mastodon: move extra config to age-encrypted file

agenix/hosts/sail/config.nix

@@ -36,6 +36,12 @@
       group = "mastodon";
     };
 
+    mastodon-extra-config = {
+      file = ./mastodon/extraConfig.age;
+      owner = "mastodon";
+      group = "mastodon";
+    };
+
     freshrss-user-password = {
       file = ./freshrss/userPassword.age;
       owner = "freshrss";

secrets.nix

@@ -13,6 +13,7 @@ in
   "agenix/hosts/sail/mastodon/secretKeyBase.age".publicKeys = sail;
   "agenix/hosts/sail/mastodon/vapidPrivateKey.age".publicKeys = sail;
   "agenix/hosts/sail/mastodon/vapidPublicKey.age".publicKeys = sail;
+  "agenix/hosts/sail/mastodon/extraConfig.age".publicKeys = sail;
 
   "agenix/hosts/sail/freshrss/userPassword.age".publicKeys = sail;
   "agenix/hosts/sail/freshrss/databasePassword.age".publicKeys = sail;

system/nixos/mastodon.nix

@@ -75,23 +75,9 @@ in
 
     extraConfig = {
       WEB_DOMAIN = web-domain;
-
-      ES_USER = secret.mastodon.elasticsearch.user;
-      ES_PASS = secret.mastodon.elasticsearch.password;
-
-      S3_ENABLED = "true";
-      S3_BUCKET = secret.mastodon.s3.bucket;
-      AWS_ACCESS_KEY_ID = secret.mastodon.s3.accessKeyId;
-      AWS_SECRET_ACCESS_KEY = secret.mastodon.s3.secretAccessKey;
-      S3_PROTOCOL = "https";
-      S3_REGION = secret.mastodon.s3.region;
-      S3_ENDPOINT = secret.mastodon.s3.endpoint;
-      S3_ALIAS_HOST = "mastodon-cdn.kempkens.io";
-      S3_HOSTNAME = "mastodon-cdn.kempkens.io";
-
-      DEEPL_PLAN = "free";
-      DEEPL_API_KEY = secret.mastodon.deepl.apiKey;
     };
+
+    extraEnvFiles = [ config.age.secrets.mastodon-extra-config.path ];
   };
 
   services.nginx = {