fix: allow stalwart to read agenix secrets

flake.nix

@@ -37,11 +37,27 @@
       deploy = pkgs.writeShellScriptBin "nhs" ''
         nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@"
       '';
+      check-secrets = pkgs.writeShellScriptBin "check-secrets" ''
+        set -euo pipefail
+        failed=0
+        for f in secrets/*.age; do
+          last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
+          if [ "$last" = "0a" ]; then
+            echo "FAIL: $f has trailing newline"
+            failed=1
+          fi
+        done
+        if [ "$failed" -eq 0 ]; then
+          echo "All secrets OK: no trailing newlines"
+        fi
+        exit $failed
+      '';
     in pkgs.mkShell {
       packages = [
         pkgs.nh
         inputs.agenix.packages.x86_64-linux.default
         deploy
+        check-secrets
       ];
     };
   };

modules/mail.nix

@@ -48,7 +48,8 @@
     };
   };
 
-  # Allow Stalwart to read the ACME certificate procured for Caddy
+  # Allow Stalwart to read the ACME certificate procured for Caddy and the agenix secret
   systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ];
+  systemd.services.stalwart.serviceConfig.ReadOnlyPaths = [ "/run/agenix/stalwart-admin" ];
 
 }

secrets/forgejo-db.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 uKftJg mtSxHYyX33fx/dUTpNGgu4ah3X/I6zTB0amu7Ji+iWU
+-> ssh-ed25519 uKftJg Te84EkKqyNTBmTCMcStRmGDVlqxb2OwKjg7IR6gN7RQ
-6EXDWMEoDuDZ36rYqUR52IQFASZb5s0bm3KRyAKIXUg
+lmALupFfrndxzf8mFEy8NG66etMSsjIJ1NsLbNuyT28
--> ssh-ed25519 Ziw7aw zqjgjZGh9C3H/gpuLx+dUC9EngSoHB/feiyCgqss+F4
+-> ssh-ed25519 Ziw7aw psq3NjNBYHq59suobWWYAS+G48z6YkbeWb0H+71w2wc
-MyCY88yFfDSqAr0PbYSg/FbHo+B6rxXBPkVxczgW93E
+4ZtwI6wKGLa0USEdnwspuT9cs0BB9HwLvEJai17RjXM
---- qGC9Dxmqtgm92IqNd3azWYEtkMEwwWRNsuXow6oZjlE
+--- rVkEVIprnhGwC3WExw4sWjBRaFT7Vkqlz6QbcDbDHO0
-›ìX)1±s™tr(fæÕPµ,Û‚7›8Öƒ™	ŠVøÍÖ”·1õ1&%ŒÃ(–¶Fë-úˆD"(–‚7ów=›äéþîßxmÙžãväS
+„M<07>M w«—\±'ÆÖÐJúSÀìì"Ûž ]‰£ÀÌL<C38C>j¸ŠœLÑÂ%ˆ×í~Ÿ˜ê-鉜]jmsq¡
øÒd-d…²qçÆ

secrets/grafana-secret.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 uKftJg 6TMM/HxgvFAlsOOJuEhoKfnN5CcjEvck9BKUXTNQsjk
+-> ssh-ed25519 uKftJg cnnRyonyuZyrP5zVUo6+Bfj1VhZYB35xJJJWGGo/KVc
-Y0G/GK6+t5jFK+cPqovD/oxs1ZLRAprstr27pZ6mb0c
+jVeECdwP9YjFQbdoeC/kKZEnrhoLwjy3XWgY6jtt31A
--> ssh-ed25519 Ziw7aw TQWn+XR8FHTv2+ol4id6hcL3C+Jk92jsB2hHFacoD3o
+-> ssh-ed25519 Ziw7aw Y0P2mFanbPUHD4qm46f8wX/ALlZBaGM9XSaee/q+Tmo
-fr+xO4DvOHLSPn05u6JZi++wBABw0z9WqghdwJ62pz0
++df1wxiglBajeC/IPCVl77MS6DtqFdyu9nz1HN7CmHM
---- PS3uOR8IZPAUoS8XA5WsBcCsLEfTxwS+vW6eHdZy3Fo
+--- pr7sOZ/mI4XaXt/MRT0ToIetQHSPUV4+wkigpd6UhYI
-£È¯Ê”¼1È/Ûœ<C39B>%®öÆr–¹Ë)+í°Ãý0ÚWg¯?hÌJÍYãåÄœ¢Û®öçiÝŒ%[ê=–æyÔd·à˜w§€¦õ,xS
+oÀÛÓôU‰u—lwî)ê6Ö*%’”=þ™:$—Ÿ»[icŒ‰Š@g<+/Î9¢ò//n)6"<22>I~Tœø8%nÀdÞI„aæÅG

secrets/mymx-webhook.age

@@ -1,7 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 uKftJg EC9vi+nqoSqUHET3/4fWoiuW9vTZo5XOB1dc+Fe36U0
+-> ssh-ed25519 uKftJg odmqiQoMit+Hd/clSrfuszRodIE1F8TYqkBlF53t8R8
-FYKWAiLaAbotst3AuOulpgqAg+JHUqD3uWWLk7hxrH8
+BDtfg89wMlSy/qggeUNmDpHgvxq9IZzZq0512OeRXVM
--> ssh-ed25519 Ziw7aw naV+WKfldJhOnIzz13Q9zKSK+z+oRhiVfeEYuG+dtS0
+-> ssh-ed25519 Ziw7aw sf0Bg7dYa9/juDnRN7J98Kr1dYr9LCldjf5mWxH36jE
-/GLmF3ws0aUsSVTAv9zzzD+8Cp/IkMlHWFzv1CbgSiM
+no2kHSXfVPiC3t0Lyz+enlAkVco/6fiNTO2luNhwH+U
---- PdqmGwHvR/R0tqf46e1ZJl/QIzB1qadFtNyONpoQl30
+--- qOuHzmSrOs3h1txQm/Xug7qmCo21EE1QwJudeCfr7yA
-wnÿ4Âò@ŠýÐÞD~Ír³×Ë*þj·®!„-*½ûv})0–<30>±ú´÷ÞÏÉFÛ7)®}rá/>Häè/3åS$	}ÅÙµìû«@¯Ð
+^ˆµ.㔦Q
+ã‹kâá5¿}È›àíÌLòý$
ñgˆÁ¦ØlÿaoÄ>Õê2ÃùÕîNÃŒˆŸi—Bä…8c'’¸¦­ñ

secrets/ntfy-admin-hash.age

@@ -1,8 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 uKftJg Cccnzwl3XTJOW5+IuxDAsiI0L8Fy8JhJnpdERg9qgXU
+-> ssh-ed25519 uKftJg /7GJLSD/uiWfbwND9yBqqVdp+K3d9PjBx7jnZ5QbZhY
-vgvQdUbmwRna+gLjGsmsheGGeG2KIxsWoDw4XAVSjEA
+1hCmQKXosEHtzL43H/i9vKfcN4RnhqKlpH2za4Ba4Ys
--> ssh-ed25519 Ziw7aw vMnvy4HgMvhwALtUI14DmX6LbQiLXROINbJPlVfoW0g
+-> ssh-ed25519 Ziw7aw 3RFUPE4hO518GvAOKe8blRdQeDourskVtPDTZr2/7HM
-FGxDYfiejy2a5W9eZKww1YgQ3mQFTj/mORwBwTsEW80
+4NqNkdP3heZwbSpcEKdDUB5oxhA6ejyfvbVeH5X95rI
---- lThDR400zmmiBqnNmi2QKp2l3z3wCZ0jAxqIROLWn74
+--- xei/y3zeGI2PBxQlSEClf+rwNoGu7B3Fxan5wtjjRVY
-?ż3JĂ€4zýr<C3BD>K
+Úc6>å8òß³©#”¨1ÙÏXl
$¾h}ð‚<C3B0>
kÁ:¼d„öjªÄt
-śk×Ď[<5B>€Ŕĺ“5D/Ň×DTX+lüŹ©frjĐł„±˝v©Î€›ńł,ř…¤•#ę“z*}*Q°Ç¤Jčś´ĺơŽX1<JŃżn<>
+dûtųÙøà祇ÇFhùr¯0W?»ÐêþÃÝ€IãΈôØ)Ewy

secrets/searx-env.age

@@ -1,9 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 uKftJg s5orwA5GrqKWguh/hIhdJGyUP+Vx7iGqoQKuEO48DiY
+-> ssh-ed25519 uKftJg fCoIf0PBF2yEyxTVyQ6TIpYLflTi0o8qvAGDEu9RuEw
-K+CrOTAFATdTsax+GwQBjJkni4IYDnfPdsVop8eMkKs
+Oii/YTr2eypugz2uvYHsVJNBGLuvdAk7ClnM+1QGyo0
--> ssh-ed25519 Ziw7aw 27Zr3vWFaQNfeTxJmNajNkigC5RUcwgz6Qs7183fUTM
+-> ssh-ed25519 Ziw7aw BqlFb0QPKLVQq6fRpnriiksmCJet6niIdAVNLIwS3gQ
-Bmj69hGO8tIZUJG5tiXqZHy+Ft6T5J2iJAYIxyYxZj8
+OHcA1QRQfdTFCo4sNbMhdQy97MB3TX4S7WtcHefQvNc
---- rC5PWCFkjuuPrSWRImrY7IzODjxevS30MFSXdV5qpG4
+--- jH9GM569IxkI0CM4xkIBC3KQRHaO5JIp+e89abfuNtQ
-#N¥<4E>R!F”²3{
+AáO™QŠá ÕÁ
QA…³µÝƒ67ÖÁȶ”¯ÝêYªÀïÛNŸfêJ#œSs	çãZõÛàÌ™–|^;K\jÍVù!œs“gu?|
-!šŠ6Ï1bF?ùœÇ¯ßg!o}$…iR‚½ƒ5øÞ×
-¶ûçjÈõýMÿgÕqµÝÈS,­_r:ªqf‘

secrets/stalwart-admin.age

@@ -1,9 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 uKftJg E7BMWjT2cbnomhydZCaRs5EMKoDGyU9O+NAvKHjflzs
+-> ssh-ed25519 uKftJg Xzdrr1er1AK3AjxaTw5XP+GicbeQ+Ym/64ALuvW9mx4
-8yl7y2iXNrBuCyT05sOatAHiJhizUSFgFJt0NlMZ9pY
+nNmJkCIQRlIRiHpQHfGZYbHGMk5C8EWqz4ewjMjA9O4
--> ssh-ed25519 Ziw7aw PTAzjpRIfFk86q3docaVsh4CbXjDiCNJR2Of8YAYSBQ
+-> ssh-ed25519 Ziw7aw 2vmbeaH1tIoOR+Ao3b0M1Lur4+3USj3jkpYAi+fB6AM
-5WLY3czA6TKBJyTMwGVxSR7kuIVxBDMaKZ41VYgGhN8
+qhNaZ1DaX4zbYqTsWB3sE9PRGWCm48r2+YBuzBz9gO4
---- DHfY8BOaO+vb2MYxX/3XbgAIlwilFEPLRGUlZGJh1g0
+--- WGMdCifHq9HHGKhJa5WI/amy8vatpzb+vEn4uMAMy/g
-<04>{<7B>-L^ﾂ粮8ﾎﾊ;ﾈﾇﾓﾇ碓
+²ðNÁyógXá¾–<EFBFBD>“W4<EFBFBD>…œqÞï©Ê’ÕxyãQÆ<EFBFBD>I6·W(`Ú/É-yŽÚg§³‘¥>B7áD-Óà»@6<>ñxIN‚”š³É'Ñý¸
-･7Лy囹aﾕ]ﾚ€<EFBE9A>,<2C>jEｽ\<5C><>\ｾ
-:"yX<ﾞ	7Xﾈｵ綏ﾕ浜M