feat(grfn/mugwump): Set up agenix r/3454

Start setting up agenix with secrets in //users/grfn/secrets for
mugwump, starting with my cloudflare API key which I use for the ddns
from my home apartment

Change-Id: Ida66cb91da3415357a512039d6c23402f0ae9388
Reviewed-on: https://cl.tvl.fyi/c/depot/+/4683
Reviewed-by: grfn <grfn@gws.fyi>
Autosubmit: grfn <grfn@gws.fyi>
Tested-by: BuildkiteCI

1 files changed, 9 insertions, 2 deletions

diff --git a/users/grfn/system/system/machines/mugwump.nix b/users/grfn/system/system/machines/mugwump.nix
index 9ef428c2399b..d4e61b74a4c6 100644
--- a/users/grfn/system/system/machines/mugwump.nix
+++ b/users/grfn/system/system/machines/mugwump.nix
@@ -8,6 +8,7 @@ with lib;
     (modulesPath + "/installer/scan/not-detected.nix")
     "${depot.path}/ops/modules/prometheus-fail2ban-exporter.nix"
     "${depot.path}/users/grfn/xanthous/server/module.nix"
+    "${depot.third_party.agenix.src}/modules/age.nix"
   ];
 
   networking.hostName = "mugwump";
@@ -64,6 +65,12 @@ with lib;
 
   nix.gc.dates = "monthly";
 
+  age.secrets = let
+    secret = name: depot.users.grfn.secrets."${name}.age";
+  in {
+    cloudflare.file = secret "cloudflare";
+  };
+
   services.depot.auto-deploy = {
     enable = true;
     interval = "1d";
@@ -132,7 +139,7 @@ with lib;
   };
 
   systemd.services.ddclient.serviceConfig = {
-    EnvironmentFile = "/etc/secrets/cloudflare.env";
+    EnvironmentFile = "/run/agenix/cloudflare";
     DynamicUser = lib.mkForce false;
     ExecStart = lib.mkForce (
       let runtimeDir =
@@ -149,7 +156,7 @@ with lib;
 
   security.acme.certs."metrics.gws.fyi" = {
     dnsProvider = "cloudflare";
-    credentialsFile = "/etc/secrets/cloudflare.env";
+    credentialsFile = "/run/agenix/cloudflare";
     webroot = mkForce null;
   };