From f4e2d1739da1fd0d51ed58bb9b372e93f580ffed Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Fri, 11 Mar 2022 17:06:23 +0100 Subject: [PATCH 1/2] secrets: remove unused secrets --- secrets/default.nix | 2 -- secrets/shadow-hashed-password-alarsyo.secret | Bin 128 -> 0 bytes secrets/shadow-hashed-password-root.secret | Bin 128 -> 0 bytes 3 files changed, 2 deletions(-) delete mode 100644 secrets/shadow-hashed-password-alarsyo.secret delete mode 100644 secrets/shadow-hashed-password-root.secret diff --git a/secrets/default.nix b/secrets/default.nix index d63ad9f..08084b0 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -10,8 +10,6 @@ in { }; config.my.secrets = { - shadow-hashed-password-alarsyo = fileContents ./shadow-hashed-password-alarsyo.secret; - shadow-hashed-password-root = fileContents ./shadow-hashed-password-root.secret; miniflux-admin-credentials = fileContents ./miniflux-admin-credentials.secret; transmission-password = fileContents ./transmission.secret; nextcloud-admin-pass = ./nextcloud-admin-pass.secret; diff --git a/secrets/shadow-hashed-password-alarsyo.secret b/secrets/shadow-hashed-password-alarsyo.secret deleted file mode 100644 index d4afac81e8b4bf5802fc629df47af25dda38d346..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmZQ@_Y83kiVO&0Fp#^j^rvjCMre9r8N2)BSG_g6ILqXJF4rw_pS^HN#j(C`MF;n@ zHtuK1F^^0PT)l4p`@1|5$EBP31%C#9K6K4u_T%=#ha#ps_H91XwP4$fpOM-8-x^!* l9S&?d*1q Date: Fri, 11 Mar 2022 17:10:44 +0100 Subject: [PATCH 2/2] secrets: move gandi api key to agenix --- hosts/poseidon/secrets.nix | 2 ++ modules/secrets/gandi/api-key.age | 8 ++++++++ modules/secrets/secrets.nix | 2 ++ secrets/default.nix | 1 - secrets/gandi-api-key.secret | Bin 63 -> 0 bytes services/nginx.nix | 2 +- 6 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 modules/secrets/gandi/api-key.age delete mode 100644 secrets/gandi-api-key.secret 
diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix index 2b64a0d..f0722b6 100644 --- a/hosts/poseidon/secrets.nix +++ b/hosts/poseidon/secrets.nix @@ -9,6 +9,8 @@ } // attrs; in lib.mapAttrs toSecret { + "gandi/api-key" = {}; + "users/alarsyo-hashed-password" = {}; "users/root-hashed-password" = {}; }; diff --git a/modules/secrets/gandi/api-key.age b/modules/secrets/gandi/api-key.age new file mode 100644 index 0000000..cf9f9c9 --- /dev/null +++ b/modules/secrets/gandi/api-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 z6Eu8Q Z6nxu/Aj6YiouSwaHKO9o/VjDwkFeg1aUpxWDH0zYUc +nN/e7E4mRe0u6r845FlT9QPYTAAoG7YQZY+igYNNd7Y +-> LZ-grease 7/44AQ]n H&}_^ hIg#2Ic :cyUJma +cyKzugByeYVVqVRXfi/a7RkreaM9vVNw8z1Jn+MaLZs1paE44QEe2Y2bsXA9tmai +GSfOFlOBv82/Jhlc7xUK5w6RxgIBdmxtpEfRaUw +--- jnsdwFTZU4wzsxo0piNFBchQtCuFQohGALt42YukeVA +7wOp8҈eu!CbBRzIאN?C W[kGslZG9nL \ No newline at end of file diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 5e3fec2..cecc74e 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -11,6 +11,8 @@ let all = users ++ machines; in { + "gandi/api-key.age".publicKeys = [ poseidon ]; + "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ]; "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ]; "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; diff --git a/secrets/default.nix b/secrets/default.nix index 08084b0..c17761a 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -15,7 +15,6 @@ in { nextcloud-admin-pass = ./nextcloud-admin-pass.secret; nextcloud-admin-user = fileContents ./nextcloud-admin-user.secret; lohr-shared-secret = fileContents ./lohr-shared-secret.secret; - gandiKey = fileContents ./gandi-api-key.secret; borg-backup = import ./borg-backup { inherit lib; }; paperless = import ./paperless { inherit lib; }; 
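Review bot: In modules/secrets/secrets.nix, `"gandi/api-key.age".publicKeys = [ poseidon ];` lists only the host key, while the restic entries directly below it also list `alarsyo`. As written, this secret can only be edited or re-keyed by someone holding poseidon's host key. If the restriction is deliberate, a comment such as `# host-only: no user key can decrypt the DNS API key` would record it; if not, the list should read `[ alarsyo poseidon ]` to match its neighbours. The `let` block defining these names begins above the hunk.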
diff --git a/secrets/gandi-api-key.secret b/secrets/gandi-api-key.secret deleted file mode 100644 index 06a9edabb961c3ea440cefc74e7bb645885d12ca..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 63 zcmZQ@_Y83kiVO&0`0%bY`PbLK$r@K`edV`rK9>JLODXsJja42q!m9S2%}&_r(>u%e VHP0_IHs9TfOP?L!emQT$MF7vPAVB~C diff --git a/services/nginx.nix b/services/nginx.nix index 0fe607b..42dc015 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -54,7 +54,7 @@ in "${domain}" = { extraDomainNames = [ "*.${domain}" ]; dnsProvider = "gandiv5"; - credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey; + credentialsFile = config.age.secrets."gandi/api-key".path; group = "nginx"; }; };
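Review bot: The new `credentialsFile = config.age.secrets."gandi/api-key".path;` line in services/nginx.nix carries no comment on what the decrypted file must contain. The old `pkgs.writeText "gandi-creds.env" gandiKey` form suggests an environment file rather than a bare key. I would add `# agenix-decrypted env file (GANDIV5_API_KEY=...), kept out of the Nix store` above it. Because the previous value went through `pkgs.writeText`, the key was placed in the world-readable store and remains in old generations until they are garbage-collected, so rotating the Gandi key alongside this change is worth considering. The surrounding attribute set starts and ends outside the hunk, so I cannot tell whether a `gandiKey` binding is now left unused above it.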