From 93939f46646dc97065825e8931b1d04bd31a3662 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Sun, 5 Feb 2023 20:32:19 +0100
Subject: [PATCH] mastodon: use agenix
---
 agenix/hosts/sail/config.nix | 36 ++++++++++++++++++++++++++++++++++++
 secret/hosts/sail.nix | Bin 2776 -> 2539 bytes
 secrets.nix | 7 +++++++
 system/nixos/mastodon.nix | 12 ++++++------
 4 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index a265bd0..daefd36 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -1,5 +1,41 @@
 {
 age.secrets = {
+ mastodon-database-password = {
+ file = ./mastodon/databasePassword.age;
+ owner = "mastodon";
+ group = "mastodon";
+ };
+
+ mastodon-smtp-password = {
+ file = ./mastodon/smtpPassword.age;
+ owner = "mastodon";
+ group = "mastodon";
+ };
+
+ mastodon-otp-secret = {
+ file = ./mastodon/otpSecret.age;
+ owner = "mastodon";
+ group = "mastodon";
+ };
+
+ mastodon-secret-key-base = {
+ file = ./mastodon/secretKeyBase.age;
+ owner = "mastodon";
+ group = "mastodon";
+ };
+
+ mastodon-vapid-private-key = {
+ file = ./mastodon/vapidPrivateKey.age;
+ owner = "mastodon";
+ group = "mastodon";
+ };
+
+ mastodon-vapid-public-key = {
+ file = ./mastodon/vapidPublicKey.age;
+ owner = "mastodon";
+ group = "mastodon";
+ };
+
 freshrss-user-password = {
 file = ./freshrss/userPassword.age;
 owner = "freshrss";
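Review bot: The six new `age.secrets` entries in this hunk are copies of one another that differ only in the attribute name and the `.age` file, which is the kind of repetition where a later edit (say, changing the owner for one secret) silently drifts from the others. A small helper in this file keeps them in step, e.g. `mastodonSecret = name: { file = ./mastodon/${name}.age; owner = "mastodon"; group = "mastodon"; };` and then `mastodon-database-password = mastodonSecret "databasePassword";` for each entry. No `mode` is set, so agenix's default file mode applies to all six, which is the right choice for files only the `mastodon` user needs to read; if `vapidPublicKey` is ever needed by another process, it is the one entry that would warrant a wider mode since it is not sensitive. The `age.secrets` set that these entries live in continues past the end of the hunk.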
diff --git a/secret/hosts/sail.nix b/secret/hosts/sail.nix index 8e8045375dae4746583f1ae7ee6ad84999bfb389..2a60eaf691b23ddc4b5b19d08b608914f9477b06 100644 GIT binary patch literal 2539 zcmVX;LtKN|lz&RJ z7NumnUZh0jWsp{Emfthhf*yH!sc@S=@gdX?dVf-a^1*)tC4-Ha3zbHkCFTHbi&ZzG zt|+M{eX-&Uh|%|s6V7o@V+6qE&AfWgNc{NhyNdhDQpN=;>=O8`LD=n1g#^lb=)1*I z*8Wt*=I#VEc!p>34?3-C!G2M6Mv@SZEog*!5_T1pO;jE-j!YEb$PInxJ-B4^ozRZn zePU&LCw6Jxu)=yn;-=Bu(?uk>2>xkk_)RYMg zm0utPFwk1CT@}o114zl!T!Y|BN9*5Vg)%CM&G1C*{Y#6?NgO^aH4cK?9 zm=q_DO{b6~wOp>TJCD}V?VxBt1B%h~ic~j}R5@FX#)eP-nKx0vYysJAu767%d)Kty z(EE0{=?ZK)1M=bXmc$LqSYsZ1WWo{}V{1s3fI!i(AEUfFECiMq%YI2OitXysNv*Pr zEK`c!dK2q2eMkS!gQcDtL~V)Rf+D;|TO^{$JCGN0KDUBKmjg&xK_y1xE2j{BM`{N`=v_^%%$GUk?rVzY& zfz4%hos0ZaMs7A8RLch;dV%OYZ23d!ONxU-a#e<6+Z=54Oc6)G<*SK=#5MFoK563a zI_ho?4ovlae1LI&r}Jr9vDb8yK>p?W&2^Q#=W_R2SaRc~mg+ocW{y^pw%|nZ5R7-W z2)*vrM2B%ECW-Qv=BiL6BdYy}RzjAa#agn)lPZwkl?>O@Dd#2haqn57qCibeD84C| zg>k6{MzZZ~Oz|@KW1!vlx`qCS7ayTh!+w1;VlhW$sP@xO)pr>$F1-!!@c@^koLV$6 zTkzyM2mgNa%Q*u~aYLhF0{sphil{=1Oui1sjmVHsF-|a&ov$akBfAw5U7BmOKtYm+ zQukDZCYzx~--L}Tyk>UY;M&#~{`MSdbyK`E3`O^OGbDbedl8!WvQaQ+YqmH9WD9iY z#oRyvMFB%u4j*%U5{IK-IjzpzMl0euN%f2w*M%WKZjsxq&kx~@1z{N zeH>9xZ(v0Co}^~F+G7R<`Aj(FimBqcc#fe(0Vh00OjlZos>Xz{PSloN>$o>oEj5&` ze4d_!D{9O|NKZX;pyX3A<;Iz7w?bOa@V>Iy&OTqrUG^wboJ8GO?$9=D_fI6ZT{9Tz z2n^l$lJXMU3PM!MwU`Ee^aPaUsO{gSB&coxiS+V+kklYCblY(K#@!C733k)XLdR6C zW7%zEw}o395*mY*@B(XoLi#GTZ43k`8(dmXD{aW@nLjl?MBPNcJxF+b#_KESt(jqP_@)~t3)Z64-baFjxbWFb6>BmCkuJGdMjz)2Nhf=JwC&pT$G2A z21!0sKZ=}a1|!;l!QoZ+uKU;|E{&F6bpM$rhjtQliIls|{0 zY7ZI#$q*})l7^Fb)=s57v*p}lPP`#F+P3?#GcYoXpWSq?;Y6m|d3COrU)c)k2PI0r z_f6ea+*jOu){KfOyk?FeMXyWX2?2wWPCLuZLemXUMK2Yu1rU5PE7W2aVF@ZFfRs{H zk74eBq`7>0@d5s^Hh|Jx0S>$1RsEWy#Xr?WwWqE)*x*1 zU!9n#dZ00H3Kd+xu1B(A@(ReC1Hv%{&c4{qzRGd!N(5@hTBfD75 zFJxGHK=@Q{$K%)(WBdm~67`$M`Y=q9A7$rBB2di4R93Xog%Eit?wH*xxCX0a`jluU$cVeSSgMold0{Vjt5EOgVSKG|w&5C~3 zp8bZB+>c*#v%WOdBzLnO2NNvcqFad0kj5pa;063)1^(XbmvkxWl2TfW64K5FVt}zv zhQzU2Pu{)tx%yHvsb`iHT 
z!A-lNsob%4oAEKL#w0gj5Ib4w7`vQ!uA&IMFW?C2JRUV2!;F6}HV*U_Eh18l<-sK0 zkm^^bPIJJSD}oGx#Tb|weXTmb2EW+%_l_D=9v#LBHp1O(-`INlT&D;AxFCtSQB8Re zHwbZ2Vk;ya_b10w;B%;#LA)0Z_k}l1+(hy1;06jv?zI6PT>L#9VzMC#nCcB#pD#fF9~*b3v1z( zNy8BnvlIq!nl}Jyk%1{4sHa$!VvWfcjMNy-GYGUUx50k{Wp-0W57d|3TzCGyD2J@f zIXDEm2hfX__rN;3`4G5|MpVsC<7#rw_6=#*%D4?LU5Hfw^*p=Ln6jcjkVIo6sJG^D z8N;EXNZ+#bVq=vT`Xh6D9!^%-AQo{e(T^cmK+ios&65&uoE+umg6b)nzQ0#iaW|Xk z(w~5w2tBqIrY_L~ztzxz)bDy-0vs2o*cwcJk*ne(y-hadJVdip&r$@fl?O9uI;VDp zcUH@`rgQ=)tg5(%F}EEc5BPIwU%i(d=zeOe$i$rEJ|I=aOT#d!ZdrMo4E-{X>=u%!RT&*cM1eGhE_Xt-_uSg>O!!Hidx4!yaq=0x zk{_?*6+FtFN{{(unFCC}7)nlsQwQ4z&hL?a6``H=C!k;LMW}aB#Qo!nYfdwDclaT8 B+SLF6 literal 2776 zcmV;}3McgdM@dveQdv+`0QvSppjMP>)_Y8T{z~1Q=8x`yM6pAS{QE{2h>~VSCIeF(n`N>3HGxZ+IFXLQMI3ZJtOmC4rCw!c}f zek3j-1>pkKq#^8GkdYz1mNtKGuwmgak#+tnhSw#slBU*m81#xPy9%oj1d}$9w5St7H;7AY=LqVFz zx0P|y!EhJvNihP0hP+mS}0i8!EPAFC&r3$5N9nL?Dz#oH!ZXK z5M5t-dX7>gk!fgJ`7_m~&n&(g@J?S`D-r3X8#)`Zx}u*O9dj(^yaR2&i?p#CGFx3+ z{vWKT?1TQ(7T1Za$qk`X_SaW8%=D4}FgP{bX3(3l*IFLhAZKZtsB9fnnUXFsTmwX@ zVnE~y9I5z%(?m?G`r#u`ts;0HTn<_o&t@pJDN9KK7S?m z0*&s#n{~5?D-`H#O)`@Z>y1;Z(%F-g1%mXytENk&y<9BB#uYM4t zfXU6F-aG-gAY;l(#7{txBbfI6D@;uW-RC4`4;9x1Y`YZ%;6hl4w!f%C z!X|TlpV#_j>M+0d&Nzm%T9P3Ye|qC=zE45wor&{?7gJE(R*-8Cjd}76p)kUC=w9A_ zhfU;spY5SMeP^HxDhHrccr~v%B9>wefFCjdOzuFgQ||xuNr=JLjHB{%OGWUt<{EG7 zw2HgNFE8cgrRzhu1q9XE(y%nH0x zEZHf*zsI5kLS6q}AsT+ca2s7ghtHACuTJT7nEkrHWOs4CRD^=15CtjrxG&VPcF7Fb ztI2;{Xyaq;XccptyAna4CO+~Bp%ajn*=Phy^FpwEQ`Va%VmrjKhD}=iC0cx6Zaf-q zW@69b^wqQKjCy1id4-;ss1+FD`J)S?@C-do?=bx&M;7J-#!n+Uf)2>6}6*Lo0V- z3UH_h;G~(9zoKc;;dtEjqFwqhvA5<(qRoyB*5qn<=71u)62617j7m>bj-JL zBZ}CarWKbJD9lAOwd~6V%h|zB_I(9T@ma|n1Z14PHQF*WerkC8L3<==&c+pc13NSO zE~ZUF=JH((bw1Zj_*txovzTpGEf zB_2W55-VvS;Tbd@SNLH)HR>~=oG-mGNAzsn?46psqz3}nnO5Z)Z z&L@tOx~0i)*VX#_N+z95b+{J|!?qrb!`X<$1>IkGT&#z@1y0g4A@(E0XO(ryza7m! 
z+wLWKK)q5r{N~s||NH775Bb{7!4o4b4-em!id4y`)(s>`Y!NkK!Sf*lF)* z@zfp07^FAHjo?jB5yf%ugxe6}nbziHU0c|~m8f$%fHN{A7Eg4JgXZQ}^theGtl9!j z%CuQ2GwfMr7b9Xd%lOx!Z&%xhX60#Sb#Af>U+p)%n!a_T22TW&^5hxLDnxWR0*0Iq zI4y#Kg?_u1x;rM;ZLO}e!Qb?u+w0Si4+PCAwL@86KVp#+@O&26LP`MnpIp2NFdVfr zID{eS7jfRwgQ!ti@Y27S&%lM6CE%p@w66a?Ub2mz#$rX{(YpkCd7?^EBY&;Ztt1hh zT5J;Ec(A@xbG>a4xEux^S636q8BzHSDUgL$Q+UW*`k3u8OPek-SW(2wE1Yj|SIBh= zPLx`1ZKKrS;_KJ|4I8oRA%OUQBo?CCcsa$*;^Y@0>u?5i6a|y%7=gh9W^1)rZNKku zUpb~GFZ33h%9}3)Ni(bk^Y|xPB=>5sy8#$xl8%2f1mf%cz$v<$vf=3=A%p1}$*?LN z&cef!WlIHJn8bH1DZ;l`*{Uc`BJK!9hujJs?2wsouTTFmHyd75$* zq=WHED7`ZPe5$kvg_?VA1-1Mv&`2yCvqjWt80>l!o^KQXXkvh-$zL**zNib!y|cj= zsM#t0tqs3&sc3-T9g^UOXnL#A@NcGzpgCLDS&)|8dCClAZl#g7WA?~L7xnMf^;${R z5N7VTo~dh>F`JkU1f+o1q)QCC`=(1&vkMTn^g8m3i`7$shA0su^6&U8=Q{zo7DL_} zkAR82|7`AS?Z4sw2q#lkZZ$A{>8Lun-Qav-@$l8-dGfnzVy|>JFr1hHH^z9u4VVzz zSlTzHEan?Cqu2J(cQUDK|Mst61$fuL6i^~TW(|l$xN?v6`r@Hch~(l-^)reKjc*tI z>2fL{P^U|&6XCw2C$AkTZan*1J_pVkG-~>p)&ISHA=a6kUXY!RzO;{By+#$zDVDq+ z!eP^s3WL05`HZB$_y#b+~lI=US4_Wi7F|7gU?sWNbvwW{w+>UPm8#AAy&Bq2lu#Nrvb6&+4a= z+fHD;qZdF~>A{JQMI)yDnr%kjkxk{Uj`;K3FdZfVDD}Xw{j5=7%A5&aL0^Y|A z2NFet+5JHtubr7G*ty=Wf%M#VTR$Ox+FQKl26`r>?Otphm)Vak56SAf3;Ft^dp4FS e<0_ZF0g4!-)h*~9t}ZF$khNOCU}C4`j^O%CK4P8# diff --git a/secrets.nix b/secrets.nix index 765fcc9..19a7585 100644 --- a/secrets.nix +++ b/secrets.nix @@ -7,6 +7,13 @@ let in { # sail + "agenix/hosts/sail/mastodon/databasePassword.age".publicKeys = sail; + "agenix/hosts/sail/mastodon/smtpPassword.age".publicKeys = sail; + "agenix/hosts/sail/mastodon/otpSecret.age".publicKeys = sail; + "agenix/hosts/sail/mastodon/secretKeyBase.age".publicKeys = sail; + "agenix/hosts/sail/mastodon/vapidPrivateKey.age".publicKeys = sail; + "agenix/hosts/sail/mastodon/vapidPublicKey.age".publicKeys = sail; + "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail; "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail; } 
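Review bot: Each new `.age` entry in the `secrets.nix` hunk is encrypted to `sail` only, and `sail` is defined in the `let` block outside the hunk, so it is not visible here whether that list contains anything beyond the host's own key. If it is the host key alone, the only place these six files can be decrypted or re-encrypted with `agenix -e` is the host itself, and losing that host key makes every Mastodon secret unrecoverable; the usual pattern is `publicKeys = sail ++ [ adminKey ];` with an operator key kept off the host. The six lines also repeat the same path prefix and value and could be produced with `lib.genAttrs` over the file names, but that is a matter of taste.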
diff --git a/system/nixos/mastodon.nix b/system/nixos/mastodon.nix
index 0de165a..eac13d0 100644
--- a/system/nixos/mastodon.nix
+++ b/system/nixos/mastodon.nix
@@ -30,10 +30,10 @@ in
 trustedProxy = "127.0.0.1";
- vapidPublicKeyFile = "/var/lib/mastodon/secrets/vapid-public-key";
- secretKeyBaseFile = "/var/lib/mastodon/secrets/secret-key-base";
- otpSecretFile = "/var/lib/mastodon/secrets/otp-secret";
- vapidPrivateKeyFile = "/var/lib/mastodon/secrets/vapid-private-key";
+ vapidPublicKeyFile = config.age.secrets.mastodon-vapid-public-key.path;
+ secretKeyBaseFile = config.age.secrets.mastodon-secret-key-base.path;
+ otpSecretFile = config.age.secrets.mastodon-otp-secret.path;
+ vapidPrivateKeyFile = config.age.secrets.mastodon-vapid-private-key.path;
 database = {
 createLocally = false;
@@ -41,7 +41,7 @@ in
 port = 5432;
 name = "mastodon";
 inherit (secret.mastodon.database) user;
- inherit (secret.mastodon.database) passwordFile;
+ passwordFile = config.age.secrets.mastodon-database-password.path;
 };
 redis = {
@@ -62,7 +62,7 @@ in
 port = 587;
 fromAddress = "mastodon@mg.kempkens.io";
 inherit (secret.mastodon.smtp) user;
- inherit (secret.mastodon.smtp) passwordFile;
+ passwordFile = config.age.secrets.mastodon-smtp-password.path;
 };
 automaticMigrations = true;
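Review bot: The first hunk in `system/nixos/mastodon.nix` stops reading `/var/lib/mastodon/secrets/secret-key-base`, `otp-secret`, `vapid-private-key` and `vapid-public-key`, but nothing in the commit removes those plaintext files, so the old copies of the key material stay on disk in the service's state directory after the switch; the same applies to whatever paths `secret.mastodon.database.passwordFile` and `secret.mastodon.smtp.passwordFile` pointed at before the second and third hunks. Once the agenix-backed deployment is confirmed working, delete the old files, either by hand or with a `systemd.tmpfiles.rules` entry such as `"R /var/lib/mastodon/secrets - - - - -"` if that directory holds nothing else. The new lines depend on `config` being among the module's function arguments; the module header is outside the hunk, so that is assumed here. Note that `user` is still taken from the `secret` attribute set in the second and third hunks, so this file now mixes both secret sources; a short comment next to those `inherit` lines, `# non-secret account name, still from secret/hosts; passwords moved to agenix`, would save the next reader from wondering whether the migration was left half done.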