From 8798940cad00296d3a9e88988e6678eef670d21a Mon Sep 17 00:00:00 2001
From: Linnnus
Date: Sat, 30 Sep 2023 12:09:19 +0200
Subject: Move secret management to agenix

- https://nixos.wiki/wiki/Agenix
- https://github.com/ryantm/agenix
- https://jonascarpay.com/posts/2021-07-27-agenix.html
---
 hosts/ahmed/cloudflare-ddns.nix | 23 +++++++++++++++++++++++
 hosts/ahmed/cloudflare-ddns/default.nix | 23 -----------------------
 hosts/ahmed/configuration.nix | 2 +-
 hosts/common.nix | 3 ++-
 4 files changed, 26 insertions(+), 25 deletions(-)
 create mode 100644 hosts/ahmed/cloudflare-ddns.nix
 delete mode 100644 hosts/ahmed/cloudflare-ddns/default.nix
(limited to 'hosts')
diff --git a/hosts/ahmed/cloudflare-ddns.nix b/hosts/ahmed/cloudflare-ddns.nix
new file mode 100644
index 0000000..58f53b0
--- /dev/null
+++ b/hosts/ahmed/cloudflare-ddns.nix
@@ -0,0 +1,23 @@
+# This module sets up cloudflare-dyndns for .
+
+{ lib, config, ... }:
+
+let
+
+in
+{
+ age.secrets.cloudflare-dyndns-api-token = {
+ file = ../../secrets/cloudflare-ddns-token.age;
+ # TODO: configure permissions
+ };
+
+ services.cloudflare-dyndns = {
+ enable = true;
+ apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
+ proxied = true;
+ domains = [ "linus.onl" ];
+ };
+
+ # Override the systemd service generated by `services.cloudflare-dyndns` to wait for key to be decrypted.
+ systemd.services.cloudflare-dyndns.after = [ "cloudflare-ddns-key.service" ];
+}
diff --git a/hosts/ahmed/cloudflare-ddns/default.nix b/hosts/ahmed/cloudflare-ddns/default.nix
deleted file mode 100644
index 77c799c..0000000
--- a/hosts/ahmed/cloudflare-ddns/default.nix
+++ /dev/null
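Review bot: `systemd.services.cloudflare-dyndns.after = [ "cloudflare-ddns-key.service" ]` and the comment above it are carried over from the `/run/keys` mechanism this commit deletes; agenix decrypts secrets in a system activation script rather than through a per-secret `*-key.service` unit, so unless that unit is still defined somewhere else in the config the ordering is dead (systemd silently ignores `After=` on a unit that does not exist) and the comment now describes something that no longer happens — I would drop both lines. The `# TODO: configure permissions` can probably be resolved rather than deferred: agenix defaults to a root-owned 0400 file, which is the right setting if `apiTokenFile` is read by systemd as root (I recall the nixpkgs module consuming it as an `EnvironmentFile`; please confirm), and writing `mode = "0400"; owner = "root";` makes that decision explicit so it is not loosened later by accident. Related, the removed module pointed at `secrets.env`, so the decrypted `.age` content presumably still has to be in `CLOUDFLARE_API_TOKEN=...` env-file form rather than a bare token; worth checking before the first deploy, since a bare token would only fail at runtime. The header comment `# This module sets up cloudflare-dyndns for .` has lost its subject; `# This module sets up cloudflare-dyndns for linus.onl on this host.` would say what the file does.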
@@ -1,23 +0,0 @@
-# This module sets up cloudflare-dyndns for .
-
-{ lib, ... }:
-
-let
-
-in
-{
- my.secrets.cloudflare-ddns = {
- source = ./secrets.env;
- dest = "/run/keys/cloudflare-ddns.env";
- };
-
- services.cloudflare-dyndns = {
- enable = true;
- apiTokenFile = "/run/keys/cloudflare-ddns.env";
- proxied = true;
- domains = [ "linus.onl" ];
- };
-
- # Override the systemd service generated by `services.cloudflare-dyndns` to wait for key to be decrypted.
- systemd.services.cloudflare-dyndns.after = [ "cloudflare-ddns-key.service" ];
-}
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 7285962..3ac79fb 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -9,7 +9,7 @@
 ./hardware-configuration.nix
 ./ssh.nix
 ./disable-screen.nix
- ./cloudflare-ddns
+ ./cloudflare-ddns.nix
 ];
 
 # Create the main user.
diff --git a/hosts/common.nix b/hosts/common.nix
index f18c062..32baeb5 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -1,6 +1,6 @@
 # Shared configuraion regardless of hosts.
 
-{ pkgs, options, self, ... }:
+{ pkgs, options, self, flakeInputs, ... }:
 
 {
 # Enable de facto stable features.
@@ -28,6 +28,7 @@
 comma
 curl
 moreutils
+ flakeInputs.agenix.packages.${system}.default
 ];
 
 # Aliases that are burned into my muscle memory.
-- cgit v1.2.3
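Review bot: `${system}` in the added `flakeInputs.agenix.packages.${system}.default` is not bound by the module's argument set `{ pkgs, options, self, flakeInputs, ... }`, so unless `system` is introduced by a `let` or passed through `specialArgs` outside this hunk, evaluation fails with an undefined-variable error. `flakeInputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` uses a value that is already in scope and selects the platform of the host actually being built. The package list this line belongs to (presumably `environment.systemPackages`) begins outside the hunk.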