Move secret management to agenix

- https://nixos.wiki/wiki/Agenix
- https://github.com/ryantm/agenix
- https://jonascarpay.com/posts/2021-07-27-agenix.html

3 files changed, 8 insertions, 7 deletions

diff --git a/hosts/ahmed/cloudflare-ddns/default.nix b/hosts/ahmed/cloudflare-ddns.nix
index 77c799c..58f53b0 100644
--- a/hosts/ahmed/cloudflare-ddns/default.nix
+++ b/hosts/ahmed/cloudflare-ddns.nix
@@ -1,19 +1,19 @@
 # This module sets up cloudflare-dyndns for <linus.onl>.
 
-{ lib, ... }:
+{ lib, config, ... }:
 
 let
 
 in
 {
-  my.secrets.cloudflare-ddns = {
-    source = ./secrets.env;
-    dest = "/run/keys/cloudflare-ddns.env";
+  age.secrets.cloudflare-dyndns-api-token = {
+    file = ../../secrets/cloudflare-ddns-token.age;
+    # TODO: configure permissions
   };
 
   services.cloudflare-dyndns = {
     enable = true;
-    apiTokenFile =  "/run/keys/cloudflare-ddns.env";
+    apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
     proxied = true;
     domains = [ "linus.onl" ];
   };
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 7285962..3ac79fb 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -9,7 +9,7 @@
       ./hardware-configuration.nix
       ./ssh.nix
       ./disable-screen.nix
-      ./cloudflare-ddns
+      ./cloudflare-ddns.nix
     ];
 
   # Create the main user.
diff --git a/hosts/common.nix b/hosts/common.nix
index f18c062..32baeb5 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -1,6 +1,6 @@
 # Shared configuraion regardless of hosts.
 
-{ pkgs, options, self, ... }:
+{ pkgs, options, self, flakeInputs, ... }:
 
 {
   # Enable de facto stable features.
@@ -28,6 +28,7 @@
     comma
     curl
     moreutils
+    flakeInputs.agenix.packages.${system}.default
   ];
 
   # Aliases that are burned into my muscle memory.