feat: move secrets to noisebell repo and update

2026-03-17 03:50:26 -07:00 · 2026-03-17 03:50:26 -07:00 · 50f85422e4
commit 50f85422e4
parent 5204cc3af6
8 changed files with 198 additions and 40 deletions
--- a/agenix.nix
+++ b/agenix.nix
@ -10,8 +10,4 @@ in {
  "secrets/matrix-macaroon.age".publicKeys = [ server jet ];
  "secrets/ntfy-admin-hash.age".publicKeys = [ server jet ];
  "secrets/mymx-webhook.age".publicKeys = [ server jet ];
-  "secrets/noisebell-pi-api-key.age".publicKeys = [ server jet ];
-  "secrets/noisebell-inbound-api-key.age".publicKeys = [ server jet ];
-  "secrets/noisebell-discord-token.age".publicKeys = [ server jet ];
-  "secrets/noisebell-discord-webhook-secret.age".publicKeys = [ server jet ];
 }
--- a/flake.lock
+++ b/flake.lock
@ -23,7 +23,46 @@
        "type": "github"
      }
    },
+    "agenix_2": {
+      "inputs": {
+        "darwin": "darwin_2",
+        "home-manager": "home-manager_2",
+        "nixpkgs": [
+          "noisebell",
+          "nixpkgs"
+        ],
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
    "crane": {
+      "locked": {
+        "lastModified": 1773189535,
+        "narHash": "sha256-E1G/Or6MWeP+L6mpQ0iTFLpzSzlpGrITfU2220Gq47g=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "6fa2fb4cf4a89ba49fc9dd5a3eb6cde99d388269",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
+    "crane_2": {
      "locked": {
        "lastModified": 1773115265,
        "narHash": "sha256-5fDkKTYEgue2klksd52WvcXfZdY1EIlbk0QggAwpFog=",
@ -60,6 +99,29 @@
        "type": "github"
      }
    },
+    "darwin_2": {
+      "inputs": {
+        "nixpkgs": [
+          "noisebell",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -82,7 +144,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
@ -119,6 +181,28 @@
        "type": "github"
      }
    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "noisebell",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "mymx": {
      "inputs": {
        "nixpkgs": [
@ -157,6 +241,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1773646010,
+        "narHash": "sha256-iYrs97hS7p5u4lQzuNWzuALGIOdkPXvjz7bviiBjUu8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5b2c2d84341b2afb5647081c1386a80d7a8d8605",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1744536153,
        "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=",
@ -174,28 +274,66 @@
    },
    "noisebell": {
      "inputs": {
-        "crane": "crane",
+        "agenix": "agenix_2",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_2"
+        "pi-service": "pi-service",
+        "remote": "remote"
      },
      "locked": {
-        "dir": "remote",
-        "lastModified": 1773729127,
-        "narHash": "sha256-KwxwZGlTHOZCCY+pDhwmluZctCSD7tFes87LWQ8h1Sg=",
+        "lastModified": 1773745186,
+        "narHash": "sha256-rxNWtNXvdzLQYAV3Wz6DQIg81Ax0aIgOYBW4KoLALIU=",
        "ref": "refs/heads/main",
-        "rev": "dc7b8cbaddc6a44aa05b2d3f7c42dc98dd24f060",
-        "revCount": 30,
+        "rev": "9ecac57275f3e8140e8919ad1284f1ec3821551c",
+        "revCount": 36,
        "type": "git",
        "url": "https://git.extremist.software/jet/noisebell"
      },
      "original": {
-        "dir": "remote",
        "type": "git",
        "url": "https://git.extremist.software/jet/noisebell"
      }
    },
+    "pi-service": {
+      "inputs": {
+        "crane": "crane",
+        "nixpkgs": "nixpkgs_2",
+        "rust-overlay": "rust-overlay_2"
+      },
+      "locked": {
+        "path": "./pi/pi-service",
+        "type": "path"
+      },
+      "original": {
+        "path": "./pi/pi-service",
+        "type": "path"
+      },
+      "parent": [
+        "noisebell"
+      ]
+    },
+    "remote": {
+      "inputs": {
+        "crane": "crane_2",
+        "nixpkgs": [
+          "noisebell",
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay_3"
+      },
+      "locked": {
+        "path": "./remote",
+        "type": "path"
+      },
+      "original": {
+        "path": "./remote",
+        "type": "path"
+      },
+      "parent": [
+        "noisebell"
+      ]
+    },
    "root": {
      "inputs": {
        "agenix": "agenix",
@ -231,6 +369,29 @@
      "inputs": {
        "nixpkgs": [
          "noisebell",
+          "pi-service",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1773716879,
+        "narHash": "sha256-vXCTasEzzTTd0ZGEuyle20H2hjRom66JeNr7i2ktHD0=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "1a9ddeb45c5751b800331363703641b84d1f41f0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_3": {
+      "inputs": {
+        "nixpkgs": [
+          "noisebell",
+          "remote",
          "nixpkgs"
        ]
      },
@ -248,9 +409,9 @@
        "type": "github"
      }
    },
-    "rust-overlay_3": {
+    "rust-overlay_4": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "lastModified": 1772679930,
@ -296,13 +457,28 @@
        "type": "github"
      }
    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "website": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_3"
+        "rust-overlay": "rust-overlay_4"
      },
      "locked": {
        "lastModified": 1773122265,
--- a/flake.nix
+++ b/flake.nix
@ -13,7 +13,7 @@
    website.url = "git+https://git.extremist.software/jet/website";
    website.inputs.nixpkgs.follows = "nixpkgs";

-    noisebell.url = "git+https://git.extremist.software/jet/noisebell?dir=remote";
+    noisebell.url = "git+https://git.extremist.software/jet/noisebell";
    noisebell.inputs.nixpkgs.follows = "nixpkgs";

    agenix.url = "github:ryantm/agenix";
--- a/modules/noisebell.nix
+++ b/modules/noisebell.nix
@ -1,27 +1,27 @@
-{ config, ... }:
+{ config, inputs, ... }:

 {
  users.groups.noisebell = {};
  users.users.noisebell-cache.extraGroups = [ "noisebell" ];
  users.users.noisebell-discord.extraGroups = [ "noisebell" ];

-  age.secrets.noisebell-pi-api-key = {
-    file = ../secrets/noisebell-pi-api-key.age;
+  age.secrets.noisebell-pi-to-cache-key = {
+    file = "${inputs.noisebell}/secrets/pi-to-cache-key.age";
    group = "noisebell";
    mode = "0440";
  };
-  age.secrets.noisebell-inbound-api-key = {
-    file = ../secrets/noisebell-inbound-api-key.age;
+  age.secrets.noisebell-cache-to-pi-key = {
+    file = "${inputs.noisebell}/secrets/cache-to-pi-key.age";
    group = "noisebell";
    mode = "0440";
  };
  age.secrets.noisebell-discord-token = {
-    file = ../secrets/noisebell-discord-token.age;
+    file = "${inputs.noisebell}/secrets/discord-token.age";
    group = "noisebell";
    mode = "0440";
  };
  age.secrets.noisebell-discord-webhook-secret = {
-    file = ../secrets/noisebell-discord-webhook-secret.age;
+    file = "${inputs.noisebell}/secrets/discord-webhook-secret.age";
    group = "noisebell";
    mode = "0440";
  };
@ -31,8 +31,8 @@
    port = 3003;
    domain = "noisebell.extremist.software";
    piAddress = "http://noisebell:80";
-    piApiKeyFile = config.age.secrets.noisebell-pi-api-key.path;
-    inboundApiKeyFile = config.age.secrets.noisebell-inbound-api-key.path;
+    piApiKeyFile = config.age.secrets.noisebell-cache-to-pi-key.path;
+    inboundApiKeyFile = config.age.secrets.noisebell-pi-to-cache-key.path;
    outboundWebhooks = [
      { url = "https://discord.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.noisebell-discord-webhook-secret.path; }
    ];
--- a/secrets/noisebell-discord-token.age
+++ b/secrets/noisebell-discord-token.age
--- a/secrets/noisebell-discord-webhook-secret.age
+++ b/secrets/noisebell-discord-webhook-secret.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 uKftJg 9Ts1I3lKnIiDlkti3wqLkMd/O5J2X7eu3jjzCqCJZEs
-FmoQ/sj9Iyn9mP6WjHAQyNubk5fvl/wq7iV9WmE+Zng
-> ssh-ed25519 Ziw7aw 2n9PloxmkZfOp7CrIlHU8X4gv0FeWqrXzRbuBlurPnU
-0OKghn+2VNq0GhkeUAtNFI7MEMs0iLttqw02a7ticZ0
--- In0BcqmKff+nXF3dc1ArM8dznFJkmwWiDaABguHGaBY
-”<EFBFBD>LÑ»b8v#_Ó„p~À&ÎS³}QF0NƒàÞ1§S~ªå7×Pþ6T¤îuîTªMë)ü§¢Ôï(fÀ0"ÇNƒ¶E¢«Þ;
i
--- a/secrets/noisebell-inbound-api-key.age
+++ b/secrets/noisebell-inbound-api-key.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 uKftJg 8VicSc9Efje62LAEUo1ceUeHSyfqJ56JgkmetY6W/mY
-xixUVxK3vKespUthQG0QmoucnhCgHBDzpIWcnjBj/uY
-> ssh-ed25519 Ziw7aw UpfNqKBiOIM7BDCg9oOQdQ/lXba8vGeKYp00MJTCogs
-Js43kbclj+7yIYPb1htOi8StldIgGlKouIKcbOP8R2w
--- 0qkwj31Z31Fuefmm79uIQsPOAMUqAF7/DOdmRsyb2Ks
-VgîãËk8årà®*÷Œo¡¡Zi…[÷ÆâP<C3A2>ÎÑªÿð¯1Ö¶õ
ô#–Â±Ò‘vlr‹=§Sk/02faÏkk˜3Éc
--- a/secrets/noisebell-pi-api-key.age
+++ b/secrets/noisebell-pi-api-key.age