many changes, hopefully 100% pure now

services/mailserver.nix

@@ -1,4 +1,6 @@
 {config, ...}: {
+  age.secrets."bind_pw".file = ../secrets/bind_pw;
+
   mailserver = {
     stateVersion = 3;
     enable = true;

services/prosody.nix

@@ -3,7 +3,7 @@
   config,
   ...
 }: {
-  age.secrets."bind_pw".file = ../secrets/bind_pw;
+  age.secrets."prosody.env".file = ../secrets/prosody.env;
 
   services = {
     prosody = {
@@ -30,7 +30,7 @@
         ldap_base = "ou=people,dc=distrust,dc=network"
         ldap_server = "localhost:3890"
         ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
-        ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
+        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
       '';
     };
     caddy.virtualHosts."distrust.network".extraConfig = ''
@@ -72,9 +72,6 @@
   networking.firewall.allowedTCPPorts = [5222 5269 5281 5000];
 
   systemd.services.caddy.serviceConfig.SupplementaryGroups = ["acme"];
-  systemd.services.prosody = {
-    #  requires = [ "acme-order-renew-chat.distrust.network.service" ];
-    #  after = [ "acme-order-renew-chat.distrust.network.service" ];
-    serviceConfig.SupplementaryGroups = ["acme"];
-  };
+  systemd.services.prosody.serviceConfig.SupplementaryGroups = ["acme"];
+  systemd.services.prosody.serviceConfig.EnvironmentFile = config.age.secrets."prosody.env".path;
 }