secrets: move paperless secrets to agenix

hosts/poseidon/default.nix

@@ -127,6 +127,8 @@ in
     paperless = {
       enable = true;
       port = 8085;
+      passwordFile = config.age.secrets."paperless/admin-password".path;
+      secretKeyFile = config.age.secrets."paperless/secret-key".path;
     };
 
     postgresql-backup = {

hosts/poseidon/secrets.nix

@@ -23,6 +23,9 @@
             owner = "nextcloud";
           };
 
+          "paperless/admin-password" = {};
+          "paperless/secret-key" = {};
+
           "restic-backup/poseidon-credentials" = {};
           "restic-backup/poseidon-password" = {};
 

modules/secrets/paperless/admin-password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 z6Eu8Q cKvo+xxPeYdCpJZgcN7Yo8x4zxqKL+08LjQip00NR1M
+nLEraZgmUlMjNfF4SZ3DRTRENC3/5L02KFMjLWQcDkk
+-> BA-grease "TTy
+LVWJdA/Rht1hzx5ezY0+4JxHDPtyveBBmrZ/sIN6RFC9Y7Xb875Z+Se/YYcI9unf
+RZcSrVU
+--- TT+H8/aMObjfwOga2VeDrifPmttTdle97PFZL/H6b0w
+<2˜Ùf½’!¿˜ðžÁý‘Ì´<>t™X+·¬Q•¾Œ<C2BE>¯ÍïLP‚Ùñû;ø×w‘‘öY¼Õx-ˆ™4—Ó‰ùé8¦ ïL¹åЄ×Öæ¿òÕ:…lõÆ(«¹‘•.

modules/secrets/secrets.nix

@@ -21,6 +21,9 @@ in
 
   "nextcloud/admin-pass.age".publicKeys = [ poseidon ];
 
+  "paperless/admin-password.age".publicKeys = [ poseidon ];
+  "paperless/secret-key.age".publicKeys = [ poseidon ];
+
   "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
   "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
   "restic-backup/poseidon-password.age".publicKeys = [ alarsyo poseidon ];

secrets/default.nix

@@ -10,6 +10,5 @@ in {
   };
 
   config.my.secrets = {
-    paperless = import ./paperless { inherit lib; };
   };
 }

secrets/paperless/default.nix

@@ -1,10 +0,0 @@
-{ lib }:
-let
-  inherit (lib)
-    fileContents
-  ;
-in
-{
-  secretKey = fileContents ./secret-key-file.secret;
-  adminPassword = fileContents ./admin-password.secret;
-}

services/paperless.nix

@@ -11,7 +11,6 @@ let
   my = config.my;
   domain = config.networking.domain;
   paperlessDomain = "paperless.${domain}";
-  secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
 in
 {
   options.my.services.paperless = let inherit (lib) types; in {
@@ -23,13 +22,27 @@ in
       example = 8080;
       description = "Internal port for Paperless service";
     };
+
+    passwordFile = mkOption {
+      type = types.path;
+      description = ''
+        Path to a file containing the admin's password
+      '';
+    };
+
+    secretKeyFile = mkOption {
+      type = types.path;
+      description = ''
+        Path to a file containing the service's secret key
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
     services.paperless-ng = {
       enable = true;
       port = cfg.port;
-      passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
+      passwordFile = cfg.passwordFile;
       extraConfig = {
         # Postgres settings
         PAPERLESS_DBHOST = "/run/postgresql";
@@ -53,17 +66,17 @@ in
 
     systemd.services = {
       paperless-ng-server.serviceConfig = {
-        EnvironmentFile = secretKeyFile;
+        EnvironmentFile = cfg.secretKeyFile;
         BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
       };
 
       paperless-ng-consumer.serviceConfig = {
-        EnvironmentFile = secretKeyFile;
+        EnvironmentFile = cfg.secretKeyFile;
         BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
       };
 
       paperless-ng-web.serviceConfig = {
-        EnvironmentFile = secretKeyFile;
+        EnvironmentFile = cfg.secretKeyFile;
         BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
       };
     };