secrets: move lohr to agenix

2022-03-11 17:26:54 +01:00 · 2022-03-11 17:26:54 +01:00 · dad068ed6b
parent 3b99096af9
commit dad068ed6b
6 changed files with 13 additions and 3 deletions
--- a/hosts/poseidon/secrets.nix
+++ b/hosts/poseidon/secrets.nix
@ -11,6 +11,8 @@
        lib.mapAttrs toSecret {
          "gandi/api-key" = {};

+          "lohr/shared-secret" = {};
+
          "users/alarsyo-hashed-password" = {};
          "users/root-hashed-password" = {};
        };
--- a/modules/secrets/lohr/shared-secret.age
+++ b/modules/secrets/lohr/shared-secret.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 z6Eu8Q TbYGLV7JbzW40Eo9aNDfirmKXntiJnT60mbbzRLQJX4
+KHbJtr2hsfe7lsZ2VRTo7mWAgi33f8OJiuBDNfnCijE
+-> U}J&0*-grease 0~7egWZ( bN0gqO I[r[CN15
+xL86runL
+--- WrvrFFp0ZtCc0dXhfzaHOiFckW5u6qpm7SLEwgi8cyg
+Æqä¯Q<1E>èI‹‘²º±à[¸E>¤0ÒÀ<C392>Å <20>ôë©ƒ<C2A9>ŒKE<4B>
+›ÏÝUüéA'[Kpa–Žy8fëžÉŠ¾Z©Ã`¤Èö‰q¾7qÁ"„Îz‹C	íI{I!æ\é%€E²qÂ¦y¢ãÒ”3
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -13,6 +13,8 @@ in
 {
  "gandi/api-key.age".publicKeys = [ poseidon ];

+  "lohr/shared-secret.age".publicKeys = [ poseidon ];
+
  "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
  "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
  "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -14,7 +14,6 @@ in {
    transmission-password = fileContents ./transmission.secret;
    nextcloud-admin-pass = ./nextcloud-admin-pass.secret;
    nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret;
-    lohr-shared-secret = fileContents ./lohr-shared-secret.secret;

    paperless = import ./paperless { inherit lib; };
    restic-backup = import ./restic-backup { inherit lib; };
--- a/secrets/lohr-shared-secret.secret
+++ b/secrets/lohr-shared-secret.secret
--- a/services/lohr.nix
+++ b/services/lohr.nix
@ -44,9 +44,8 @@ in
          "ROCKET_PORT=${toString cfg.port}"
          "ROCKET_LOG_LEVEL=normal"
          "LOHR_HOME=${cfg.home}"
-          # NOTE: secret cannot contain a '%', it's interpreted by systemd
-          "'LOHR_SECRET=${secrets.lohr-shared-secret}'"
        ];
+        EnvironmentFile = config.age.secrets."lohr/shared-secret".path;
        ExecStart = "${lohrPkg}/bin/lohr";
        StateDirectory = "lohr";
        WorkingDirectory = "/var/lib/lohr";