rfq: do not write email password to the Nix store

nixbld-etc-nixos/rfq/src/rfq/__init__.py

@@ -14,6 +14,13 @@ from werkzeug.middleware.proxy_fix import ProxyFix
 
 load_dotenv()
 
+mail_password_file = getenv("FLASK_MAIL_PASSWORD_FILE")
+if mail_password_file is not None:
+    with open(mail_password_file, "r") as f:
+        mail_password = f.read().strip()
+else:
+    mail_password = None
+
 app = Flask(__name__)
 app.config.update(
     DEBUG=getenv("FLASK_DEBUG") == "True",
@@ -22,7 +29,7 @@ app.config.update(
     MAIL_USE_SSL=getenv("FLASK_MAIL_USE_SSL"),
     MAIL_DEBUG=False,
     MAIL_USERNAME=getenv("FLASK_MAIL_USERNAME"),
-    MAIL_PASSWORD=getenv("FLASK_MAIL_PASSWORD"),
+    MAIL_PASSWORD=mail_password,
     MAIL_RECIPIENT=getenv("FLASK_MAIL_RECIPIENT"),
     MAIL_SENDER=getenv("FLASK_MAIL_SENDER")
 )

nixbld-etc-nixos/rfq/uwsgi-config.nix

@@ -11,7 +11,7 @@ in {
     "FLASK_MAIL_PORT=465"
     "FLASK_MAIL_USE_SSL=True"
     "FLASK_MAIL_USERNAME=sysop@m-labs.hk"
-    "FLASK_MAIL_PASSWORD=${import /etc/nixos/secret/sysop_password.nix}"
+    "FLASK_MAIL_PASSWORD_FILE=/etc/nixos/secret/rfqpassword"
     "FLASK_MAIL_RECIPIENT=sales@m-labs.hk"
     "FLASK_MAIL_SENDER=sysop@m-labs.hk"
   ];