authormakefu <github@syntax-fehler.de>2015-10-29 10:55:54 +0100
committermakefu <github@syntax-fehler.de>2015-10-29 10:55:54 +0100
commit6410fd0f8557658fa5e180844def32f8bda7313d (patch)
tree8266ef1e81f57ee4565987dd1c285cd9b8510342 /makefu/2configs/bepasty-dual.nix
parent8bc538b9e7bdf6fa9d93d1662ee1b889e0a5d458 (diff)
m 2 *: s,/root/secrets,<secrets>,
Diffstat (limited to 'makefu/2configs/bepasty-dual.nix')
-rw-r--r--makefu/2configs/bepasty-dual.nix14
1 files changed, 9 insertions, 5 deletions
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index fb170957..123ae3cf 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -11,7 +11,11 @@
# bepasty-secret.nix <- contains single string
with lib;
-{
+let
+ sec = toString <secrets>;
+ # secKey is nothing worth protecting on a local machine
+ secKey = import <secrets/bepasty-secret.nix>;
+in {
krebs.nginx.enable = mkDefault true;
krebs.bepasty = {
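Review bot: The comment on `secKey` justifies importing the key only for a local machine, but the later hunks assign the same `secKey` to the `external` instance as well as the internal one, so the stated rationale does not cover every use. Because `import` pulls the string into the evaluated configuration, the key will presumably be written into generated bepasty configuration under the Nix store, where any local user can read it; a comment such as `# imported at eval time, so it may land in the world-readable store; also used by the external instance` would make that trade-off explicit. By contrast, `sec = toString <secrets>;` keeps the directory as a plain string, so the certificate key is referenced by path rather than copied into the store. A short comment that the `toString` is deliberate would stop someone replacing it with a direct path interpolation. The attribute set opened by `in {` continues beyond this hunk.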
@@ -24,7 +28,7 @@ with lib;
server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
- secretKey = import <secrets/bepasty-secret.nix>;
+ secretKey = secKey;
};
external = {
@@ -33,8 +37,8 @@ with lib;
extraConfig = ''
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
- ssl_certificate /root/secrets/wildcard.krebsco.de.crt;
- ssl_certificate_key /root/secrets/wildcard.krebsco.de.key;
+ ssl_certificate ${sec}/wildcard.krebsco.de.crt;
+ ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off;
proxy_ssl_session_reuse off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
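Review bot: `${sec}` expands to wherever `<secrets>` resolves on the machine that evaluates this file, whereas nginx opens `ssl_certificate_key` at runtime on the host it serves; the old literal `/root/secrets/...` did not depend on the evaluator's search path. If evaluation and deployment can ever happen on different hosts the two locations must agree, so a comment beside these lines such as `# resolved at eval time; must exist on the target host, readable only by root and nginx` would record the assumption. Separately, the unchanged `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line still enables TLS 1.0 and 1.1, which have since been deprecated, and could be narrowed when this block is next touched. The `extraConfig` string ends outside this hunk.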
@@ -45,7 +49,7 @@ with lib;
}'';
};
defaultPermissions = "read";
- secretKey = import <secrets/bepasty-secret.nix>;
+ secretKey = secKey;
};
};
};