feat: migrate to agenix for secret management

modules/caddy.nix

@@ -170,5 +170,4 @@
   # Ensure Caddy can read the certs too now that they are in the acme group
   users.users.caddy.extraGroups = [ "acme" ];
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

modules/forgejo.nix

@@ -14,12 +14,8 @@
       };
       # You can configure SMTP here using secrets if needed
     };
-    # Secret for DB password
-    settings.database.PASSWORD = config.mySecrets.forgejoDb;
+    database.passwordFile = config.age.secrets.forgejo-db.path;
   };
 
-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_15;
-  };
+  services.postgresql.enable = true;
 }

modules/mail.nix

@@ -43,7 +43,7 @@
       
       authentication.fallback-admin = {
         user = "admin";
-        secret = config.mySecrets.stalwartAdmin;
+        secret = "%{file:/run/agenix/stalwart-admin}%";
       };
     };
   };
@@ -51,10 +51,4 @@
   # Allow Stalwart to read the ACME certificate procured for Caddy
   systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ];
 
-  # Open Firewalls for Mail
-  networking.firewall.allowedTCPPorts = [ 
-    993        # IMAP (Secure)
-    4190       # Sieve
-    8080       # Admin UI (Reverse proxied, but good to double check loopback)
-  ];
 }

modules/matrix.nix

@@ -3,6 +3,7 @@
 {
   services.matrix-synapse = {
     enable = true;
+    extraConfigFiles = [ config.age.secrets.matrix-macaroon.path ];
     settings = {
       server_name = "extremist.software";
       public_baseurl = "https://matrix.extremist.software";
@@ -24,8 +25,6 @@
       ];
       
       enable_registration = false;
-      registration_shared_secret = "extremist_software_admin_creation";
-      macaroon_secret_key = config.mySecrets.matrixMacaroon;
       database = {
         name = "psycopg2";
         allow_unsafe_locale = true;

modules/monitoring.nix

@@ -31,7 +31,7 @@
         domain = "status.extremist.software";
       };
       security = {
-        secret_key = config.mySecrets.grafanaSecret;
+        secret_key = "$__file{/run/agenix/grafana-secret}";
       };
     };
     provision = {

modules/ntfy.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
 {
   services.ntfy-sh = {
@@ -10,12 +10,22 @@
       auth-file = "/var/lib/ntfy-sh/user.db";
       auth-default-access = "deny-all";
       enable-login = true;
-      auth-users = [
-        "jet:${config.mySecrets.ntfyAdminHash}:admin"
-      ];
       auth-access = [
         "*:up*:write-only"
       ];
     };
   };
+
+  # Patch the generated config at runtime to inject the admin bcrypt hash
+  systemd.services.ntfy-sh = {
+    serviceConfig.RuntimeDirectory = "ntfy-sh";
+    serviceConfig.ExecStartPre = let
+      script = pkgs.writeShellScript "ntfy-patch-config" ''
+        cp /etc/ntfy/server.yml /run/ntfy-sh/server.yml
+        HASH=$(cat ${config.age.secrets.ntfy-admin-hash.path})
+        printf '\nauth-users:\n  - "jet:%s:admin"\n' "$HASH" >> /run/ntfy-sh/server.yml
+      '';
+    in [ "+${script}" ];
+    serviceConfig.ExecStart = lib.mkForce "${pkgs.ntfy-sh}/bin/ntfy serve --config /run/ntfy-sh/server.yml";
+  };
 }

modules/searx.nix

@@ -5,11 +5,12 @@
     enable = true;
     package = pkgs.searxng;
     redisCreateLocally = true;
+    environmentFile = config.age.secrets.searx-env.path;
     settings = {
       server = {
         port = 8082;
         bind_address = "127.0.0.1";
-        secret_key = config.mySecrets.searxKey;
+        secret_key = "@SEARXNG_SECRET@";
       };
       search = {
         request_timeout = 1.5;