From e7c94b293cac9fe44ec5f1e133806cabffc1d170 Mon Sep 17 00:00:00 2001 From: Daniel Kempkens Date: Sun, 5 Feb 2023 21:08:03 +0100 Subject: [PATCH] mastodon: move extra config to age-encrypted file --- agenix/hosts/sail/config.nix | 6 ++++++ agenix/hosts/sail/mastodon/extraConfig.age | Bin 0 -> 877 bytes secret/hosts/sail.nix | Bin 2539 -> 2112 bytes secrets.nix | 1 + system/nixos/mastodon.nix | 18 ++---------------- 5 files changed, 9 insertions(+), 16 deletions(-) create mode 100644 agenix/hosts/sail/mastodon/extraConfig.age diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix index daefd36..9cdca1a 100644 --- a/agenix/hosts/sail/config.nix +++ b/agenix/hosts/sail/config.nix @@ -36,6 +36,12 @@ group = "mastodon"; }; + mastodon-extra-config = { + file = ./mastodon/extraConfig.age; + owner = "mastodon"; + group = "mastodon"; + }; + freshrss-user-password = { file = ./freshrss/userPassword.age; owner = "freshrss"; diff --git a/agenix/hosts/sail/mastodon/extraConfig.age b/agenix/hosts/sail/mastodon/extraConfig.age new file mode 100644 index 0000000000000000000000000000000000000000..ae202a917279488827e4d2dff8e68c3bc2e6e4d5 GIT binary patch literal 877 zcmV-z1Csn{?aHfJDO zGj1y|NN!JfFGX}zNH1h^MPWi?Y;;L5QeruCMp*00D?v?KFf&3`3P?9K zL~&>}NjO$vb2DjnN>fcxOH(jdL~=NKLN`K1NLf%sZ%9aTbXQPk3N1b$C@(E%a%Ew2 zWgs#?JXT+LNFYHVJ1%h{Rb(J`MqOB5Y6@y*P;PZlNH0@uRylD~LPl;%YHxK(Vn|R) zacNXeQfx_cL`+CeNoaIcFmpn9aWr!RV%T$Syo`)@rM+PIvX z<%!bNYAj`XuEJ6>I*8vp2lLFKjEM!c#5R>WwR&A5g1ueEP0APyS!)k4C?PBTYoJ*jhIO)s+unCPxND4Y+{Ek+26X;GDc4}v_`V00Svoa042z|yu$50ZV}v=Fy$iV{`5(SG{D=_zq^xYerT33nkp82}nc(4VKORZEd0D%kR0%qt{wxOL zG;{12w=jwMM6XQ>d7CwrtlJ(~1~r$+5S~(z3~)4zK3-nLP4%=F^sFUq8ILQVXn+DsUvLe9jfXeW)xtCuXa_cOBFQmO)(6 zk-&6$#7l9}>8s3(8biRLzvEA`Cc@_CSBmFk&?!kw7>Zt&wyOtWr6deA0PiEJU5wsd D;DK*A literal 0 HcmV?d00001 
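Review bot: The new `mastodon-extra-config` entry in agenix/hosts/sail/config.nix gives no hint of what the decrypted file must contain, and because the payload is an opaque blob in the repository a reader cannot tell which variables the service now depends on. A comment above the entry would close that gap, for example `# env file (KEY=value per line): ES_USER/ES_PASS, S3_* and AWS_* settings, DEEPL_*`, mirroring the keys this commit removes from system/nixos/mastodon.nix. The attribute set that holds these secret definitions opens and closes outside the hunk.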
diff --git a/secret/hosts/sail.nix b/secret/hosts/sail.nix index 2a60eaf691b23ddc4b5b19d08b608914f9477b06..5e77745743b63ee0fa8f1dedf0a659056fe18b9e 100644 GIT binary patch literal 2112 zcmV-G2*39LM@dveQdv+`0EJ9=j#B$~PRC-Ti$Qjry~veZ@O4o6`icmO=xmbgj)A*@ zvh!m7RSXe(Zwl-7^A#|vIE%l+{^`YyNU!;qgxEe*LFfevM6|?s2P7OS#zm=xZ9)Gq_LDsP|cssxS zuvxA*AUd}j(so?<>Q;1-D+~^U%?~I)XDN*ivz@@!6SOsxAX>`t+%uzaIaN2we<$pM zsju+FxJJ2LI&auro1=fqnNV2}Nv+A>!Ir`=;OxwK(>BCX?}d(YXYMl0cNW`iK?Z}S zefG0Q*kW7sNy?>~B_&ppEsy_aRmh(^gPSxzIB*eAjCS=(n9W}jJ-D#rmsk+SSF>l_ z1;`gMjp#;FXTvh{DL2-%c0$>ov!wv6PGh`XbmNwcU&Ma$h;e0bomlCFtWS*CdE@Bs z3yr%dwFFc1O7f{81{ePGf+gM}bx&!3hXMKh#>4W+fAdc^+Q|ZIt)Z7Hh*rb!CPGV^ zkq<@!RXc(lpwGMZD^g}vr)u6xIin8!Zq)}tFMlS%j6kGhdu1zE&_)kS`_k zrtE^K58O(hWi{Fx4e8M;f1IY~>wvdH$qu}V?!cXjN##*y?@d&Ldr#a$jTE`cLG#Nt zzHwp9q8rg;KDnp3VIR;2zVdzxyO}uQC!Q9T0p?Sxf3_zbn_ki1|#7p(Fk8b+S)<^N#Yu=uvLmydiBr8iIhKbb# z>kDWtiSm`B-;%mHlCGUI&>i|Kepcljfk{}iC^$Drr5ArKr75cc%(D`F~oEKT}cf0Wh5o2v(QDoG;XfH6mP^Qb|wr7!~5DwH^$41Urd>0WyH7w@1THNBa+ zGd@6~#e}DuTjwdjoTNJcesk6PSPjqEXcDCZd9KAYzyUxAL1V05jHeD!hLv!=OF`VE zb9r@v*(glkhnW%`v!)#~?_4KmXot4=pML2@Y1X>FdZ#=! zKWz#$sJKl8B?Av2sSFAslp*&C7z+_8w_=v7rTMV6+{kDNM3=WWI;^Yc9_rGE&mF#! 
zwh!+s_*skV^O5!^X{z5<6)aVhvL_PanIJDyL}D9o3&KH0yRcU>0RP#@2Uvu(0g5A6 z-%UXwnI06v+WAv^Gh-J_!Ra5cZpW@$h}Ujpt#loe%vt z=CD?Q^66Vv1hk3#6%tBm9Gvg&a|n#Cz^5;LeU{1-*NW&RT*Dd^UVBBJ9 zK}H%&$IJ2zVI%NZWFlPc^Ja!k#>)@w94Z(Le~nUhAuJTt`lg{K;UB-pkyBk;}5cR84$6L!7= z&+q{7t2zLMm&d-d2li**_O7P8Gwn+zxaWW>LUioCO#109M0{bRde2>2T zq!i!gAg9tcE4p;EQmIGB2k1{m9>)p=AF_yW=Sk>#$IRt0HQ-Pdq0E#NP(^YshzlhX zf@CHb)b5fQT(xG;Gg$tWoRigjKCjJsBO(I!c~8Q6Gy)ed9+DS2%0FTF#JgjkBswfU z7C`4}Ryh(~z-;lRd!c7x^Q-;zc*74hD6ouaEaSw_^swgy*5?|MZ-Xpc(3rb3uCtrH zt&`28$cC%Utd#lBVPsR?mQ2Hv^QC!PdL?a-TlIDwpLwEq9;)3;D{_CK{`-g%&pr3JC05z7R3;dd* z5r|}Uy-NjGWVkM(nI;j;LRpG6a%j?t)ozku*DiA!=miGa#SnSVVwaRCj{w})B{pTt z2MGJ^oue*K3SbT%)m7kK1G|C)Kmrq@Q z0F15L0<|8dyxctf`=ato#R4$rVp()qoqEqx+;-(zWb|9U$xOpZ@p~YZR8a=0Z(lv4 z!q~po{>!dHSnYJSaMWc{_dg_l7ADBT0}Ospz%~X;LtKN|lz&RJ z7NumnUZh0jWsp{Emfthhf*yH!sc@S=@gdX?dVf-a^1*)tC4-Ha3zbHkCFTHbi&ZzG zt|+M{eX-&Uh|%|s6V7o@V+6qE&AfWgNc{NhyNdhDQpN=;>=O8`LD=n1g#^lb=)1*I z*8Wt*=I#VEc!p>34?3-C!G2M6Mv@SZEog*!5_T1pO;jE-j!YEb$PInxJ-B4^ozRZn zePU&LCw6Jxu)=yn;-=Bu(?uk>2>xkk_)RYMg zm0utPFwk1CT@}o114zl!T!Y|BN9*5Vg)%CM&G1C*{Y#6?NgO^aH4cK?9 zm=q_DO{b6~wOp>TJCD}V?VxBt1B%h~ic~j}R5@FX#)eP-nKx0vYysJAu767%d)Kty z(EE0{=?ZK)1M=bXmc$LqSYsZ1WWo{}V{1s3fI!i(AEUfFECiMq%YI2OitXysNv*Pr zEK`c!dK2q2eMkS!gQcDtL~V)Rf+D;|TO^{$JCGN0KDUBKmjg&xK_y1xE2j{BM`{N`=v_^%%$GUk?rVzY& zfz4%hos0ZaMs7A8RLch;dV%OYZ23d!ONxU-a#e<6+Z=54Oc6)G<*SK=#5MFoK563a zI_ho?4ovlae1LI&r}Jr9vDb8yK>p?W&2^Q#=W_R2SaRc~mg+ocW{y^pw%|nZ5R7-W z2)*vrM2B%ECW-Qv=BiL6BdYy}RzjAa#agn)lPZwkl?>O@Dd#2haqn57qCibeD84C| zg>k6{MzZZ~Oz|@KW1!vlx`qCS7ayTh!+w1;VlhW$sP@xO)pr>$F1-!!@c@^koLV$6 zTkzyM2mgNa%Q*u~aYLhF0{sphil{=1Oui1sjmVHsF-|a&ov$akBfAw5U7BmOKtYm+ zQukDZCYzx~--L}Tyk>UY;M&#~{`MSdbyK`E3`O^OGbDbedl8!WvQaQ+YqmH9WD9iY z#oRyvMFB%u4j*%U5{IK-IjzpzMl0euN%f2w*M%WKZjsxq&kx~@1z{N zeH>9xZ(v0Co}^~F+G7R<`Aj(FimBqcc#fe(0Vh00OjlZos>Xz{PSloN>$o>oEj5&` ze4d_!D{9O|NKZX;pyX3A<;Iz7w?bOa@V>Iy&OTqrUG^wboJ8GO?$9=D_fI6ZT{9Tz z2n^l$lJXMU3PM!MwU`Ee^aPaUsO{gSB&coxiS+V+kklYCblY(K#@!C733k)XLdR6C 
zW7%zEw}o395*mY*@B(XoLi#GTZ43k`8(dmXD{aW@nLjl?MBPNcJxF+b#_KESt(jqP_@)~t3)Z64-baFjxbWFb6>BmCkuJGdMjz)2Nhf=JwC&pT$G2A z21!0sKZ=}a1|!;l!QoZ+uKU;|E{&F6bpM$rhjtQliIls|{0 zY7ZI#$q*})l7^Fb)=s57v*p}lPP`#F+P3?#GcYoXpWSq?;Y6m|d3COrU)c)k2PI0r z_f6ea+*jOu){KfOyk?FeMXyWX2?2wWPCLuZLemXUMK2Yu1rU5PE7W2aVF@ZFfRs{H zk74eBq`7>0@d5s^Hh|Jx0S>$1RsEWy#Xr?WwWqE)*x*1 zU!9n#dZ00H3Kd+xu1B(A@(ReC1Hv%{&c4{qzRGd!N(5@hTBfD75 zFJxGHK=@Q{$K%)(WBdm~67`$M`Y=q9A7$rBB2di4R93Xog%Eit?wH*xxCX0a`jluU$cVeSSgMold0{Vjt5EOgVSKG|w&5C~3 zp8bZB+>c*#v%WOdBzLnO2NNvcqFad0kj5pa;063)1^(XbmvkxWl2TfW64K5FVt}zv zhQzU2Pu{)tx%yHvsb`iHT z!A-lNsob%4oAEKL#w0gj5Ib4w7`vQ!uA&IMFW?C2JRUV2!;F6}HV*U_Eh18l<-sK0 zkm^^bPIJJSD}oGx#Tb|weXTmb2EW+%_l_D=9v#LBHp1O(-`INlT&D;AxFCtSQB8Re zHwbZ2Vk;ya_b10w;B%;#LA)0Z_k}l1+(hy1;06jv?zI6PT>L#9VzMC#nCcB#pD#fF9~*b3v1z( zNy8BnvlIq!nl}Jyk%1{4sHa$!VvWfcjMNy-GYGUUx50k{Wp-0W57d|3TzCGyD2J@f zIXDEm2hfX__rN;3`4G5|MpVsC<7#rw_6=#*%D4?LU5Hfw^*p=Ln6jcjkVIo6sJG^D z8N;EXNZ+#bVq=vT`Xh6D9!^%-AQo{e(T^cmK+ios&65&uoE+umg6b)nzQ0#iaW|Xk z(w~5w2tBqIrY_L~ztzxz)bDy-0vs2o*cwcJk*ne(y-hadJVdip&r$@fl?O9uI;VDp zcUH@`rgQ=)tg5(%F}EEc5BPIwU%i(d=zeOe$i$rEJ|I=aOT#d!ZdrMo4E-{X>=u%!RT&*cM1eGhE_Xt-_uSg>O!!Hidx4!yaq=0x zk{_?*6+FtFN{{(unFCC}7)nlsQwQ4z&hL?a6``H=C!k;LMW}aB#Qo!nYfdwDclaT8 B+SLF6 diff --git a/secrets.nix b/secrets.nix index 19a7585..339484b 100644 --- a/secrets.nix +++ b/secrets.nix @@ -13,6 +13,7 @@ in "agenix/hosts/sail/mastodon/secretKeyBase.age".publicKeys = sail; "agenix/hosts/sail/mastodon/vapidPrivateKey.age".publicKeys = sail; "agenix/hosts/sail/mastodon/vapidPublicKey.age".publicKeys = sail; + "agenix/hosts/sail/mastodon/extraConfig.age".publicKeys = sail; "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail; "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail; diff --git a/system/nixos/mastodon.nix b/system/nixos/mastodon.nix index eac13d0..eca011e 100644 --- a/system/nixos/mastodon.nix +++ b/system/nixos/mastodon.nix 
@@ -75,23 +75,9 @@ in extraConfig = { WEB_DOMAIN = web-domain; - - ES_USER = secret.mastodon.elasticsearch.user; - ES_PASS = secret.mastodon.elasticsearch.password; - - S3_ENABLED = "true"; - S3_BUCKET = secret.mastodon.s3.bucket; - AWS_ACCESS_KEY_ID = secret.mastodon.s3.accessKeyId; - AWS_SECRET_ACCESS_KEY = secret.mastodon.s3.secretAccessKey; - S3_PROTOCOL = "https"; - S3_REGION = secret.mastodon.s3.region; - S3_ENDPOINT = secret.mastodon.s3.endpoint; - S3_ALIAS_HOST = "mastodon-cdn.kempkens.io"; - S3_HOSTNAME = "mastodon-cdn.kempkens.io"; - - DEEPL_PLAN = "free"; - DEEPL_API_KEY = secret.mastodon.deepl.apiKey; }; + + extraEnvFiles = [ config.age.secrets.mastodon-extra-config.path ]; }; services.nginx = {
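Review bot: The five literal settings removed from `extraConfig` (`S3_ENABLED`, `S3_PROTOCOL`, `S3_ALIAS_HOST`, `S3_HOSTNAME`, `DEEPL_PLAN`) are not credentials, and moving them into the age file hides them from review and from later diffs; keeping them in `extraConfig` and encrypting only the values that came from `secret.mastodon.*` would leave the non-sensitive configuration auditable. This assumes the encrypted file now carries them, which the binary blob does not show, and they would have to be dropped from it so that no variable is defined twice. Separately, the old `secret.mastodon.*` values were interpolated at evaluation time, so they probably ended up in a store-resident environment file in earlier generations; rotating the Elasticsearch, S3 and DeepL credentials is worth considering. The attribute set that holds `extraConfig` and `extraEnvFiles` opens before the hunk.

```nix
extraConfig = {
  WEB_DOMAIN = web-domain;

  # Non-secret settings stay reviewable here; credentials come from extraEnvFiles.
  S3_ENABLED = "true";
  S3_PROTOCOL = "https";
  S3_ALIAS_HOST = "mastodon-cdn.kempkens.io";
  S3_HOSTNAME = "mastodon-cdn.kempkens.io";

  DEEPL_PLAN = "free";
};
# … unchanged: extraEnvFiles = [ config.age.secrets.mastodon-extra-config.path ]; …
```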