type = "oneshot";
- RemainAfterExit = "yes";
- TimeoutSec = "0";
- };
+ {
+ sops.secrets."bgt_cyberwar_hidden_service/private_key" = {
+ path = "${srvdir}/${name}/private_key";
+ owner = "tor";
+ restartUnits = [ "tor.service" ];
};
- services.nginx.virtualHosts."${hn}".locations."/" = {
+ sops.secrets."bgt_cyberwar_hidden_service/hostname" = {
+ path = "${srvdir}/${name}/hostname";
+ owner = "tor";
+ restartUnits = [ "tor.service" ];
+ };
+ services.nginx.virtualHosts."cyberwar62fmmhe4.onion".locations."/" = {
proxyPass = "https://blog.binaergewitter.de";
extraConfig = ''
proxy_set_header Host blog.binaergewitter.de;
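Review bot: The new `path` values on L51 and L57 produce a doubled slash, because `srvdir` keeps its trailing `/` (L24) and the interpolation inserts another one, giving `/var/lib/tor/onion//bgt_cyberwar_hidden_service/...`; either drop the trailing slash from `srvdir` or write `path = "${srvdir}${name}/private_key";` and `path = "${srvdir}${name}/hostname";`. The removed script also enforced `chmod -R 700` on the service directory, which tor requires before it will load a HiddenServiceDir; the sops declarations only set `owner = "tor"` and say nothing about the directory sops-nix creates, so it is worth confirming that `/var/lib/tor/onion/bgt_cyberwar_hidden_service` ends up tor-owned with a mode tor accepts rather than relying on the module default. The secret names on L50 and L56 repeat the literal `bgt_cyberwar_hidden_service` although `name` holds the same string, so `"${name}/private_key"` would keep them from drifting. The nginx vhost on L61 now hardcodes `cyberwar62fmmhe4.onion` while the hostname also lives in the sops secret, so the two can diverge silently; a comment such as `# must match the hostname secret deployed above` would at least flag the coupling. The 16-character address and the `private_key` filename look like a v2 onion service, which current tor releases no longer serve, so please confirm the unit actually comes up after this change.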