feat: move to agenix secrets

2025-06-08 10:09:04 +02:00 · 2024-05-09 00:48:35 +02:00 · 2024-05-09 00:48:35 +02:00 · 8ee88f922c
commit 8ee88f922c
parent e392ca9001
11 changed files with 214 additions and 253 deletions
--- a/modules/buildbot/default.nix
+++ b/modules/buildbot/default.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, config, ... }:
 with lib;
 let
  cfg = config.luj.buildbot;
@ -14,12 +14,15 @@ in
    services.buildbot-nix.master = {
      enable = true;
      domain = "ci.julienmalka.me";
-      workersFile = config.sops.secrets.buildbot-nix-workers.path;
-      buildSystems = [ "x86_64-linux" "aarch64-linux" ];
+      workersFile = config.age.secrets.buildbot-nix-workers.path;
+      buildSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
      github = {
-        tokenFile = config.sops.secrets.github-token.path;
-        webhookSecretFile = config.sops.secrets.github-webhook-secret.path;
-        oauthSecretFile = config.sops.secrets.github-oauth-secret.path;
+        tokenFile = config.age.secrets.github-token.path;
+        webhookSecretFile = config.age.secrets.github-webhook-secret.path;
+        oauthSecretFile = config.age.secrets.github-oauth-secret.path;
        oauthId = "bba3e144501aa5b8a5dd";
        user = "JulienMalka";
        admins = [ "JulienMalka" ];
@ -33,37 +36,21 @@ in
      enableACME = true;
    };

-    sops.secrets = {
-      github-token = {
-        format = "binary";
-        sopsFile = ../../secrets/github-token-secret;
-      };
-      github-webhook-secret = {
-        format = "binary";
-        sopsFile = ../../secrets/github-webhook-secret;
-      };
-      github-oauth-secret = {
-        format = "binary";
-        sopsFile = ../../secrets/github-oauth-secret;
-      };
-      buildbot-nix-workers = {
-        format = "binary";
-        sopsFile = ../../secrets/buildbot-nix-workers;
+    age.secrets = {
+      github-token.file = ../../secrets/github-token-secret.age;
+      github-webhook-secret.file = ../../secrets/github-webhook-secret.age;
+      github-oauth-secret.file = ../../secrets/github-oauth-secret.age;
+      buildbot-nix-workers.file = ../../secrets/buildbot-nix-workers.age;
+      buildbot-nix-worker-password = {
+        file = ../../secrets/buildbot-nix-worker-password.age;
+        owner = "buildbot-worker";
      };
    };

    systemd.services.buildbot-worker.environment.WORKER_COUNT = "14";
    services.buildbot-nix.worker = {
      enable = true;
-      workerPasswordFile = config.sops.secrets.buildbot-nix-worker-password.path;
+      workerPasswordFile = config.age.secrets.buildbot-nix-worker-password.path;
    };
-
-    sops.secrets.buildbot-nix-worker-password = {
-      format = "binary";
-      owner = "buildbot-worker";
-      sopsFile = ../../secrets/buildbot-nix-worker-password;
-    };
-
  };
 }
-
--- a/modules/deluge/default.nix
+++ b/modules/deluge/default.nix
@ -22,19 +22,15 @@ in
    };

    nginx.enable = mkEnableOption "activate nginx";
-    nginx.subdomain = mkOption {
-      type = types.str;
-    };
-
+    nginx.subdomain = mkOption { type = types.str; };
  };

-  config = mkIf cfg.enable (
-    mkMerge [{
+  config = mkIf cfg.enable (mkMerge [
+    {

-      sops.secrets.deluge = {
+      age.secrets.deluge-webui-password = {
        owner = cfg.user;
-        format = "binary";
-        sopsFile = ../../secrets/deluge-login;
+        file = ../../secrets/deluge-webui-password.age;
      };

      services.deluge = {
@ -42,21 +38,16 @@ in
        inherit (cfg) user group;
        openFirewall = true;
        declarative = true;
-        authFile = "/run/secrets/deluge";
+        authFile = "/run/agenix/deluge-webui-password";
        web.enable = true;
        config = {
          download_location = "/home/mediaserver/downloads/complete/";
          allow_remote = true;
        };
        dataDir = "/home/mediaserver/deluge";
-
      };
    }

-
-
-      (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]);
-
-
-
+    (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))
+  ]);
 }
--- a/modules/mailserver/default.nix
+++ b/modules/mailserver/default.nix
@ -8,45 +8,45 @@ with lib;
    enable = mkEnableOption "Enable mailserver";
  };

-  config = mkIf cfg.enable
-    {
-      mailserver = {
-        enable = true;
-        fqdn = "mail.julienmalka.me";
-        domains = [ "malka.sh" "ens.school" ];
+  config = mkIf cfg.enable {
+    mailserver = {
+      enable = true;
+      fqdn = "mail.julienmalka.me";
+      domains = [
+        "malka.sh"
+        "ens.school"
+      ];

-        enableManageSieve = true;
-
-        # A list of all login accounts. To create the password hashes, use
-        # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
-        loginAccounts = {
-          "julien@malka.sh" = {
-            hashedPasswordFile = "/run/secrets/malkash-pw";
-            aliases = [ "@malka.sh" ];
-            sieveScript = builtins.readFile ./malka-sh.sieve;
-          };
-          "julien.malka@ens.school" = {
-            hashedPasswordFile = "/run/secrets/ensmailmalka-pw";
-          };
-          "camille.mondon@ens.school" = {
-            hashedPasswordFile = "/run/secrets/ensmailmondon-pw";
-          };
+      enableManageSieve = true;

+      # A list of all login accounts. To create the password hashes, use
+      # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+      loginAccounts = {
+        "julien@malka.sh" = {
+          hashedPasswordFile = "/run/agenix/malkash-pw";
+          aliases = [ "@malka.sh" ];
+          sieveScript = builtins.readFile ./malka-sh.sieve;
        };
-        extraVirtualAliases = {
-          "postmaster@ens.school" = "julien.malka@ens.school";
+        "julien.malka@ens.school" = {
+          hashedPasswordFile = "/run/agenix/ensmailmalka-pw";
+        };
+        "camille.mondon@ens.school" = {
+          hashedPasswordFile = "/run/agenix/ensmailmondon-pw";
        };
-        certificateScheme = "acme-nginx";
      };
-
-      services.roundcube = {
-        enable = true;
-        hostName = "webmail.julienmalka.me";
+      extraVirtualAliases = {
+        "postmaster@ens.school" = "julien.malka@ens.school";
      };
-
-      sops.secrets.malkash-pw = { };
-      sops.secrets.ensmailmalka-pw = { };
-      sops.secrets.ensmailmondon-pw = { };
-
+      certificateScheme = "acme-nginx";
    };
+
+    services.roundcube = {
+      enable = true;
+      hostName = "webmail.julienmalka.me";
+    };
+
+    age.secrets.malkash-pw.file = ../../secrets/julien-malka-sh-mail-password.age;
+    age.secrets.ensmailmalka-pw.file = ../../secrets/malka-ens-school-mail-password.age;
+    age.secrets.ensmailmondon-pw.file = ../../secrets/mondon-ens-school-mail-password.age;
+  };
 }
--- a/modules/navidrome/default.nix
+++ b/modules/navidrome/default.nix
@ -1,4 +1,9 @@
-{ lib, pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 with lib;
 let
  cfg = config.luj.navidrome;
@ -22,23 +27,12 @@ in
      description = "Group under which Navidrome runs.";
    };

-
    nginx.enable = mkEnableOption "activate nginx";
-    nginx.subdomain = mkOption {
-      type = types.str;
-    };
+    nginx.subdomain = mkOption { type = types.str; };
  };

-  config = mkIf cfg.enable (
-    mkMerge [{
-
-      sops.secrets."navidrome.json" = {
-        owner = cfg.user;
-        format = "binary";
-        sopsFile = ../../secrets/navidrome-config;
-      };
-
-
+  config = mkIf cfg.enable (mkMerge [
+    {

      systemd.services.navidrome = {

@ -55,16 +49,10 @@ in
          WorkingDirectory = "/var/lib/navidrome";
        };
      };
-
-
-
    }

+    (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))

-
-      (mkIf cfg.nginx.enable (mkSubdomain cfg.nginx.subdomain port))
-
-      (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))]);
-
-
+    (mkIf cfg.nginx.enable (mkVPNSubdomain cfg.nginx.subdomain port))
+  ]);
 }
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@ -8,24 +8,19 @@ with lib;
    enable = mkEnableOption "Create secrets";
  };

-  config = mkIf cfg.enable
-    {
-      sops.secrets.ens-mail-passwd = {
-        owner = "julien";
-        path = "/home/julien/.config/ens-mail-passwd";
-      };
-
-      sops.secrets.sendinblue-mail-passwd = { };
-      sops.secrets.git-gpg-private-key = {
-        owner = "julien";
-        mode = "0440";
-        group = config.users.groups.keys.name;
-        sopsFile = ../secrets/git-gpg-private-key;
-        format = "binary";
-      };
-
+  config = mkIf cfg.enable {

+    age.secrets.ens-mail-password = {
+      file = ../../secrets/ens-mail-password.age;
+      owner = "julien";
+      path = "/home/julien/.config/ens-mail-passwd";
    };

-
+    age.secrets.git-gpg-private-key = {
+      file = ../../secrets/git-gpg-private-key.age;
+      owner = "julien";
+      mode = "0440";
+      group = config.users.groups.keys.name;
+    };
+  };
 }