feat: set up agenix secrets management

services/etebase.nix

@@ -5,7 +5,7 @@ in {
   services.etebase-server.enable = true;
   services.etebase-server.openFirewall = true;
   services.etebase-server.settings = {
-    global = { secret_file = "/etc/nixos/secrets/etebase-server"; };
+    global = { secret_file = config.age.secrets.etebase-server.path; };
     allowed_hosts = { allowed_host1 = etebaseHost; };
   };
 

services/mail.nix

@@ -14,7 +14,7 @@
       host = "smtp.web.de";
       port = 587;
       user = "felschr@web.de";
-      passwordeval = "cat /etc/nixos/secrets/smtp";
+      passwordeval = "cat ${config.age.secrets.smtp.path}";
       # from = "%U@server.felschr.com";
       from = user;
     };

services/miniflux.nix

@@ -4,7 +4,7 @@ let port = 8002;
 in {
   services.miniflux = {
     enable = true;
-    adminCredentialsFile = "/etc/nixos/secrets/miniflux";
+    adminCredentialsFile = config.age.secrets.miniflux.path;
     config = { LISTEN_ADDR = "localhost:${toString port}"; };
   };
 

services/mosquitto.nix

@@ -31,15 +31,15 @@ in {
               "readwrite tasmota/#"
               "readwrite owntracks/#"
             ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/hass";
+            hashedPasswordFile = config.age.secrets.mqtt-hass.path;
           };
           "tasmota" = {
             acl = [ "readwrite tasmota/#" "readwrite homeassistant/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/tasmota";
+            hashedPasswordFile = config.age.secrets.mqtt-tasmota.path;
           };
           "owntracks" = {
             acl = [ "readwrite owntracks/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/owntracks";
+            hashedPasswordFile = config.age.secrets.mqtt-owntracks.path;
           };
         };
       }
@@ -49,11 +49,11 @@ in {
         users = {
           "felix" = {
             acl = [ "read owntracks/#" "readwrite owntracks/felix/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/felix";
+            hashedPasswordFile = config.age.secrets.mqtt-felix.path;
           };
           "birgit" = {
             acl = [ "read owntracks/#" "readwrite owntracks/birgit/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/birgit";
+            hashedPasswordFile = config.age.secrets.mqtt-birgit.path;
           };
         };
       }

services/nextcloud.nix

@@ -10,7 +10,7 @@ in {
     maxUploadSize = "10G";
     config = {
       adminuser = "admin";
-      adminpassFile = "/etc/nixos/secrets/nextcloud/admin";
+      adminpassFile = config.age.secrets.nextcloud-admin.path;
       dbtype = "pgsql";
       dbhost = "/run/postgresql";
     };

services/owntracks.nix

@@ -25,7 +25,7 @@ in {
       ];
       extraOptions = [
         # TODO systemd doesn't substitute variables because it doesn't run in a shell
-        # "-e OTR_PASS=\"$(cat /etc/nixos/secrets/mqtt/owntracks-plain)\""
+        # "-e OTR_PASS=\"$(cat ${config.age.secrets.mqtt-owntracks-plain.path})\""
         "--network=host"
       ];
     };
@@ -49,7 +49,7 @@ in {
         enableACME = true;
         forceSSL = true;
         locations."/".proxyPass = "http://localhost:8085";
-        basicAuthFile = "/etc/nixos/secrets/owntracks/htpasswd";
+        basicAuthFile = config.age.secrets.owntracks-htpasswd.path;
       };
     };
   };

services/paperless.nix

@@ -2,24 +2,25 @@
 
 let port = 28981;
 in {
-  services.paperless-ng = {
-    enable = true;
-    inherit port;
-    passwordFile = "/etc/nixos/secrets/paperless";
-    extraConfig = {
-      PAPERLESS_ADMIN_USER = "felschr";
-      PAPERLESS_OCR_LANGUAGE = "deu+eng";
-    };
-  };
+  /* services.paperless-ng = {
+     enable = true;
+     inherit port;
+     passwordFile = config.age.secrets.paperless.path;
+     extraConfig = {
+     PAPERLESS_ADMIN_USER = "felschr";
+     PAPERLESS_OCR_LANGUAGE = "deu+eng";
+     };
+     };
 
-  services.nginx = {
-    virtualHosts."paperless.felschr.com" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://localhost:${toString port}";
-        proxyWebsockets = true;
-      };
-    };
-  };
+     services.nginx = {
+     virtualHosts."paperless.felschr.com" = {
+     enableACME = true;
+     forceSSL = true;
+     locations."/" = {
+     proxyPass = "http://localhost:${toString port}";
+     proxyWebsockets = true;
+     };
+     };
+     };
+  */
 }

services/restic/common.nix

@@ -22,8 +22,8 @@ in {
     {
       initialize = true;
       repository = "b2:felschr-backups:/${name}";
-      environmentFile = "/etc/nixos/secrets/restic/b2";
-      passwordFile = "/etc/nixos/secrets/restic/password";
+      environmentFile = config.age.secrets.restic-b2.path;
+      passwordFile = config.age.secrets.restic-password.path;
       timerConfig.OnCalendar = "daily";
       paths = if ripgrep then null else paths;
       dynamicFilesFrom = if ripgrep then

services/samba/home-pc.nix

@@ -13,7 +13,7 @@
       "x-systemd.mount-timeout=5s"
 
       "uid=1000"
-      "credentials=/etc/nixos/secrets/samba"
+      "credentials=${config.age.secrets.samba.path}"
     ];
   };
 }