From c01820a33bb84699a641f538fc8746cbed482c08 Mon Sep 17 00:00:00 2001
From: Oliver Davies
Date: Mon, 9 Dec 2024 22:35:34 +0000
Subject: [PATCH] Use agenix to encrypt secrets
---
 flake.lock | 110 ++++++++++++++++--
 flake.nix | 2 +
 nix/hosts/lemp11/default.nix | 8 +-
 nix/hosts/lemp11/secrets.nix | 5 +
 .../homelab/tubearchivist-container.nix | 14 ++-
 nix/secrets/secrets.nix | 6 +
 nix/secrets/tubearchivist.age | 5 +
 7 files changed, 137 insertions(+), 13 deletions(-)
 create mode 100644 nix/hosts/lemp11/secrets.nix
 create mode 100644 nix/secrets/secrets.nix
 create mode 100644 nix/secrets/tubearchivist.age
diff --git a/flake.lock b/flake.lock
index 8f8a5c7..1964935 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,48 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [
@@ -21,6 +64,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -59,15 +123,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1733015953, - "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", - "owner": "nixos", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -89,14 +153,46 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1733015953, + "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", "disko": "disko", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-2405": "nixpkgs-2405" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root",
diff --git a/flake.nix b/flake.nix
index 51b1c7a..cd2267d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,8 @@
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ agenix.url = "github:ryantm/agenix";
+
 disko = {
 inputs.nixpkgs.follows = "nixpkgs";
 url = "github:nix-community/disko";
diff --git a/nix/hosts/lemp11/default.nix b/nix/hosts/lemp11/default.nix
index 6efb755..9b7223c 100644
--- a/nix/hosts/lemp11/default.nix
+++ b/nix/hosts/lemp11/default.nix
@@ -1,3 +1,5 @@
+{ inputs, ... }:
+
 {
 features = {
 cli = {
@@ -17,5 +19,9 @@
 };
 };
- imports = [ ./configuration.nix ];
+ imports = [
+ inputs.agenix.nixosModules.default
+ ./configuration.nix
+ ./secrets.nix
+ ];
 }
diff --git a/nix/hosts/lemp11/secrets.nix b/nix/hosts/lemp11/secrets.nix
new file mode 100644
index 0000000..325699d
--- /dev/null
+++ b/nix/hosts/lemp11/secrets.nix
@@ -0,0 +1,5 @@
+{
+ age.secrets = {
+ tubearchivist.file = ../../secrets/tubearchivist.age;
+ };
+}
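Review bot: The new `agenix.url` input carries no `follows` entries, while the neighbouring `disko` block pins `inputs.nixpkgs.follows = "nixpkgs"`; the flake.lock hunks show the consequence, with agenix bringing its own `nixpkgs`, `home-manager` and `darwin` nodes and the root inputs being renamed to `nixpkgs_2` and `home-manager_2`. That is a second, older nixpkgs in the host's closure (lastModified 1703013332 against the root's 1733015953), which also widens the set of sources the host is built from. Matching the disko style, `agenix = { inputs.nixpkgs.follows = "nixpkgs"; inputs.darwin.follows = ""; url = "github:ryantm/agenix"; };`, keeps a single nixpkgs and drops the nix-darwin input that nothing in this commit uses; whether home-manager should be pinned the same way depends on whether agenix's home-manager module is wanted, which the commit does not show.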
diff --git a/nix/modules/nixos/features/homelab/tubearchivist-container.nix b/nix/modules/nixos/features/homelab/tubearchivist-container.nix
index ba8dd32..f8c1f51 100644
--- a/nix/modules/nixos/features/homelab/tubearchivist-container.nix
+++ b/nix/modules/nixos/features/homelab/tubearchivist-container.nix
@@ -29,13 +29,16 @@ in
 image = "bbilly1/tubearchivist-es";
 environment = {
- "ELASTIC_PASSWORD" = "verysecret";
 "ES_JAVA_OPTS" = "-Xms1g -Xmx1g";
 "discovery.type" = "single-node";
 "path.repo" = "/usr/share/elasticsearch/data/snapshot";
 "xpack.security.enabled" = "true";
 };
+ environmentFiles = [
+ config.age.secrets.tubearchivist.path
+ ];
+
 volumes = [
 "tubearchivist_es:/usr/share/elasticsearch/data:rw"
 ];
@@ -125,17 +128,18 @@ in
 image = "bbilly1/tubearchivist";
 environment = {
- "ELASTIC_PASSWORD" = "verysecret";
 "ES_URL" = "http://archivist-es:9200";
 "HOST_GID" = "1000";
 "HOST_UID" = "1000";
 "REDIS_HOST" = "archivist-redis";
 "TA_HOST" = "tubearchivist.local";
- "TA_PASSWORD" = "verysecret";
- "TA_USERNAME" = "tubearchivist";
- "TZ" = "America/New_York";
+ "TZ" = "Europe/London";
 };
+ environmentFiles = [
+ config.age.secrets.tubearchivist.path
+ ];
+
 volumes = [
 "tubearchivist_cache:/cache:rw"
 "tubearchivist_media:/youtube:rw"
diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix
new file mode 100644
index 0000000..31ab779
--- /dev/null
+++ b/nix/secrets/secrets.nix
@@ -0,0 +1,6 @@
+let
+ lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+in
+{
+ "tubearchivist.age".publicKeys = [ lemp11 ];
+}
diff --git a/nix/secrets/tubearchivist.age b/nix/secrets/tubearchivist.age
new file mode 100644
index 0000000..565b936
--- /dev/null
+++ b/nix/secrets/tubearchivist.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 sHhprA Cbb0hZFbjSm4+wohOIa0rrppM4aiCD2OBxua/UTzjgU
+6E7zItGopz9VqRflgpJAC910cDZ9i85Mz7+PwvIsxPk
+--- oBcUij9hrWy2ol4cLUFlWkFaS/w4byNu42nk3sI0ras
+”XvAœ-rÐ|‚÷ýýk~m›!Ó–
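Review bot: The two `environmentFiles = [` additions reference an encrypted file whose keys cannot be read in review, and the removed `ELASTIC_PASSWORD`, `TA_USERNAME` and `TA_PASSWORD` entries are the only record of what each container now expects from it; a comment above each list, `# tubearchivist.age must define ELASTIC_PASSWORD, TA_USERNAME and TA_PASSWORD`, would keep that contract in the Nix source (the same applies to the second hunk, `@@ -125,17 +128,18 @@`). The deleted lines carried the literal value `verysecret` in a tracked file, so it remains in the repository history; the credentials should be changed rather than re-encrypted unchanged. Because both containers load the same file, the Elasticsearch container also receives whatever `TA_*` values it holds, which it has no use for; splitting the secret per container would keep each one's environment to what it needs. The `TZ` change from `America/New_York` to `Europe/London` in the second hunk is unrelated to the secrets move and would be easier to trace as its own commit. Both hunks sit inside container definitions whose start and end are outside the hunk.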
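Review bot: `tubearchivist.age` is encrypted to a single recipient, `lemp11` (presumably that host's SSH host key, given how agenix locates identities by default), so the secret can only be decrypted on that machine: editing it with `agenix -e` from a workstation, or recovering it after the host is reinstalled and its host key regenerated, needs the plaintext from somewhere else. Adding an operator key as a second recipient is the usual agenix layout, e.g. `admin = "<operator ssh or age public key — placeholder>";` in the `let` block and `"tubearchivist.age".publicKeys = [ lemp11 admin ];`. The committed string is a public key, so keeping it in the repository is fine.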