chore(agenix): refactor some secrets

2025-09-27 14:35:04 +02:00
parent 68f1cb9b09
commit f6bb6672bb
7 changed files with 22 additions and 13 deletions
--- a/modules/nixos/services/agenix/default.nix
+++ b/modules/nixos/services/agenix/default.nix
@@ -74,18 +74,11 @@ in {
          wgCredentials.file = "${self}/secrets/wgCredentials.age";
          wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age";
          gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age";
-          nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
-          nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
-          vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
-          vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
-          pihole.file = "${self}/secrets/pihole.age";
-          slskd.file = "${self}/secrets/slskd.age";
        };
      })
      (mkIf cfg.ziggy.enable {
        secrets = {
          cloudflareDnsCredentialsZiggy.file = "${self}/secrets/cloudflareDnsCredentialsZiggy.age";
-          piholeZiggy.file = "${self}/secrets/piholeZiggy.age";
        };
      })
      (mkIf cfg.toothpc.enable {
--- a/modules/server/nextcloud/default.nix
+++ b/modules/server/nextcloud/default.nix
@@ -2,6 +2,7 @@
  config,
  pkgs,
  lib,
+  self,
  ...
 }: let
  unit = "nextcloud";
@@ -45,6 +46,11 @@ in {
    };
  };
  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
+      nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
+    };
+
    server.fail2ban = lib.mkIf config.server.fail2ban.enable {
      jails = {
        nextcloud = {
--- a/modules/server/podman/default.nix
+++ b/modules/server/podman/default.nix
@@ -2,6 +2,7 @@
  config,
  lib,
  pkgs,
+  self,
  ...
 }: let
  srv = config.server;
@@ -121,6 +122,11 @@ in {
  };

  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age";
+      slskd.file = "${self}/secrets/slskd.age";
+    };
+
    virtualisation = {
      containers.enable = true;
      podman.enable = true;
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -2,14 +2,13 @@
 {
  config,
  lib,
+  self,
  ...
-}:
-let
+}: let
  inherit (lib) mkIf mkEnableOption;
  vcfg = config.services.vaultwarden.config;
  cfg = config.server.vaultwarden;
-in
-{
+in {
  options = {
    server.vaultwarden = {
      enable = mkEnableOption "Enables vaultwarden";
@@ -35,6 +34,11 @@ in
  };

  config = mkIf cfg.enable {
+    age.secrets = {
+      vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
+      vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
+    };
+
    server = {
      fail2ban = lib.mkIf config.server.fail2ban.enable {
        jails = {
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -47,14 +47,14 @@ in {
  "wgCredentials.age".publicKeys = core ++ sobotka;
  "wgSobotkaPrivateKey.age".publicKeys = core ++ sobotka;
  "gluetunEnvironment.age".publicKeys = core ++ sobotka;
-  "pihole.age".publicKeys = core ++ sobotka;
+  "sobotkaPihole.age".publicKeys = core ++ sobotka;
  "slskd.age".publicKeys = core ++ sobotka;
  "authentikEnv.age".publicKeys = core ++ sobotka;
  "traefikEnv.age".publicKeys = core ++ sobotka;

  # Ziggy-specific
  "cloudflareDnsCredentialsZiggy.age".publicKeys = core ++ ziggy;
-  "piholeZiggy.age".publicKeys = core ++ ziggy;
+  "ziggyPihole.age".publicKeys = core ++ ziggy;

  # Both sobotka + ziggy (for HA stuff like keepalived)
  "keepalived.age".publicKeys = core ++ sobotka ++ ziggy;
--- a/secrets/sobotkaPihole.age
+++ b/secrets/sobotkaPihole.age
--- a/secrets/ziggyPihole.age
+++ b/secrets/ziggyPihole.age