From 2c3032c64291b23aaa30c0ade9c26aea3b32fe02 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Fri, 11 Mar 2022 18:55:56 +0100
Subject: [PATCH] secrets: move paperless secrets to agenix
---
 hosts/poseidon/default.nix | 2 ++
 hosts/poseidon/secrets.nix | 3 +++
 modules/secrets/paperless/admin-password.age | 8 +++++++
 modules/secrets/paperless/secret-key.age | Bin 0 -> 418 bytes
 modules/secrets/secrets.nix | 3 +++
 secrets/default.nix | 1 -
 secrets/paperless/admin-password.secret | Bin 87 -> 0 bytes
 secrets/paperless/default.nix | 10 --------
 secrets/paperless/secret-key-file.secret | Bin 151 -> 0 bytes
 services/paperless.nix | 23 +++++++++++++++----
 10 files changed, 34 insertions(+), 16 deletions(-)
 create mode 100644 modules/secrets/paperless/admin-password.age
 create mode 100644 modules/secrets/paperless/secret-key.age
 delete mode 100644 secrets/paperless/admin-password.secret
 delete mode 100644 secrets/paperless/default.nix
 delete mode 100644 secrets/paperless/secret-key-file.secret
diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index f978345..58bdee3 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -127,6 +127,8 @@ in
 paperless = {
 enable = true;
 port = 8085;
+ passwordFile = config.age.secrets."paperless/admin-password".path;
+ secretKeyFile = config.age.secrets."paperless/secret-key".path;
 };
 postgresql-backup = {
diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix
index ae5ba11..ada3ee4 100644
--- a/hosts/poseidon/secrets.nix
+++ b/hosts/poseidon/secrets.nix
@@ -23,6 +23,9 @@
 owner = "nextcloud";
 };
+ "paperless/admin-password" = {};
+ "paperless/secret-key" = {};
+ "restic-backup/poseidon-credentials" = {};
 "restic-backup/poseidon-password" = {};
diff --git a/modules/secrets/paperless/admin-password.age b/modules/secrets/paperless/admin-password.age
new file mode 100644
index 0000000..9974501
--- /dev/null
+++ b/modules/secrets/paperless/admin-password.age
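Review bot: Nothing at the new `passwordFile` / `secretKeyFile` lines in hosts/poseidon/default.nix records whether the two values were regenerated when they moved to agenix. The removed secrets/paperless/default.nix read both files with `fileContents` at evaluation time, so if services/paperless.nix (not visible in this part of the patch) put them into the service configuration, they were written to the Nix store, which every local user can read, and older system generations would still contain them. Once the values have been rotated, a comment above the two lines such as `# rotated when moved to agenix; pre-migration generations still embed the old values` would document that. The attribute set these lines belong to starts and ends outside the hunk.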
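Review bot: In hosts/poseidon/secrets.nix both new entries are declared as `{}`, while the nextcloud entry just above sets `owner = "nextcloud";`, so the paperless files get whatever default owner and mode this host's secrets wrapper applies (agenix itself defaults to root-owned, mode 0400). Whether that is right depends on how services/paperless.nix consumes the two paths, which is not visible here: if the unit reads them as its own user it will not be able to open them, and if they are read as root before privileges are dropped the default is the tighter choice and should stay. Either set the owner explicitly, `"paperless/secret-key" = { owner = "<paperless service user>"; };`, or add a comment such as `# root-only on purpose: <how the unit reads it>` so the difference from nextcloud is not mistaken for an oversight.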
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 z6Eu8Q cKvo+xxPeYdCpJZgcN7Yo8x4zxqKL+08LjQip00NR1M +nLEraZgmUlMjNfF4SZ3DRTRENC3/5L02KFMjLWQcDkk +-> BA-grease "TTy +LVWJdA/Rht1hzx5ezY0+4JxHDPtyveBBmrZ/sIN6RFC9Y7Xb875Z+Se/YYcI9unf +RZcSrVU +--- TT+H8/aMObjfwOga2VeDrifPmttTdle97PFZL/H6b0w +<2˜Ùf½’!¿˜ðžÁý‘Ì´t™X+·¬Q•¾Œ¯Í ïL P‚Ùñû;ø×w‘‘öY¼Õx-ˆ™4—Ó‰ùé8¦ ïL¹åЄ×Öæ¿òÕ:…lõÆ(«¹‘•. \ No newline at end of file diff --git a/modules/secrets/paperless/secret-key.age b/modules/secrets/paperless/secret-key.age new file mode 100644 index 0000000000000000000000000000000000000000..0529df8bcf8381dcb0df2fd5430b5373244b0140 GIT binary patch literal 418 zcmV;T0bTxKXJsvAZewzJaCB*JZZ2b7cxI zMlWJ{MoU5~YGP+@GkQ37S#2>*N-ubAPE%5NbY?G7QDQMhRa7!ccwuW(M?q{wIZHK3 zHbH4nY*~XmMjpc|%Jyc|%V%L`qgfcuGuGLPa?>FiS5mcV%O5a&dP= zY*lv(4uZK4_t#BEpEmPHQ60~-)>dnj&eGd1lMTz!Nsl$2kJsU)dzo@?jt& zh=i|C>&1RCv4ywQE(hNv)0jCR5@g*p?f4k)u1`(X^#I~}(q%|sG0d){2Px_&ingVR z@6v&VdDHyq?#^AJG<7S;mn$kBq&LJf8ft)d1yP`Na++&pcPByE$PeaCEi?cW MOdyKo_1+=?rYGB=B>(^b literal 0 HcmV?d00001 diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 2256b94..9aa0e53 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -21,6 +21,9 @@ in "nextcloud/admin-pass.age".publicKeys = [ poseidon ]; + "paperless/admin-password.age".publicKeys = [ poseidon ]; + "paperless/secret-key.age".publicKeys = [ poseidon ]; + "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ]; "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ]; "restic-backup/poseidon-password.age".publicKeys = [ alarsyo poseidon ]; diff --git a/secrets/default.nix b/secrets/default.nix index caa0d32..5b4ab4a 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -10,6 +10,5 @@ in { }; config.my.secrets = { - paperless = import ./paperless { inherit lib; }; }; } 
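Review bot: In modules/secrets/secrets.nix the two new `.age` entries list only `poseidon` in `publicKeys`, unlike the restic-backup entries below them, which also list `alarsyo`. That keeps the recipient set minimal, but it also means the files can only be decrypted, edited or re-keyed with poseidon's SSH host key, so a reinstall that regenerates the host key leaves them unrecoverable from the repository. The existing nextcloud entry follows the same pattern, so this may be deliberate; a comment like `# host-only: regenerate these if poseidon's host key changes` would make the intent explicit.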
diff --git a/secrets/paperless/admin-password.secret b/secrets/paperless/admin-password.secret deleted file mode 100644 index e8111fc9ea28556e37773cbec45b9a3f61b4118f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 87 zcmV-d0I2@}M@dveQdv+`00A9Baq((8KdvUdH2**?KY^P;ZVk>*pmd>$YVT`QwN;;SeOg8=l)G@{d_g@SZquC#nDd diff --git a/secrets/paperless/default.nix b/secrets/paperless/default.nix deleted file mode 100644 index 69c4008..0000000 --- a/secrets/paperless/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ lib }: -let - inherit (lib) - fileContents - ; -in -{ - secretKey = fileContents ./secret-key-file.secret; - adminPassword = fileContents ./admin-password.secret; -} diff --git a/secrets/paperless/secret-key-file.secret b/secrets/paperless/secret-key-file.secret deleted file mode 100644 index 1f447d4d4e63202dfa9a7aa672ec3da4e9608db2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 151 zcmV;I0BHXJM@dveQdv+`0JGs>o5k!=WhU&LHozG%$M={|C_KH;@e4!KlFx20way@g zD~LI{4wb>gBXDPrTo*9If%F_u$UeAuSUGWV^(NyDtv3*7oL2VxKz{U2;E&A