feat(grfn/mugwump): Set up agenix

Start setting up agenix with secrets in //users/grfn/secrets for mugwump, starting with my cloudflare API key which I use for the ddns from my home apartment Change-Id: Ida66cb91da3415357a512039d6c23402f0ae9388 Reviewed-on: https://cl.tvl.fyi/c/depot/+/4683 Reviewed-by: grfn <grfn@gws.fyi> Autosubmit: grfn <grfn@gws.fyi> Tested-by: BuildkiteCI
2021-12-26 15:11:48 -05:00 · 2021-12-26 15:11:48 -05:00 · 169d7fb874
commit 169d7fb874
parent ef62e51b7b
6 changed files with 37 additions and 2 deletions
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@ -8,6 +8,7 @@ with lib;
    (modulesPath + "/installer/scan/not-detected.nix")
    "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
    "${depot.path}/users/grfn/xanthous/server/module.nix"
+    "${depot.third_party.agenix.src}/modules/age.nix"
  ];

  networking.hostName = "mugwump";
@ -64,6 +65,12 @@ with lib;

  nix.gc.dates = "monthly";

+  age.secrets = let
+    secret = name: depot.users.grfn.secrets."${name}.age";
+  in {
+    cloudflare.file = secret "cloudflare";
+  };
+
  services.depot.auto-deploy = {
    enable = true;
    interval = "1d";
@ -132,7 +139,7 @@ with lib;
  };

  systemd.services.ddclient.serviceConfig = {
-    EnvironmentFile = "/etc/secrets/cloudflare.env";
+    EnvironmentFile = "/run/agenix/cloudflare";
    DynamicUser = lib.mkForce false;
    ExecStart = lib.mkForce (
      let runtimeDir =
@ -149,7 +156,7 @@ with lib;

  security.acme.certs."metrics.gws.fyi" = {
    dnsProvider = "cloudflare";
-    credentialsFile = "/etc/secrets/cloudflare.env";
+    credentialsFile = "/run/agenix/cloudflare";
    webroot = mkForce null;
  };