From 358f84a1d1a225402ab1c88e27452467c741f578 Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Wed, 1 Nov 2023 00:09:25 +0100 Subject: [PATCH] Utilise Agenix for secret management --- flake.lock | 12 ++++++------ nixos-configurations/server/default.nix | 7 ++++--- nixos-configurations/shared.nix | 3 ++- secrets/discord-bot-token.age | 9 +++++++++ secrets/hedgedoc-environment-file.age | 12 ++++++++++++ secrets/secrets.nix | 7 ++++--- 6 files changed, 37 insertions(+), 13 deletions(-) create mode 100644 secrets/discord-bot-token.age create mode 100644 secrets/hedgedoc-environment-file.age diff --git a/flake.lock b/flake.lock index fd5df6f..0610ec3 100644 --- a/flake.lock +++ b/flake.lock @@ -112,11 +112,11 @@ ] }, "locked": { - "lastModified": 1698250431, - "narHash": "sha256-qs2gTeH4wpnWPO6Oi6sOhp2IhG0i0DzcnrJxIY3/CP8=", + "lastModified": 1698670511, + "narHash": "sha256-jQIu3UhBMPHXzVkHQO1O2gg8SVo5lqAVoC6mOaLQcLQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "09587fbbc6a669f7725613e044c2577dc5d43ab5", + "rev": "8e5416b478e465985eec274bc3a018024435c106", "type": "github" }, "original": { @@ -143,11 +143,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1698134075, - "narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=", + "lastModified": 1698611440, + "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4", + "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735", "type": "github" }, "original": { diff --git a/nixos-configurations/server/default.nix b/nixos-configurations/server/default.nix index fdc9b92..16b4197 100644 --- a/nixos-configurations/server/default.nix +++ b/nixos-configurations/server/default.nix @@ -1,4 +1,4 @@ -{ inputs, pkgs, ... }: +{ inputs, pkgs, config, ... }: { imports = [ 
@@ -9,6 +9,8 @@ nix.settings.trusted-users = [ "thiloho" ]; + age.secrets.hedgedoc-environment-file.file = ../../secrets/hedgedoc-environment-file.age; + environment.systemPackages = with pkgs; [ nodejs_20 ]; @@ -93,7 +95,7 @@ allowEmailRegister = false; email = false; }; - environmentFile = "/var/lib/hedgedoc/hedgedoc.env"; + environmentFile = config.age.secrets.hedgedoc-environment-file.path; }; postgresql = { enable = true; @@ -147,7 +149,6 @@ home-manager.users.thiloho = { pkgs, lib, ... }: { home = { stateVersion = "23.05"; - packages = [ inputs.agenix.packages."x86_64-linux".default ]; }; }; system.stateVersion = "23.05"; diff --git a/nixos-configurations/shared.nix b/nixos-configurations/shared.nix index 5964fef..894a783 100644 --- a/nixos-configurations/shared.nix +++ b/nixos-configurations/shared.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ inputs, pkgs, ... }: { boot = { @@ -41,5 +41,6 @@ settings.theme = "ayu_dark"; }; }; + home.packages = [ inputs.agenix.packages."x86_64-linux".default ]; }; } diff --git a/secrets/discord-bot-token.age b/secrets/discord-bot-token.age new file mode 100644 index 0000000..d96f719 --- /dev/null +++ b/secrets/discord-bot-token.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 owVgDA GIWZXYxMprQgnKyf6eHbmdAbm2BQ8qmXcNOCx6xACAM +KxoFMCq6BqOW0ZL+mPz084AsrJiYwd65TQbT3lm5C7Q +-> ssh-ed25519 dRl0SQ 0lwzyhATdftLsGB+9yk3MWIjROdVDNiXUZ3zlSGMtXQ +C1PQpcq6mftSr9nWP7wteHQnK4/jNEzWBDPrVdlYg5Q +-> H\-grease ika_t} ('9'r F[ z6"b$ +FjkIPhH4Cd1a +--- ERGBSp2uqfpO5fYXK8QfCmM6MOb2oGJ/PchtAV4INdA +7扷>q bkq>$[<<<+뺣w rt;u_R(0za.ɼ4f,ykk7ļ5ߋޮW7! \ No newline at end of file diff --git a/secrets/hedgedoc-environment-file.age b/secrets/hedgedoc-environment-file.age new file mode 100644 index 0000000..d00cb53 --- /dev/null +++ b/secrets/hedgedoc-environment-file.age 
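Review bot: The new `age.secrets.hedgedoc-environment-file` declaration sets only `.file`, so the decrypted file keeps agenix's defaults (root-owned, mode 0400 under the agenix runtime directory); that works for the `environmentFile` assigned in the hunk at @@ -93, which the NixOS hedgedoc module presumably hands to systemd as an `EnvironmentFile` read by the service manager before the unit drops to its own user, but it will not work for anything that opens the path as the `hedgedoc` user, so add `# root:0400 by default; consumed by systemd (EnvironmentFile), not read by the hedgedoc user` above the new line. The previous plaintext `/var/lib/hedgedoc/hedgedoc.env` is not removed by this change and remains in the hedgedoc state directory (and in any backups of it) after the switch; delete it and rotate the values it held, since they were stored unencrypted until now. The module attribute set these lines belong to begins outside the hunk.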
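Review bot: The added `home.packages` line in shared.nix hard-codes `"x86_64-linux"`, and shared.nix is by its name imported by every host, so any non-x86_64 machine would get an x86_64 agenix build or an evaluation error; `home.packages = [ inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default ];` keeps it portable. The same literal was just removed from server/default.nix at @@ -147, so this is now the only place to fix. The attribute set this line closes into starts outside the hunk, so I cannot confirm from here that it lands in the intended home-manager user block rather than the NixOS module scope.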
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 owVgDA DHtVqT+j5nA9m0rjCHkipHlwubKbpJT67M+01uoUwjw +3wYaa6cLvxMLtOEnplSQKUhG17NJc/okijfjfAjSDoo +-> ssh-ed25519 dRl0SQ LnEnUGEQcjePdVdnERB77IFCmVXiio1G21/PStdOz38 +kutyH8M+aDP+FbLvspsq253b8CmjMNGf4IjS8Wn3oIM +-> ,v2y-grease w_I$#z,I +dUd0PGzi1W34mBbAeuTssZkrTzdLUMDuk/N1OeDNitZkwpphJ999ZSgRRAgU7+nX +teshu7G0l5dAv8L/1Orso1zFj14DeDGWlQa/MOsFKO1cEntb1SIUHcQBWN0jpICE +qJ+y +--- /p24yOUx4CNTSq/1sdYPbFo5/knQeVk37A6fZva0n3c +|J9*vbhFU@06]}j[Ǘni=5Zi@V +z;kQFԗ8"DjdGFs n>z ĒMTW,l#bti# \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4402453..a4aeddf 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,7 +1,8 @@ let - server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHzBBw5pNpuCg1e9cJcQfcxKuTFZ0cleMkEiRZDxE+qQ thiloho@server"; + server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN82ukcaWQZcihgh+n0h+ihwTafm64SO1wngibOA6Vro root@server"; + pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkvr+vT7Ik0fjquxb9xQBfVVWJPgrfC+vJZsyG2V+/G thiloho@pc"; in { - "hedgedoc-environment-file.age".publicKeys = [ server ]; - "discord-bot-token.age".publicKeys = [ server ]; + "hedgedoc-environment-file.age".publicKeys = [ server pc ]; + "discord-bot-token.age".publicKeys = [ server pc ]; } \ No newline at end of file
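Review bot: The recipient list in secrets.nix now mixes a host key (`root@server`) and a user key (`thiloho@pc`) without recording which role each plays, and the distinction matters: agenix decrypts on the server at activation with the host's SSH key, while the `pc` key only lets the workstation edit the files. Add a comment per key, e.g. `# server: SSH host key, decrypts at activation` and `# pc: workstation user key, editing only`, and a note that whenever a key in this list changes every `.age` file must be re-keyed with `agenix -r`, because a file encrypted only to a removed key can no longer be decrypted on the host (the replacement of the `server` key in this hunk is exactly that case; the two `.age` files created in this patch appear to be fresh encryptions, so this commit is consistent). `discord-bot-token.age` is created here but no `age.secrets.discord-bot-token` declaration appears anywhere in the patch, so presumably it is declared in a file outside this diff; worth confirming. The file also still ends without a trailing newline.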