From dad068ed6b2d6ec20e281dab3bfa92ad33e38008 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine@alarsyo.net>
Date: Fri, 11 Mar 2022 17:26:54 +0100
Subject: [PATCH] secrets: move lohr to agenix

---
 hosts/poseidon/secrets.nix             |   2 ++
 modules/secrets/lohr/shared-secret.age |   8 ++++++++
 modules/secrets/secrets.nix            |   2 ++
 secrets/default.nix                    |   1 -
 secrets/lohr-shared-secret.secret      | Bin 86 -> 0 bytes
 services/lohr.nix                      |   3 +--
 6 files changed, 13 insertions(+), 3 deletions(-)
 create mode 100644 modules/secrets/lohr/shared-secret.age
 delete mode 100644 secrets/lohr-shared-secret.secret

diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix
index f0722b6..59e6393 100644
--- a/hosts/poseidon/secrets.nix
+++ b/hosts/poseidon/secrets.nix
@@ -11,6 +11,8 @@
         lib.mapAttrs toSecret {
           "gandi/api-key" = {};
 
+          "lohr/shared-secret" = {};
+
           "users/alarsyo-hashed-password" = {};
           "users/root-hashed-password" = {};
         };
diff --git a/modules/secrets/lohr/shared-secret.age b/modules/secrets/lohr/shared-secret.age
new file mode 100644
index 0000000..e3fa903
--- /dev/null
+++ b/modules/secrets/lohr/shared-secret.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 z6Eu8Q TbYGLV7JbzW40Eo9aNDfirmKXntiJnT60mbbzRLQJX4
+KHbJtr2hsfe7lsZ2VRTo7mWAgi33f8OJiuBDNfnCijE
+-> U}J&0*-grease 0~7egWZ( bN0gqO I[r[CN15
+xL86runL
+--- WrvrFFp0ZtCc0dXhfzaHOiFckW5u6qpm7SLEwgi8cyg
+�q�Q��I������[�E>�0���� �������KE�
+���U��A'[Kpa��y8f��Ɋ�Z��`����q�7q�"��z�C	�I{I!�\�%�E�q¦y��Ҕ3
\ No newline at end of file
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index cecc74e..81720b3 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -13,6 +13,8 @@ in
 {
   "gandi/api-key.age".publicKeys = [ poseidon ];
 
+  "lohr/shared-secret.age".publicKeys = [ poseidon ];
+
   "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
   "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
   "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
diff --git a/secrets/default.nix b/secrets/default.nix
index 278d2a1..d97b4aa 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -14,7 +14,6 @@ in {
     transmission-password = fileContents ./transmission.secret;
     nextcloud-admin-pass = ./nextcloud-admin-pass.secret;
     nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret;
-    lohr-shared-secret = fileContents ./lohr-shared-secret.secret;
 
     paperless = import ./paperless { inherit lib; };
     restic-backup = import ./restic-backup { inherit lib; };
diff --git a/secrets/lohr-shared-secret.secret b/secrets/lohr-shared-secret.secret
deleted file mode 100644
index a05809ee622fb56974b03f6a036a76c48bab6b27..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 86
zcmV-c0IB}~M@dveQdv+`0F_y=!R|M8i;*y9Fn~;9<T`NYa;077h1sS5XIK=g;3k1b
sm_8;jJ`!-Z8r7;0WmG2O(qEFZ1_{+Sjy-j<FzsV6P`Fz!sd!3{byC?S+yDRo

diff --git a/services/lohr.nix b/services/lohr.nix
index d7442e8..db33155 100644
--- a/services/lohr.nix
+++ b/services/lohr.nix
@@ -44,9 +44,8 @@ in
           "ROCKET_PORT=${toString cfg.port}"
           "ROCKET_LOG_LEVEL=normal"
           "LOHR_HOME=${cfg.home}"
-          # NOTE: secret cannot contain a '%', it's interpreted by systemd
-          "'LOHR_SECRET=${secrets.lohr-shared-secret}'"
         ];
+        EnvironmentFile = config.age.secrets."lohr/shared-secret".path;
         ExecStart = "${lohrPkg}/bin/lohr";
         StateDirectory = "lohr";
         WorkingDirectory = "/var/lib/lohr";