feat: move to agenix secrets

2025-06-08 18:09:06 +02:00 · 2024-05-09 00:48:35 +02:00 · 2024-05-09 00:48:35 +02:00 · 8ee88f922c
commit 8ee88f922c
parent e392ca9001
11 changed files with 214 additions and 253 deletions
--- a/modules/mailserver/default.nix
+++ b/modules/mailserver/default.nix
@ -8,45 +8,45 @@ with lib;
    enable = mkEnableOption "Enable mailserver";
  };

-  config = mkIf cfg.enable
-    {
-      mailserver = {
-        enable = true;
-        fqdn = "mail.julienmalka.me";
-        domains = [ "malka.sh" "ens.school" ];
+  config = mkIf cfg.enable {
+    mailserver = {
+      enable = true;
+      fqdn = "mail.julienmalka.me";
+      domains = [
+        "malka.sh"
+        "ens.school"
+      ];

-        enableManageSieve = true;
-
-        # A list of all login accounts. To create the password hashes, use
-        # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
-        loginAccounts = {
-          "julien@malka.sh" = {
-            hashedPasswordFile = "/run/secrets/malkash-pw";
-            aliases = [ "@malka.sh" ];
-            sieveScript = builtins.readFile ./malka-sh.sieve;
-          };
-          "julien.malka@ens.school" = {
-            hashedPasswordFile = "/run/secrets/ensmailmalka-pw";
-          };
-          "camille.mondon@ens.school" = {
-            hashedPasswordFile = "/run/secrets/ensmailmondon-pw";
-          };
+      enableManageSieve = true;

+      # A list of all login accounts. To create the password hashes, use
+      # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+      loginAccounts = {
+        "julien@malka.sh" = {
+          hashedPasswordFile = "/run/agenix/malkash-pw";
+          aliases = [ "@malka.sh" ];
+          sieveScript = builtins.readFile ./malka-sh.sieve;
        };
-        extraVirtualAliases = {
-          "postmaster@ens.school" = "julien.malka@ens.school";
+        "julien.malka@ens.school" = {
+          hashedPasswordFile = "/run/agenix/ensmailmalka-pw";
+        };
+        "camille.mondon@ens.school" = {
+          hashedPasswordFile = "/run/agenix/ensmailmondon-pw";
        };
-        certificateScheme = "acme-nginx";
      };
-
-      services.roundcube = {
-        enable = true;
-        hostName = "webmail.julienmalka.me";
+      extraVirtualAliases = {
+        "postmaster@ens.school" = "julien.malka@ens.school";
      };
-
-      sops.secrets.malkash-pw = { };
-      sops.secrets.ensmailmalka-pw = { };
-      sops.secrets.ensmailmondon-pw = { };
-
+      certificateScheme = "acme-nginx";
    };
+
+    services.roundcube = {
+      enable = true;
+      hostName = "webmail.julienmalka.me";
+    };
+
+    age.secrets.malkash-pw.file = ../../secrets/julien-malka-sh-mail-password.age;
+    age.secrets.ensmailmalka-pw.file = ../../secrets/malka-ens-school-mail-password.age;
+    age.secrets.ensmailmondon-pw.file = ../../secrets/mondon-ens-school-mail-password.age;
+  };
 }