feat: set up agenix secrets management

2022-05-04 03:02:47 +02:00 · 2022-05-04 03:02:47 +02:00 · 5f329f550e
parent cc6226d335
commit 5f329f550e
32 changed files with 279 additions and 44 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,2 @@
 .env
 .pre-commit-config.yaml
-secrets
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1648942457,
+        "narHash": "sha256-i29Z1t3sVfCNfpp+KAfeExvpqHQSbLO1KWylTtfradU=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "0d5e59ed645e4c7b60174bc6f6aac6a203dc0b01",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "locked": {
        "lastModified": 1649676176,
@ -22,11 +42,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1651598446,
-        "narHash": "sha256-UykdAyAcf2zFW5Wbv3uXDhMg9Fd+zarrRQxfMnR2BAs=",
+        "lastModified": 1651616957,
+        "narHash": "sha256-L1Chwdxsa3VusVDgViNk7q4EIC/h8Ndw7YYKVDDRkyU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "ac722cddf44276d2b11d797b2ace273d0b674000",
+        "rev": "c13ffa3ed42a653c058d78771f4ff0ef8798e7fd",
        "type": "github"
      },
      "original": {
@ -86,11 +106,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1651598969,
-        "narHash": "sha256-TYGiklLzXEtObbEfXeI3/SZYnDNztMcxaV5BGU9Z0+c=",
+        "lastModified": 1651617509,
+        "narHash": "sha256-lEUvJ4sHYGi6AcwDCNEPnTP8+N0+eOg/KXL1QBtDMyk=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "04bdecaeaaabafd5343b41e4b57c7434ec571730",
+        "rev": "116deaecbe3ba60c6a645220ce7be96e4ff4f56f",
        "type": "github"
      },
      "original": {
@ -141,6 +161,7 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "flake-utils": "flake-utils",
        "home-manager": "home-manager",
        "nixos-hardware": "nixos-hardware",
--- a/flake.nix
+++ b/flake.nix
@ -14,6 +14,11 @@

  inputs.nur.url = "github:nix-community/NUR/master";

+  inputs.agenix = {
+    url = "github:ryantm/agenix";
+    inputs.nixpkgs.follows = "nixpkgs";
+  };
+
  inputs.pre-commit-hooks = {
    url = "github:cachix/pre-commit-hooks.nix";
    inputs.nixpkgs.follows = "nixpkgs";
@ -26,7 +31,7 @@
  };

  outputs = { self, nixpkgs, nixos-hardware, flake-utils, home-manager, nur
-    , pre-commit-hooks, nvim-kitty-navigator }@inputs:
+    , agenix, pre-commit-hooks, nvim-kitty-navigator, nixpkgs-glslls }@inputs:
    let
      overlays = {
        neovim = self: super:
@ -58,8 +63,8 @@
      };
      homeManagerModules = { git = import ./home/modules/git.nix; };
      systemDefaults = {
-        modules = [ nixosModules.flakeDefaults ];
-        overlays = [ nur.overlay overlays.neovim overlays.deconz glslls ];
+        modules = [ nixosModules.flakeDefaults agenix.nixosModule ];
+        overlays = with overlays; [ nur.overlay neovim deconz glslls ];
      };
      lib = rec {
        createSystem = hostName:
@ -100,6 +105,16 @@
            modules = [ homeManagerModules.git ];
            config = ./home/felschr.nix;
          })
+          ({ config, pkgs, ... }: {
+            age.secrets = {
+              restic-b2.file = ./secrets/restic/b2.age;
+              restic-password.file = ./secrets/restic/password.age;
+              samba.file = ./secrets/samba.age;
+              smtp.file = ./secrets/smtp.age;
+            };
+            environment.systemPackages = with pkgs;
+              [ agenix.defaultPackage.x86_64-linux ];
+          })
        ];
      };

@ -138,6 +153,29 @@
            modules = [ homeManagerModules.git ];
            config = ./home/felschr-rpi4.nix;
          })
+          ({ config, pkgs, ... }: {
+            age.secrets = {
+              hostKey.file = ./secrets/home-server/hostKey.age;
+              cfdyndns.file = ./secrets/cfdyndns.age;
+              restic-b2.file = ./secrets/restic/b2.age;
+              restic-password.file = ./secrets/restic/password.age;
+              # samba.file = ./secrets/samba.age;
+              smtp.file = ./secrets/smtp.age;
+              mqtt-felix.file = ./secrets/mqtt/felix.age;
+              mqtt-birgit.file = ./secrets/mqtt/birgit.age;
+              mqtt-hass.file = ./secrets/mqtt/hass.age;
+              mqtt-tasmota.file = ./secrets/mqtt/tasmota.age;
+              mqtt-owntracks.file = ./secrets/mqtt/owntracks.age;
+              mqtt-owntracks-plain.file = ./secrets/mqtt/owntracks-plain.age;
+              owntracks-htpasswd.file = ./secrets/owntracks/htpasswd.age;
+              etebase-server.file = ./secrets/etebase-server.age;
+              miniflux.file = ./secrets/miniflux.age;
+              paperless.file = ./secrets/paperless.age;
+              nextcloud-admin.file = ./secrets/nextcloud/admin.age;
+            };
+            environment.systemPackages = with pkgs;
+              [ agenix.defaultPackage.x86_64-linux ];
+          })
        ];
      };

--- a/home-pc.nix
+++ b/home-pc.nix
@ -34,6 +34,13 @@

  programs.zsh.enable = true;

+  services.openssh = {
+    enable = true;
+    kbdInteractiveAuthentication = false;
+    passwordAuthentication = false;
+    permitRootLogin = "no";
+  };
+
  networking.firewall.allowedTCPPorts = [
    58324 # transmission
  ];
--- a/rpi4.nix
+++ b/rpi4.nix
@ -63,7 +63,7 @@ in with builtins; {
    use = "web";
    zone = "felschr.com";
    username = "felschr@pm.me";
-    passwordFile = "/etc/nixos/secrets/cfdyndns-apikey";
+    passwordFile = config.age.secrets.cfdyndns.path;
    domains = [
      "home.felschr.com"
      "cloud.felschr.com"
--- a/secrets/cfdyndns.age
+++ b/secrets/cfdyndns.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA Emv7LuDzOeexxdx2VAcq4eHd1Ui0i8SC5TTuiGZOO30
+SnveZYGyGw1ScrHiGKeTCcF4+gVX8JSc3SctDAztJAE
+-> ssh-ed25519 lJaKnA J355LOx5+epedQBxWKzPkl5AE/dGhMvWDx1e602Pcmk
+qRJqL5xgUmP35K7BSa+J/eZKfIGWYbSKWdtnvkABPq8
+-> ssh-ed25519 lJaKnA /eU6VAS8l8D0P9gQoGnkiOLkS+RMRtvexHsGMYr0PS0
+SBbQ2dGElppICUmUxtMrCJuSoEqG19FK/+jSj/N0Prc
+-> ySZ!-grease t[TQ^2 7st Z=@p5*y
+HuR5RgLmPS3L10XdpXFMXIJ9EWYKfpp9c3NdZLXMTcEtpasU7bK9
+--- UGXt/VHxcQjXGCOTY44K5NnXCw2nhwgCISFy3q6eMbw
+¡’.}he|¿jœ0n=v6±@hŒöM¹¤ü–bëÎ±çŠMÜ)Ñ/Õ¥‚†Áÿµ·Bë©j,‹ÿ3çÂ¶aß%²«%‰
--- a/secrets/etebase-server.age
+++ b/secrets/etebase-server.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA PiJaReRK5NQZCDIflhIcHk1Oq6rgjj5ypd8FHgKd/kE
+xMFuaJRHVLNQ2tuKIASzTwT1thx7eRu70Bu0QcFy6MY
+-> ssh-ed25519 lJaKnA FIpBmZMfYSYG6lYgkeao7WCNA7rqhLW0611ZvEfY4Tw
+Eg4J4FhHi3IGobunEp6HI/TYL8YM3cK0MVtjjtzXzWk
+-> ssh-ed25519 lJaKnA vFQD+W6AUUnCQQGaESC0CkzNAU3bpX6Fhe/SwUmXbX8
+DK7gzSaASAsF5Gnjnsre1sp8roRAcO/ir375H/KpISk
+-> &QP@0b-grease k7$s7 8\h&#a ei| QHd^p;ZF
+WSmIa6aLNAlhZrMHAFCwHzPb3PDVeOoGOoZLmGFYbAQVtvb6f2bViQ
+--- 0xuMti4919O+zoKW2QmriKd7/596BI7GOqIcBhATDu0
+ô× _óÊiÔòÃI-%æï¼\\qg`Vm$/ÿ‡±D5öIî²XšÞÒÚw\MÛø<WÞž*fBUK$@jt;êõš–Ú2ƒÊ2@
+·é
--- a/secrets/home-server/hostKey.age
+++ b/secrets/home-server/hostKey.age
--- a/secrets/miniflux.age
+++ b/secrets/miniflux.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 4iybMfkurGBEDspucYYcgRDxCUsCC4QBTlpFs2DgK0Y
+6ybOeDNPt1li/676g6YYi48ayGhwdADpVREUn18PF8M
+-> ssh-ed25519 lJaKnA BJZQVEzgQRxlllIRKWuNS2yWbxSqg4cRIYhCX17W0F4
+qwwHkX6S9w2ThoGFceDTQxF2cI1rCAzW1O30Gghhd2E
+-> ssh-ed25519 lJaKnA GM8nbZz4k5ervWWtxms+3nslzUrD6B7T22OhoXlko0s
+obBIKd7KQiRNdKqHIK7GF5nuL6d1gl9LuylfpojBRfc
+-> G?-grease DH=|Af jdM6?L2 C3]pza"
+Bttx2gTtRctBmFAzZgXciFHsYG+gM+YdnuD18Jf7a5lhAMDIEJsEcruaqOoHVB8z
+jKgp6mtVweMNmGAH/lUP+9ARDShCThvJPduubVZgCfDRiOK3hxcVRtO+DxjJ
+--- l4j5QC9J2Zof2U/F/HXxj509cvZfSV4CKLcB6xVdgW4
+F¯Îââ?ò®†«Q;"°MUox3º9ýAÑ	'6é‚’Ë¤`#¤2-®O â_Ã5÷4ìÈU‹ŒJA!ì‰×'Q¹ºl¶Ñöí¢=_Ž&jù›ÛJºîïHî«A¶.c/³<>7Eo¡*¡'oÿLVT
--- a/secrets/mqtt/birgit.age
+++ b/secrets/mqtt/birgit.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA faxHH3lztiUsqL3pIfsCLYyEvJQRKTzdHZ9ZQBY0ZiE
+sqF7QhvixdTe+W6ejULAt0g6iTO6i039bQAXQTnKBQg
+-> ssh-ed25519 lJaKnA 3udnbkWVw15uUKUrN88ClL41r5tiFTkZ/EskHq1kzHQ
+4JX/zV9kNVjJpcYqLMpX6KlmRiiuArZSQ+W7aw1QvHg
+-> ssh-ed25519 lJaKnA amRDwgekxxMTM+xiyYcpw0NrvlgIGFugsz3RkPObZ3c
+oC2rhhYfUg+FeU8s2WSyQwdXjH+0OTv1vYW8nu5HYx0
+-> !w-grease TE w-n 7K-t)0h+ ?8
+E5SI33giJqUQSZsWDP6soRdg+tQQI0DX9J7xNXtFkzPz8qVNuw5pgQ4vMW/Bzqi1
+
+--- ars8pQpDQPk9xsIBm58zuB5gasfkLBj9jaUVnJRUS5g
+ Z<C2A0><DŔő±WąˇUl9<>˘ WsĄ«Q`}W`´ľ«e; ŐĐm™
kť×UęčđR%*Ň„{1L.î2Ţ¶Ý(¦bŐŤ”+z\Ú`•Ô·č
+”ŇŃÚŤA8ˇTŘ0Ä) ;ÖĘ9?60a_S7(ř$őŢ÷ĺ‡„	¶X”Ü™=HE)
--- a/secrets/mqtt/felix.age
+++ b/secrets/mqtt/felix.age
--- a/secrets/mqtt/hass.age
+++ b/secrets/mqtt/hass.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA JOMz5YdPIoGZevxlmInkiPA4ihiBADP3oI2jYd2rqwI
+lve12oZbEgjbUg4I4HLY0s+BxFACyMGYn+OPESenwxQ
+-> ssh-ed25519 lJaKnA gI1N9OByqOZyU1dDDsFL2eSrsYajUnTNYrHmjSQFbgw
+ZvkkMjgp/ZQWJbtK9VvBVomXfAa3UP2pedB21Wzd4OU
+-> ssh-ed25519 lJaKnA NG74HNqwQf+f3BgcIFkobLtJBR84iU4vWgaQ35Hz/QI
+n/cyj5lkcnVP8QIYrjdgrS1smM/HtoNInX5S+CylFCI
+-> {+%}-grease ts3
+xV6pJqcF5eys768Ebfnc
+--- 4c28/eIybtMWAKq/QKIk3iLhxW8TKw9ppXV6AUXs5uw
+å’ŒÕ»Øa™MN% §Äþ@ŽGíýœÓ¾w¶ªÄi¤—¹&@žT|æå"<22>Ô1ƒø<C692><C3B8>7¶yåÔI¶BkUÉáÜ	rÌLØƒõ¿»áÀˆ?œhUð?ç¹_Ù%“’ÆR<C386>	dBL‹‡wrI u‹-<2D>âSžõb6K@>c(éÄAfú]	®DMÏ
--- a/secrets/mqtt/owntracks-plain.age
+++ b/secrets/mqtt/owntracks-plain.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 9ZDFWbY8ASraHwjd0JuvAZfTSWFgF2qsp6nG6rJPgz0
+pG8rnhj9VKn5daVED/xumCSvvgMAhuR/9asfZqAUsjk
+-> ssh-ed25519 lJaKnA evqpHayE6msY4w3SoVar9gbH8u8eLBZPe6p7Bb+Yhjw
+m1v4Nbhnhb5g9aNEv7v/73PXGwPzX8479Hoot4Xw1S8
+-> ssh-ed25519 lJaKnA zYmrvOXvmG5pMmEj+rAG7Fup2xa+a+FAkQRBfdqsdmY
+Z8LrR55uu6RQOfio2e5l6AkndlN8gJ3PK00vlbz1L6w
+-> _-grease k/_|
+RnSdSY+/8WfoCjSSjyXt95UbSy2H5Xo+ZddNgo3McJhYZ4e+4KfVWKShh8A
+--- uPq0CoCBxWjMHmMGsOJVuYokN/FUdGbf6JhMmlkHk/o
+"%ﾏovｲょ紅4@ﾌ<><EFBE8C>lｧ(0閘H$ﾚsKﾛｻﾋ募ｹ<1D>絣f$ｴｾ4所ｽ%ﾆ!z`,<2C>ｨ!Gﾇ
--- a/secrets/mqtt/owntracks.age
+++ b/secrets/mqtt/owntracks.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 9APgopeRiTUoUlAv9y7JJc/qVz4Joh5GGV2gDx8len0
+68e/QQpbpJfodwDP3wVAlK6OizsUqnYO60JM+z132K4
+-> ssh-ed25519 lJaKnA XofGre3Pp6+alLDM4Uirpd3EzfK07etl2aDG2CE/kE0
+l17gDsyyvlFaCe7xe/2xGA3HbUpHcAK9vsQSgJEeRgw
+-> ssh-ed25519 lJaKnA As7CB1OUAprJdLh59D0GDZxaX4wfJTepuHTafuk/W2E
+7TmnXgc0pZVwC+ZDtkK0Q80cKI73ioihiHdkNrd7Mt8
+-> 6-grease 3$\~e`: iv$y.x: qmtg87 Zu
+QN1eUCtxbXQl8hUfoDNH4w2nZJGcTr6u56DgeoR3yv/63jcmatAg2Tjj1j+oC4db
+Eg
+--- dCHdmNkda0Qcbz0dFoOrLwxf1j+JOO/t2zBWI8jr3Yw
+^©‚O‹€ê¬v„gÞA_´t–ÀÁ`GMôRR‡Á¦	|Qþ.•P<™±+Vô¯Ž±Oz<4F>ju‡å÷©á{©Q.zCb©ÖCkìòÂ´Zoa+áz"»Mv^õŒ„ÇS<C387>†ìY£ä9¸`Œ'ýŒkü•›ªãGêM‰øDíêyh
+ùph‰¢
--- a/secrets/mqtt/tasmota.age
+++ b/secrets/mqtt/tasmota.age
@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA RwiNDZQbaam7wumvD5lMya9nJAPjBeadTZNgwRP+P3Y
+s+RQNFXBNFcmODZkUkrOJ6/hWHyNT/9I/xMQyQZTVlQ
+-> ssh-ed25519 lJaKnA ohDv40O7aE3OS2LKoUHpqxJS/ieIJT8j09+7XSKsyXs
+qjIge/Vr+KYgsl9mHMyU4i/u+8WeacvqtOWn65t8mjU
+-> ssh-ed25519 lJaKnA +V5DEilKUoZXCiUT1PXCbS1BLle2YnnOJNmidgkIsxY
+0lBl9QVJEJrk/aeV54ekFg8KUEP7MaIM+QPHfZL4rgg
+-> =1`m\-grease +wT5Dx TI)H
+tIFfbrDUu9t78n1Wt+YlgIkHr6NMDgNXgFj8SF+psNkGXP1dLXK8qK0bNRJy+irq
+vigAG5CtTx3YPWIg6ZuiGhpsZdWFBqNPCbimSeDxbuxXIF628yJqbU66q/vFjqdN
+pEI
+--- PX2eCsYZBakfzt72x6uZ8X0nRvcCN+XDsGgXgz9biyo
+õïeDÀu5‚´ypÉ*ºp0ÿŒ<Àá–ý|\§PðØùÓd#‘^å™¥»S±‰Ô¼lÈèWOòÀ|Wª76O-Œ¸Ä”—è¿ŸÆý±Ô]_Ç:øÔÞ›ã‰œžë"€ß¹$âµñvQˆ]ŠsºáÚªÝœ÷kxØÁ
+pfJJ×Ì¯»Ë;WN
--- a/secrets/nextcloud/admin.age
+++ b/secrets/nextcloud/admin.age
--- a/secrets/owntracks/htpasswd.age
+++ b/secrets/owntracks/htpasswd.age
--- a/secrets/paperless.age
+++ b/secrets/paperless.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA PnM/rcfmbOTuCsk1FxEOPZZOw+HoBdKJsOWPX5StCzo
+eHOMjzow7uJv+AFgg7LpHkIerObFRiTmGDnlDPYuug8
+-> ssh-ed25519 lJaKnA SBliQvSaM3MsANtYIeA5lLmGdYCddQvHtCPnbE7AwxU
+DJ6Da2Oo3Vw0ZjqLzzHYjC1Fx9jf3sZFSKr0ENswENs
+-> ssh-ed25519 lJaKnA 114+dYd75UOk38aM47rYxReZbqzRr85db0T4cD4Kll8
+bFso7p5rMbp2D+Hve79NJVuBLQNLSyIxuJqhlVKVOG4
+-> 'w,HX)U-grease
+pc+FROn+syWXfA
+--- 4JJ+abXUqrakmR6ykdbOGRuAxwlqWodcsCd/ljZjkak
+örol)lÁb¶|Lƒ°Ë²±£X‚òc0…3²Æ»ç´–m†É%<25>53
!Ò©8JFA™¥PGõ[ˆÜÞ<C39C>zøzÂƒ¾fêˆ:K
--- a/secrets/restic/b2.age
+++ b/secrets/restic/b2.age
--- a/secrets/restic/password.age
+++ b/secrets/restic/password.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA fbM8lDDIcSZuJuz7/wXRJMcTRTGGOlDeH0RxPq0OzBI
+FlmhO4F+26Y7qVKjUheeDLy6mq6hvHotBtXx3Kb+8Vw
+-> ssh-ed25519 lJaKnA o9ze7N8CYlBzsq1KjRmbewuN6CPkoZD/9B1qHK7x82U
+GlOVGR73HtZimuk5oZAQLxVN5LISX1eWpYTWBld9M5Y
+-> ssh-ed25519 lJaKnA YPaLYoPKH+TU8Y710gxn2tqenlRrEVT7/75mW7URsHU
+VySQYMgmHDGnnWsMk9m+0xkOWvpeIAZ3ud+YzFPsb4c
+-> fa[~+&A-grease (NimzZu
+Dz/ZPmLAUm8/2uyzdjOpQDRqzknifW0xxvJdTXMFZslYbNDO/2kw56yXqI5QHVXr
+pvQ55xiQ+bhyqC7f7zb3IIVPL9X1rBXCiwzEGyjgAHgDPWxq4n8LsFmK0OQ
+--- olMB+qz19Awqlt03jGB1jirQ4GB2FzDFARKTiaXTlME
+ˆñ›æD™ ë· Í ÜÛë¨ú ‰ {´ÏD=Ð9
+ôEÚd<EFBFBD>²s™µmÏÎ×Ê’ fb#0®ñŒþ:_‚
--- a/secrets/samba.age
+++ b/secrets/samba.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,36 @@
+let
+  # age-specific key in ~/.ssh/id_ed25519: `ssh-keygen -t ed25519`
+  felschr =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbQpMo1JOGk59Rzl6pVoOcMHOoqezph+aIlEXZP4rBu";
+  users = [ felschr ];
+
+  # `ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key`
+  home-pc =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFTQvIcSdhEKl/Kq+pcS/cPCyyZ1ygj+djfuaXzaRMx";
+  home-server =
+    # TODO which key is correct?
+    # ssh-keyscan:
+    # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw/BoHY5LGtQblqwZA65/awp30lB/OQABd9dD7wc18n";
+    # /etc/ssh/ssh_host_ed25519_key.pub:
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFTQvIcSdhEKl/Kq+pcS/cPCyyZ1ygj+djfuaXzaRMx";
+  systems = [ home-pc home-server ];
+in {
+  "restic/b2.age".publicKeys = [ felschr home-pc home-server ];
+  "restic/password.age".publicKeys = [ felschr home-pc home-server ];
+  "smtp.age".publicKeys = [ felschr home-pc home-server ];
+  "samba.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/felix.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/birgit.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/hass.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/tasmota.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/owntracks.age".publicKeys = [ felschr home-pc home-server ];
+  "mqtt/owntracks-plain.age".publicKeys = [ felschr home-pc home-server ];
+  "cfdyndns.age".publicKeys = [ felschr home-pc home-server ];
+  "owntracks/htpasswd.age".publicKeys = [ felschr home-pc home-server ];
+  "etebase-server.age".publicKeys = [ felschr home-pc home-server ];
+  "miniflux.age".publicKeys = [ felschr home-pc home-server ];
+  "paperless.age".publicKeys = [ felschr home-pc home-server ];
+  "nextcloud/admin.age".publicKeys = [ felschr home-pc home-server ];
+
+  "home-server/hostKey.age".publicKeys = [ felschr home-server ];
+}
--- a/secrets/smtp.age
+++ b/secrets/smtp.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA 43J8smzoqtcwu7PTuDqMKDhrZY4SOTnkW7QPaucr5Ec
+2yzgWNtcIwlzmzemrMViGcSNjaXh1ZByhDuz8rNgJiY
+-> ssh-ed25519 lJaKnA e1Z8S7N7Uy4HXOak0Kv4LmDIwYZwBGtBlj4IhxenGAg
+uX76aQ070jWZSJAukU2PUlbnqc5DRm8inI/K7oQr0aI
+-> ssh-ed25519 lJaKnA jjDu7ZCYJd/acTpA370El9M7r57Cng2nanBZQ1et+Qo
+3kdlDpUQmWeFLjQTxvYIChG7l1tFD9nGdelaxmVUmGE
+-> Nm$>*-grease
+vr3ixslEPoZymosVwpW1M5D5t2W8JMN6/q2/ANyx6cb/mufaXIarQHiEHTM5SKzP
+T1iEoaPmOInemN2mwUozamlpXYN45RmZHGRGkk1SuI9W7VL76SdbkqJJtryJjhE
+--- vIejhGkUPWUAjgWK/mkftMPVYUuiD3ovjz7v/qLa5F8
+†Ó\\ ¨öò'z	¢æšîóL0œ»æÇÑ5·g¸oã»Wá‘‡‘„ÆÇ#¬Ž„ëx•[Ê«<E½°Ø"Ê®Ë& †C‹NzÀ_Œ
--- a/services/etebase.nix
+++ b/services/etebase.nix
@ -5,7 +5,7 @@ in {
  services.etebase-server.enable = true;
  services.etebase-server.openFirewall = true;
  services.etebase-server.settings = {
-    global = { secret_file = "/etc/nixos/secrets/etebase-server"; };
+    global = { secret_file = config.age.secrets.etebase-server.path; };
    allowed_hosts = { allowed_host1 = etebaseHost; };
  };

--- a/services/mail.nix
+++ b/services/mail.nix
@ -14,7 +14,7 @@
      host = "smtp.web.de";
      port = 587;
      user = "felschr@web.de";
-      passwordeval = "cat /etc/nixos/secrets/smtp";
+      passwordeval = "cat ${config.age.secrets.smtp.path}";
      # from = "%U@server.felschr.com";
      from = user;
    };
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@ -4,7 +4,7 @@ let port = 8002;
 in {
  services.miniflux = {
    enable = true;
-    adminCredentialsFile = "/etc/nixos/secrets/miniflux";
+    adminCredentialsFile = config.age.secrets.miniflux.path;
    config = { LISTEN_ADDR = "localhost:${toString port}"; };
  };

--- a/services/mosquitto.nix
+++ b/services/mosquitto.nix
@ -31,15 +31,15 @@ in {
              "readwrite tasmota/#"
              "readwrite owntracks/#"
            ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/hass";
+            hashedPasswordFile = config.age.secrets.mqtt-hass.path;
          };
          "tasmota" = {
            acl = [ "readwrite tasmota/#" "readwrite homeassistant/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/tasmota";
+            hashedPasswordFile = config.age.secrets.mqtt-tasmota.path;
          };
          "owntracks" = {
            acl = [ "readwrite owntracks/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/owntracks";
+            hashedPasswordFile = config.age.secrets.mqtt-owntracks.path;
          };
        };
      }
@ -49,11 +49,11 @@ in {
        users = {
          "felix" = {
            acl = [ "read owntracks/#" "readwrite owntracks/felix/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/felix";
+            hashedPasswordFile = config.age.secrets.mqtt-felix.path;
          };
          "birgit" = {
            acl = [ "read owntracks/#" "readwrite owntracks/birgit/#" ];
-            hashedPasswordFile = "/etc/nixos/secrets/mqtt/birgit";
+            hashedPasswordFile = config.age.secrets.mqtt-birgit.path;
          };
        };
      }
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -10,7 +10,7 @@ in {
    maxUploadSize = "10G";
    config = {
      adminuser = "admin";
-      adminpassFile = "/etc/nixos/secrets/nextcloud/admin";
+      adminpassFile = config.age.secrets.nextcloud-admin.path;
      dbtype = "pgsql";
      dbhost = "/run/postgresql";
    };
--- a/services/owntracks.nix
+++ b/services/owntracks.nix
@ -25,7 +25,7 @@ in {
      ];
      extraOptions = [
        # TODO systemd doesn't substitute variables because it doesn't run in a shell
-        # "-e OTR_PASS=\"$(cat /etc/nixos/secrets/mqtt/owntracks-plain)\""
+        # "-e OTR_PASS=\"$(cat ${config.age.secrets.mqtt-owntracks-plain.path})\""
        "--network=host"
      ];
    };
@ -49,7 +49,7 @@ in {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://localhost:8085";
-        basicAuthFile = "/etc/nixos/secrets/owntracks/htpasswd";
+        basicAuthFile = config.age.secrets.owntracks-htpasswd.path;
      };
    };
  };
--- a/services/paperless.nix
+++ b/services/paperless.nix
@ -2,10 +2,10 @@

 let port = 28981;
 in {
-  services.paperless-ng = {
+  /* services.paperless-ng = {
     enable = true;
     inherit port;
-    passwordFile = "/etc/nixos/secrets/paperless";
+     passwordFile = config.age.secrets.paperless.path;
     extraConfig = {
     PAPERLESS_ADMIN_USER = "felschr";
     PAPERLESS_OCR_LANGUAGE = "deu+eng";
@ -22,4 +22,5 @@ in {
     };
     };
     };
+  */
 }
--- a/services/restic/common.nix
+++ b/services/restic/common.nix
@ -22,8 +22,8 @@ in {
    {
      initialize = true;
      repository = "b2:felschr-backups:/${name}";
-      environmentFile = "/etc/nixos/secrets/restic/b2";
-      passwordFile = "/etc/nixos/secrets/restic/password";
+      environmentFile = config.age.secrets.restic-b2.path;
+      passwordFile = config.age.secrets.restic-password.path;
      timerConfig.OnCalendar = "daily";
      paths = if ripgrep then null else paths;
      dynamicFilesFrom = if ripgrep then
--- a/services/samba/home-pc.nix
+++ b/services/samba/home-pc.nix
@ -13,7 +13,7 @@
      "x-systemd.mount-timeout=5s"

      "uid=1000"
-      "credentials=/etc/nixos/secrets/samba"
+      "credentials=${config.age.secrets.samba.path}"
    ];
  };
 }