secrets: move gandi api key to agenix

hosts/poseidon/secrets.nix

@@ -9,6 +9,8 @@
         } // attrs;
       in
         lib.mapAttrs toSecret {
+          "gandi/api-key" = {};
+
           "users/alarsyo-hashed-password" = {};
           "users/root-hashed-password" = {};
         };

modules/secrets/gandi/api-key.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 z6Eu8Q Z6nxu/Aj6YiouSwaHKO9o/VjDwkFeg1aUpxWDH0zYUc
+nN/e7E4mRe0u6r845FlT9QPYTAAoG7YQZY+igYNNd7Y
+-> LZ-grease 7/44AQ]n H&}_^ hIg#2Ic :cyUJma
+cyKzugByeYVVqVRXfi/a7RkreaM9vVNw8z1Jn+MaLZs1paE44QEe2Y2bsXA9tmai
+GSfOFlOBv82/Jhlc7xUK5w6RxgIBdmxtpEfRaUw
+--- jnsdwFTZU4wzsxo0piNFBchQtCuFQohGALt42YukeVA
+˜7wO˜ƒp8Òˆeu!¡Cbì
BRïî·­zI×<49>Nìô•?C	<09>éýW›õ[kG½ƒslãöÀZGÿØì™üÝ9nðL

modules/secrets/secrets.nix

@@ -11,6 +11,8 @@ let
   all = users ++ machines;
 in
 {
+  "gandi/api-key.age".publicKeys = [ poseidon ];
+
   "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
   "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
   "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];

secrets/default.nix

@@ -15,7 +15,6 @@ in {
     nextcloud-admin-pass = ./nextcloud-admin-pass.secret;
     nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret;
     lohr-shared-secret = fileContents ./lohr-shared-secret.secret;
-    gandiKey = fileContents ./gandi-api-key.secret;
 
     borg-backup = import ./borg-backup { inherit lib; };
     paperless = import ./paperless { inherit lib; };

services/nginx.nix

@@ -54,7 +54,7 @@ in
           "${domain}" = {
             extraDomainNames = [ "*.${domain}" ];
             dnsProvider = "gandiv5";
-            credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;
+            credentialsFile = config.age.secrets."gandi/api-key".path;
             group = "nginx";
           };
         };