remove agenix and migrate secrets to clan vars

squash this
2025-07-18 00:10:29 +02:00 · 2025-07-18 00:10:29 +02:00 · 8b3841a87f
commit 8b3841a87f
parent b91a52da5e
18 changed files with 96 additions and 165 deletions
--- a/machines/crocus/radicle.nix
+++ b/machines/crocus/radicle.nix
@ -2,7 +2,7 @@
 {
  services.radicle = {
    enable = true;
-    privateKeyFile = config.age.secrets.radicle-private-key.path;
+    privateKeyFile = config.clan.core.vars.generators.radicle.files.radicle-private-key.path;
    publicKey = keys.services.radicle;
    node = {
      openFirewall = true;
@ -17,5 +17,11 @@
    };
  };

-  age.secrets.radicle-private-key.file = ../../secrets/radicle-private-key.age;
+  clan.core.vars.generators.radicle = {
+    prompts.radicle-private-key = {
+      description = "radicle node private key";
+      type = "hidden";
+      persist = true;
+    };
+  };
 }
--- a/machines/genepi/acme.nix
+++ b/machines/genepi/acme.nix
@ -1,21 +1,25 @@
 { config, ... }:
 {
+  imports = [
+    ../../modules/gandi.nix
+  ];
+
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@rpqt.fr";
  };

-  age.secrets.gandi.file = ../../secrets/gandi.age;
-
  security.acme = {
    certs."home.rpqt.fr" = {
      group = config.services.nginx.group;
-
      domain = "home.rpqt.fr";
      extraDomainNames = [ "*.home.rpqt.fr" ];
      dnsProvider = "gandiv5";
      dnsPropagationCheck = true;
-      environmentFile = config.age.secrets.gandi.path;
+      environmentFile = config.clan.core.vars.generators.gandi.files.gandi-env.path;
+      email = "admin@rpqt.fr";
    };
  };
+
+  clan.core.vars.generators.gandi.files.gandi-env.owner = "acme";
 }
--- a/machines/genepi/configuration.nix
+++ b/machines/genepi/configuration.nix
@ -4,7 +4,6 @@
 }:
 {
  imports = [
-    self.inputs.agenix.nixosModules.default
    ./acme.nix
    ./boot.nix
    ./builder.nix
--- a/machines/genepi/freshrss.nix
+++ b/machines/genepi/freshrss.nix
@ -4,23 +4,26 @@ let
  subdomain = "rss.${domain}";
 in
 {
-  age.secrets.freshrss = {
-    file = ../../secrets/freshrss.age;
-    mode = "700";
-    owner = config.services.freshrss.user;
-  };
-
  services.freshrss = {
    enable = true;
    baseUrl = "https://${subdomain}";
    virtualHost = "${subdomain}";

    defaultUser = "rpqt";
-    passwordFile = config.age.secrets.freshrss.path;
+    passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
  };

  services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
    forceSSL = true;
    useACMEHost = "${domain}";
  };
+
+  clan.core.vars.generators.freshrss = {
+    prompts.freshrss-password = {
+      description = "freshrss default user password";
+      type = "hidden";
+      persist = true;
+    };
+    files.freshrss-password.owner = config.services.freshrss.user;
+  };
 }
--- a/machines/haze/configuration.nix
+++ b/machines/haze/configuration.nix
@ -4,8 +4,6 @@
 }:
 {
  imports = [
-    # inputs.disko.nixosModules.disko
-    self.inputs.agenix.nixosModules.default
    ./boot.nix
    ./chat.nix
    ./firefox.nix
--- a/machines/haze/secrets/secrets.nix
+++ b/machines/haze/secrets/secrets.nix
@ -1,13 +0,0 @@
-let
-  keys = import ../../../parts/keys.nix;
-in
-{
-  "syncthing-key.pem.age".publicKeys = [
-    keys.hosts.haze
-    keys.rpqt.haze
-  ];
-  "syncthing-cert.pem.age".publicKeys = [
-    keys.hosts.haze
-    keys.rpqt.haze
-  ];
-}
--- a/machines/haze/secrets/syncthing-cert.pem.age
+++ b/machines/haze/secrets/syncthing-cert.pem.age
--- a/machines/haze/secrets/syncthing-key.pem.age
+++ b/machines/haze/secrets/syncthing-key.pem.age
@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 P3fsag cm2nekzBIMCAb/yXzY4L6jIH/Sa+rSMznT88WJNkP30
-DMnRf0An69vywpHLD3RGHwE0dkaa6JIEahhQo14EEDc
--- f/kI+HBhWTQlXoWvCJaLJM70EsOkH4G8/5g9Eeu8uNc
-
-àT!Û÷<12>\Î’ù6˜
-·TÀƒrÏµKr»9ÕÅw¹ÌžÀ8–æ¸ÇEƒ<45>¿´,ÜR.¢˜³’ÉiÒ ¹ßüý_'2Þ;iÒÅ„—8d¤ÏóÿÁ&DÝ«q¯²îxd
-µ3Ée„xnâg~’/)Ý‡aƒÄWÔèžG~ºÒÈBNV·ˆi¨a<05>{ËæÝuÕÛ•ÜR=ûMòO)$HS„Ýf¥f<ç›cóü?àï~*€Täà<>)WtÊ<74>ñÅÀ&‚Ü8i˜óºz½è:5Ž¹[sc"ýÀì<>& UýËÓ9ÂÓ'í§_»´{xkE½ïØ¼YÁ@åÑçƒÆÚf×Uä+†—B±u¨=ÿÌY4òe3âUÕÆQLSl5 U™qÚšþ!¨h<C2A8>×W¼ã@}<7D>OW¨ŠÃ
--- a/machines/haze/syncthing.nix
+++ b/machines/haze/syncthing.nix
@ -7,24 +7,21 @@ let
  home = config.users.users.${user}.home;
 in
 {
-  # age.secrets.syncthing-key.file = ./secrets/syncthing-key.pem.age;
-  # age.secrets.syncthing-cert.file = ./secrets/syncthing-cert.pem.age;
-
  services.syncthing = {
-    enable = false;
+    enable = true;
    user = user;
    group = "users";
    dataDir = home;
    configDir = "${home}/.config/syncthing";
-    key = config.age.secrets.syncthing-key.path;
-    cert = config.age.secrets.syncthing-cert.path;
+    key = config.clan.core.vars.generators.syncthing.files."key".path;
+    cert = config.clan.core.vars.generators.syncthing.files."cert".path;
    openDefaultPorts = true;
    overrideDevices = true;
    overrideFolders = true;
    settings = {
      devices = {
        "genepi" = {
-          id = "EA7DC7O-IHB47EQ-AWT2QBJ-AWPDF5S-W4EM66A-KQPCTHI-UX53WKM-QTSAHQ4";
+          id = "TNP3M2Z-2AJ3CJE-4LLYHME-3KWCLN4-XQWBIDJ-PTDRANE-RRBYQWQ-KXJFTQU";
        };
        "pixel-7a" = {
          id = "IZE7B4Z-LKTJY6Q-77NN4JG-ADYRC77-TYPZTXE-Q35BWV2-AEO7Q3R-ZE63IAU";
@ -60,4 +57,20 @@ in
      };
    };
  };
+
+  clan.core.vars.generators.syncthing = {
+    prompts.key = {
+      description = "syncthing private key";
+      type = "hidden";
+      persist = true;
+    };
+    files.key.owner = config.services.syncthing.user;
+
+    prompts.cert = {
+      description = "syncthing cert";
+      type = "hidden";
+      persist = true;
+    };
+    files.cert.owner = config.services.syncthing.user;
+  };
 }