-rw-r--r--hosts/tahoe/services.nix6
-rw-r--r--lib/default.nix1
-rw-r--r--lib/private-wireguard.nix18
-rw-r--r--modules/default.nix2
-rw-r--r--modules/secrets/default.nix24
-rw-r--r--modules/secrets/network/aptos/wireguard_privatekey.age (renamed from secrets/network/aptos/wireguard_privatekey.age)bin467 -> 467 bytes
-rw-r--r--modules/secrets/network/tahoe/wireguard_privatekey.age (renamed from secrets/network/tahoe/wireguard_privatekey.age)bin616 -> 616 bytes
-rw-r--r--modules/secrets/rclone/config.ini.age (renamed from secrets/rclone/config.ini.age)bin616 -> 616 bytes
-rw-r--r--modules/secrets/rclone/gcs_service_account.json.age (renamed from secrets/rclone/gcs_service_account.json.age)bin2864 -> 2864 bytes
-rw-r--r--modules/secrets/restic/repo-systems.age (renamed from secrets/restic/repo-systems.age)0
-rw-r--r--modules/secrets/secrets.nix27
-rw-r--r--modules/secrets/traefik/gcp_service_account.json.age (renamed from secrets/traefik/gcp_service_account.json.age)bin2827 -> 2827 bytes
-rw-r--r--modules/secrets/unifi/unifi-poller.age (renamed from secrets/unifi/unifi-poller.age)0
-rw-r--r--modules/services/backup/default.nix7
-rw-r--r--modules/services/rclone/default.nix16
-rw-r--r--modules/services/traefik/default.nix8
-rw-r--r--modules/services/unifi/default.nix10
-rw-r--r--secrets.nix28
18 files changed, 76 insertions, 71 deletions
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
index 535eb8d..9bd9a35 100644
--- a/hosts/tahoe/services.nix
+++ b/hosts/tahoe/services.nix
@@ -1,6 +1,6 @@
{ ... }:
-
-{
+let secrets = config.age.secrets;
+in {
my.services = {
samba = {
enable = true;
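Review bot: `config` is referenced on the new `let secrets = config.age.secrets;` line, but the module header two lines above is `{ ... }:`, which does not bind it; Nix rejects an unbound variable when the file is parsed, so this module cannot be loaded as written. The removed line carried the same unbound reference (plus the misspelled `restic-repo-systemms`), which suggests tahoe has not been evaluated with this file recently. Change the header to `{ config, ... }:`.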
@@ -24,7 +24,7 @@
backup = {
repository = "/data/slow/backups/systems";
timerConfig = { oncalendar = "00:15"; };
- passwordFile = config.age.secrets.restic-repo-systemms.path;
+ passwordFile = secrets."restic/repo-systems".path;
paths = [ "/data/fast/music" "/data/fast/photos" "/data/fast/videos" ];
};
};
diff --git a/lib/default.nix b/lib/default.nix
index 26cd954..4331bf3 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -11,7 +11,6 @@
inherit inputs system hostname;
};
modules = [
- inputs.agenix.nixosModules.age
../modules
../profiles
../hosts/${hostname}
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
index 5369c3f..d77c7dd 100644
--- a/lib/private-wireguard.nix
+++ b/lib/private-wireguard.nix
@@ -3,7 +3,7 @@
let
inherit (lib) mkEnableOption mkOption mkIf types;
inherit (builtins) readFile fromTOML fromJSON;
-
+ secrets = config.age.secrets;
cfg = config.networking.private-wireguard;
port = 51871;
wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
@@ -16,22 +16,17 @@ in {
};
config = lib.mkIf cfg.enable {
- age.secrets.wg-privkey = {
- file = ../secrets/network/${config.networking.hostName}/wireguard_privatekey.age;
- mode = "0440";
- owner = "0";
- };
-
networking = {
wireguard.interfaces.wg0 = {
listenPort = port;
- privateKeyFile = "/run/agenix/wg-privkey";
+ privateKeyFile =
+ secrets."network/${config.networking.hostName}/wireguard_privatekey".path;
ips = [
"${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
];
- peers = lib.mapAttrsToList
- (name: peer: {
+ peers = lib.mapAttrsToList (name: peer:
+ {
allowedIPs = [
"${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
];
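Review bot: The new `privateKeyFile` indexes `secrets` with a hostname-derived attribute name, so a host that enables `networking.private-wireguard` without a matching `network/<host>/wireguard_privatekey.age` entry in modules/secrets/secrets.nix fails with a bare attribute-missing error instead of one pointing at the secrets file; consider binding `wgKey = "network/${config.networking.hostName}/wireguard_privatekey";` in the `let` and writing `privateKeyFile = (secrets.${wgKey} or (throw "no wireguard key for ${config.networking.hostName} in modules/secrets/secrets.nix")).path;`. Dropping the explicit `mode = "0440"; owner = "0";` looks safe: the central module sets the owner to root and leaves agenix's default mode, which is presumably no looser than 0440, and only the kernel needs to read the key. The enclosing `config` block continues outside the hunk.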
@@ -40,8 +35,7 @@ in {
endpoint = "${peer.externalIp}:${toString port}";
} // lib.optionalAttrs (!(thisPeer ? externalIp)) {
persistentKeepalive = 10;
- })
- otherPeers;
+ }) otherPeers;
};
};
};
diff --git a/modules/default.nix b/modules/default.nix
index 54aa833..0885f69 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,7 +1,7 @@
{ lib, ... }:
{
- imports = [ ./hardware ./system ./services ./home ./programs ];
+ imports = [ ./hardware ./system ./services ./home ./programs ./secrets ];
options.my = with lib; {
user = {
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..e6f3a7b
--- /dev/null
+++ b/modules/secrets/default.nix
@@ -0,0 +1,24 @@
+{ config, inputs, lib, options, ... }:
+
+{
+ imports = [ inputs.agenix.nixosModules.age ];
+
+ config.age = {
+ secrets = let
+ toName = lib.removeSuffix ".age";
+ userExists = u: builtins.hasAttr u config.users.users;
+ # Only set the user if it exists, to avoid warnings
+ userIfExists = u: if userExists u then u else "root";
+ toSecret = name:
+ { owner ? "root", ... }: {
+ file = ./. + "/${name}";
+ owner = lib.mkDefault (userIfExists owner);
+ };
+ convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+ secrets = import ./secrets.nix;
+ in lib.mapAttrs' convertSecrets secrets;
+
+ identityPaths = options.age.identityPaths.default
+ ++ [ "/home/fcuny/.ssh/id_ed25519" ];
+ };
+}
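Review bot: `identityPaths` appends `/home/fcuny/.ssh/id_ed25519`, a personal key in a user-writable home directory, to the identities root uses to decrypt every system secret at activation, although each entry in modules/secrets/secrets.nix already lists the host key (`aptos` or `tahoe`), so the default host identities should suffice. That makes activation-time decryption depend on a file outside root's control and blurs the host-key versus operator-key boundary; drop the extra path, or if it is a deliberate fallback, say so with `# operator key as fallback only; host keys are recipients of every secret`. Two smaller points: `userExists` reads `config.users.users` from inside `config.age.secrets`, so any user definition that itself reads an age secret path would form an evaluation cycle (presumably none does today), and `userIfExists` silently substitutes `root` when the named user is absent, which turns a misspelled `owner` into a root-owned secret the service cannot read. A comment such as `# NOTE: an unknown owner silently falls back to root; double-check the service user name` would make that failure mode visible.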
diff --git a/secrets/network/aptos/wireguard_privatekey.age b/modules/secrets/network/aptos/wireguard_privatekey.age
index 2f6edf3..2f6edf3 100644
--- a/secrets/network/aptos/wireguard_privatekey.age
+++ b/modules/secrets/network/aptos/wireguard_privatekey.age
Binary files differ
diff --git a/secrets/network/tahoe/wireguard_privatekey.age b/modules/secrets/network/tahoe/wireguard_privatekey.age
index 4304cfe..4304cfe 100644
--- a/secrets/network/tahoe/wireguard_privatekey.age
+++ b/modules/secrets/network/tahoe/wireguard_privatekey.age
Binary files differ
diff --git a/secrets/rclone/config.ini.age b/modules/secrets/rclone/config.ini.age
index a017b29..a017b29 100644
--- a/secrets/rclone/config.ini.age
+++ b/modules/secrets/rclone/config.ini.age
Binary files differ
diff --git a/secrets/rclone/gcs_service_account.json.age b/modules/secrets/rclone/gcs_service_account.json.age
index 982dd30..982dd30 100644
--- a/secrets/rclone/gcs_service_account.json.age
+++ b/modules/secrets/rclone/gcs_service_account.json.age
Binary files differ
diff --git a/secrets/restic/repo-systems.age b/modules/secrets/restic/repo-systems.age
index 79363e6..79363e6 100644
--- a/secrets/restic/repo-systems.age
+++ b/modules/secrets/restic/repo-systems.age
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
new file mode 100644
index 0000000..45b1d33
--- /dev/null
+++ b/modules/secrets/secrets.nix
@@ -0,0 +1,27 @@
+let
+ fcuny_aptos =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl";
+ users = [ fcuny_aptos ];
+
+ aptos =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTcPGaiL+/Mwl8JzLHrBwas7QvWPjix4lnaAA1tw+5t";
+ tahoe =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEq1IQRvj2jofCHOO6M28w2SRdgtHU06NJvwAwv/b69F";
+
+ systems = [ aptos tahoe ];
+in {
+ "network/aptos/wireguard_privatekey.age".publicKeys = [ fcuny_aptos aptos ];
+
+ "network/tahoe/wireguard_privatekey.age".publicKeys =
+ [ fcuny_aptos aptos tahoe ];
+
+ "traefik/gcp_service_account.json.age".publicKeys =
+ [ fcuny_aptos aptos tahoe ];
+
+ "unifi/unifi-poller.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+
+ "restic/repo-systems.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+ "rclone/config.ini.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+ "rclone/gcs_service_account.json.age".publicKeys =
+ [ fcuny_aptos aptos tahoe ];
+}
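Review bot: None of the entries here carry an `owner`, and `toSecret` in modules/secrets/default.nix defaults `owner` to `root`, so the traefik and unifi-poller credentials lose the `owner = "traefik"` and `owner = "unifi-poller"` that the declarations removed in modules/services/traefik/default.nix and modules/services/unifi/default.nix had set; with agenix's default mode those two files become root-only and the services, which read them as their own users, will fail with permission denied. Add the owner next to the recipients: `"traefik/gcp_service_account.json.age" = { publicKeys = [ fcuny_aptos aptos tahoe ]; owner = "traefik"; };` and `"unifi/unifi-poller.age" = { publicKeys = [ fcuny_aptos aptos tahoe ]; owner = "unifi-poller"; };` — the agenix CLI reads only `publicKeys` from this file, so the extra attribute does not affect editing or rekeying. The `users` and `systems` bindings are defined but never used; either reference them (for example `publicKeys = users ++ systems;`) or remove them.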
diff --git a/secrets/traefik/gcp_service_account.json.age b/modules/secrets/traefik/gcp_service_account.json.age
index 0f99905..0f99905 100644
--- a/secrets/traefik/gcp_service_account.json.age
+++ b/modules/secrets/traefik/gcp_service_account.json.age
Binary files differ
diff --git a/secrets/unifi/unifi-poller.age b/modules/secrets/unifi/unifi-poller.age
index bd71926..bd71926 100644
--- a/secrets/unifi/unifi-poller.age
+++ b/modules/secrets/unifi/unifi-poller.age
diff --git a/modules/services/backup/default.nix b/modules/services/backup/default.nix
index 52378d3..f74b5f9 100644
--- a/modules/services/backup/default.nix
+++ b/modules/services/backup/default.nix
@@ -11,7 +11,7 @@ in {
};
passwordFile = mkOption {
- type = types.str;
+ type = types.path;
example = "/var/lib/restic/password.txt";
description = "Read the repository's password from this path";
};
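Review bot: `types.path` accepts a Nix path literal as well as a string, and a literal such as `./password.txt` is copied into the world-readable Nix store before restic reads it, so the type change quietly admits a misuse that `types.str` rejected. The value assigned in hosts/tahoe/services.nix is the agenix runtime path string, which is fine; make the expectation explicit with `description = "Read the repository's password from this path (a string outside the Nix store, not a path literal)";`, or keep `types.str`.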
@@ -70,11 +70,10 @@ in {
};
config = lib.mkIf cfg.enable {
- services.restic.backups = {
+ services.restic.backups.system = {
# Take care of included and excluded files
paths = cfg.paths;
- extraBackupArgs = [ "--verbose=2" ]
- ++ lib.optional (builtins.length cfg.exclude != 0) excludeArg;
+ extraBackupArgs = [ "--verbose=2" ];
# Take care of creating the repository if it doesn't exist
initialize = true;
inherit (cfg) passwordFile pruneOpts timerConfig repository;
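Review bot: Dropping `++ lib.optional (builtins.length cfg.exclude != 0) excludeArg` leaves the `exclude` option with no effect — the diffstat accounts for only these seven changed lines in this file, so the option and `excludeArg` presumably still exist — and paths a host lists as excluded are now backed up. Either restore the removed expression after `[ "--verbose=2" ]` or delete the `exclude` option and `excludeArg` so the dead setting cannot mislead.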
diff --git a/modules/services/rclone/default.nix b/modules/services/rclone/default.nix
index 1ccf5df..1d32aac 100644
--- a/modules/services/rclone/default.nix
+++ b/modules/services/rclone/default.nix
@@ -1,16 +1,13 @@
{ config, pkgs, lib, ... }:
-let cfg = config.my.services.rclone;
+let
+ cfg = config.my.services.rclone;
+ secrets = config.age.secrets;
in {
options.my.services.rclone = with lib; {
enable = mkEnableOption "rclone backup service";
};
config = lib.mkIf cfg.enable {
- age.secrets.rclone-gcs-sa.file =
- ../../../secrets/rclone/gcs_service_account.json.age;
-
- age.secrets.rclone-config.file = ../../../secrets/rclone/config.ini.age;
-
systemd = {
packages = [ pkgs.rclone ];
timers.rclone-sync = {
@@ -22,8 +19,11 @@ in {
services.rclone-sync = {
description = "synchronize restic repository to GCS";
serviceConfig = let
- rcloneOptions =
- "--config=${config.age.secrets.rclone-config.path} --gcs-service-account-file=${config.age.secrets.rclone-gcs-sa.path} --fast-list --verbose";
+ rcloneOptions = "--config=${
+ secrets."rclone/gcs_service_account.json".path
+ } --gcs-service-account-file=${
+ secrets."rclone/config.ini".path
+ } --fast-list --verbose";
in {
Type = "oneshot";
ExecStart = [
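Review bot: The two secret paths are swapped: `--config=` now receives `secrets."rclone/gcs_service_account.json".path` and `--gcs-service-account-file=` receives `secrets."rclone/config.ini".path`, the reverse of the removed line, so rclone will try to parse the service-account JSON as its config and the sync will fail. Use `secrets."rclone/config.ini".path` after `--config=` and `secrets."rclone/gcs_service_account.json".path` after `--gcs-service-account-file=`. The `serviceConfig` block continues outside the hunk.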
diff --git a/modules/services/traefik/default.nix b/modules/services/traefik/default.nix
index d6a8c8c..a5cff3d 100644
--- a/modules/services/traefik/default.nix
+++ b/modules/services/traefik/default.nix
@@ -4,6 +4,7 @@ with lib;
let
cfg = config.my.services.traefik;
+ secrets = config.age.secrets;
domainPublic = "fcuny.net";
domainPrivate = "fcuny.xyz";
mkServiceConfig = name: url: domain: certResolver: {
@@ -22,11 +23,6 @@ in {
};
config = lib.mkIf cfg.enable {
- age.secrets.traefik_gcp_sa = {
- file = ../../../secrets/traefik/gcp_service_account.json.age;
- owner = "traefik";
- };
-
services.traefik = {
enable = true;
@@ -94,7 +90,7 @@ in {
];
systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
- config.age.secrets.traefik_gcp_sa.path;
+ secrets."traefik/gcp_service_account.json".path;
systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/modules/services/unifi/default.nix b/modules/services/unifi/default.nix
index c36860a..ee5ec6d 100644
--- a/modules/services/unifi/default.nix
+++ b/modules/services/unifi/default.nix
@@ -2,6 +2,7 @@
let
cfg = config.my.services.unifi;
+ secrets = config.age.secrets;
allowedRules = {
# https://help.ubnt.com/hc/en-us/articles/218506997
allowedTCPPorts = [
@@ -33,20 +34,13 @@ in {
unifiPackage = pkgs.unifiStable;
};
- age.secrets.unifi-read-only = {
- file = ../../../secrets/unifi/unifi-poller.age;
- mode = "0400";
- owner = "unifi-poller";
- };
-
services.unifi-poller = {
enable = true;
unifi.defaults = {
url = "https://127.0.0.1:8443";
user = "unifipoller";
- pass = config.age.secrets.unifi-read-only.path;
-
+ pass = secrets."unifi/unifi-poller".path;
verify_ssl = false;
};
diff --git a/secrets.nix b/secrets.nix
deleted file mode 100644
index ae0efaf..0000000
--- a/secrets.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-let
- fcuny_aptos =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl";
- users = [ fcuny_aptos ];
-
- aptos =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTcPGaiL+/Mwl8JzLHrBwas7QvWPjix4lnaAA1tw+5t";
- tahoe =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEq1IQRvj2jofCHOO6M28w2SRdgtHU06NJvwAwv/b69F";
-
- systems = [ aptos tahoe ];
-in {
- "secrets/network/aptos/wireguard_privatekey.age".publicKeys =
- [ fcuny_aptos aptos ];
-
- "secrets/network/tahoe/wireguard_privatekey.age".publicKeys =
- [ fcuny_aptos aptos tahoe ];
-
- "secrets/traefik/gcp_service_account.json.age".publicKeys =
- [ fcuny_aptos aptos tahoe ];
-
- "secrets/unifi/unifi-poller.age".publicKeys = [ fcuny_aptos aptos tahoe ];
-
- "secrets/restic/repo-systems.age".publicKeys = [ fcuny_aptos aptos tahoe ];
- "secrets/rclone/config.ini.age".publicKeys = [ fcuny_aptos aptos tahoe ];
- "secrets/rclone/gcs_service_account.json.age".publicKeys =
- [ fcuny_aptos aptos tahoe ];
-}