feat: migrate to agenix for secret management

2026-03-05 15:10:30 -08:00 · 2026-03-05 15:10:30 -08:00 · 8e174ba500
commit 8e174ba500
parent e7e8d154aa
23 changed files with 234 additions and 120 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -12,13 +12,19 @@
    ./modules/ntfy.nix
    ./modules/uptime-kuma.nix
    # mymx module is imported via flake input in flake.nix
-    ./secrets/secrets-scheme.nix
-    # Impure Secrets
-    ./secrets/secrets.nix
  ];

-  # ... (rest of imports block replaced by ./secrets/secrets.nix being added to imports)
-
+  # Agenix secrets
+  age.secrets = {
+    forgejo-db.file = ./secrets/forgejo-db.age;
+    stalwart-admin = { file = ./secrets/stalwart-admin.age; owner = "stalwart-mail"; };
+    searx-env.file = ./secrets/searx-env.age;
+    tailscale-key.file = ./secrets/tailscale-key.age;
+    grafana-secret = { file = ./secrets/grafana-secret.age; owner = "grafana"; };
+    matrix-macaroon = { file = ./secrets/matrix-macaroon.age; owner = "matrix-synapse"; };
+    ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age;
+    mymx-webhook = { file = ./secrets/mymx-webhook.age; owner = "mymx"; };
+  };

  # Bootloader
  boot.loader.grub.enable = true;
@ -36,7 +42,7 @@
  
  # Users
  users.users.root.openssh.authorizedKeys.keys = [
-    config.mySecrets.sshPublicKey
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu"
  ];

  # SSH - Secure it
@ -77,9 +83,17 @@
    clean.extraArgs = "--keep 2";
  };

+  # Automatic upgrades
+  system.autoUpgrade = {
+    enable = true;
+    dates = "04:00";
+    allowReboot = false;
+  };
+
  # System
  system.stateVersion = "24.05";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  services.postgresql.package = pkgs.postgresql_15;
  nixpkgs.config.allowUnfree = true; # Allow unfree packages (Minecraft, etc.)

  # Time
@ -89,15 +103,12 @@
  zramSwap.enable = true;
  zramSwap.memoryPercent = 50; 

-  # Secrets handled via ./secrets.nix importing to config.mySecrets
-  environment.etc."secrets/tailscale-auth".text = config.mySecrets.tailscaleKey;
-  environment.etc."secrets/mymx-webhook".text = config.mySecrets.mymxWebhookSecret;
-  services.tailscale.authKeyFile = "/etc/secrets/tailscale-auth";
+  services.tailscale.authKeyFile = config.age.secrets.tailscale-key.path;

  # MyMX
  services.mymx = {
    enable = true;
-    webhookSecretFile = "/etc/secrets/mymx-webhook";
+    webhookSecretFile = config.age.secrets.mymx-webhook.path;
  };
  
  # Allow Tailscale traffic