9 files changed, 33 insertions, 25 deletions
diff --git a/users/aspen/secrets/bbbg.age b/users/aspen/secrets/bbbg.age
index ebc0df233898..d8294b047191 100644
--- a/users/aspen/secrets/bbbg.age
+++ b/users/aspen/secrets/bbbg.age
Binary files differdiff --git a/users/aspen/secrets/buildkite-ssh-key.age b/users/aspen/secrets/buildkite-ssh-key.age
index d9587f11df4b..062be3b9bd98 100644
--- a/users/aspen/secrets/buildkite-ssh-key.age
+++ b/users/aspen/secrets/buildkite-ssh-key.age
Binary files differdiff --git a/users/aspen/secrets/buildkite-token.age b/users/aspen/secrets/buildkite-token.age
index 320ee06c0937..f55b31fb08ed 100644
--- a/users/aspen/secrets/buildkite-token.age
+++ b/users/aspen/secrets/buildkite-token.age
Binary files differdiff --git a/users/aspen/secrets/cloudflare.age b/users/aspen/secrets/cloudflare.age
index 4f42ee782165..6b3974ec7ab6 100644
--- a/users/aspen/secrets/cloudflare.age
+++ b/users/aspen/secrets/cloudflare.age
Binary files differdiff --git a/users/aspen/secrets/ddclient-password.age b/users/aspen/secrets/ddclient-password.age
index 8d25e3b539bd..bc82063c3a28 100644
--- a/users/aspen/secrets/ddclient-password.age
+++ b/users/aspen/secrets/ddclient-password.age
Binary files differdiff --git a/users/aspen/secrets/secrets.nix b/users/aspen/secrets/secrets.nix
index 5bfb1c3eb08c..778b8ebd6e0a 100644
--- a/users/aspen/secrets/secrets.nix
+++ b/users/aspen/secrets/secrets.nix
@@ -8,7 +8,7 @@ in
 {
   "bbbg.age".publicKeys = [ grfn mugwump bbbg ];
   "cloudflare.age".publicKeys = [ grfn mugwump ];
-  "ddclient-password.age".publicKeys = [ grfn mugwump ];
+  "ddclient-password.age".publicKeys = [ grfn ogopogo ];
   "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ogopogo ];
   "buildkite-token.age".publicKeys = [ grfn mugwump ogopogo ];
   "windtunnel-bot-github-token.age".publicKeys = [ grfn mugwump ogopogo ];
diff --git a/users/aspen/secrets/windtunnel-bot-github-token.age b/users/aspen/secrets/windtunnel-bot-github-token.age
index daae99958276..84e852f4c1f1 100644
--- a/users/aspen/secrets/windtunnel-bot-github-token.age
+++ b/users/aspen/secrets/windtunnel-bot-github-token.age
@@ -1,11 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 CpJBgQ YaZ2VHyXofn2qnxRrOYO4yPPu77BEPFq/cbnfa+5WAA
-VgJQoyJVxirvASD0aDsuzmbNJdIP0kpHa5b72Ri7kr8
--> ssh-ed25519 LfBFbQ cXXW3kQzZL7sU4heujIJGzvfpbX0toL2AgsJl5AZPEg
-mhkKn69c/QeCJhYAFgx/MsHrIrXim3OcjkZ/rrckVLs
--> ssh-ed25519 GeE7sQ /XcP3pWg+aKF1F0sPu6RpYv3Rfj2J/QI0yjg3Wgfjm0
-d+rsgbMlDJx0VrjD4/nO4UcM10hcrLxcPA3QlY1t7sQ
--> "0?-grease k}d?h6 |v
-7mV6AFUdCMCrkmLVQaWJPQ
---- I9Ls9AWMkSFCKw7y4pLoTkeGw7h5iROwXLuUm0nfuj8
-~‚v‰8‚&‚ü£¹3\²Òý.»%$¼›Éº°³tòóˆØQ©ˆÀ¨á”Åé¼Íœ}ˆ—ó,BEÇh
w96”çö?ÓU
\ No newline at end of file
+-> ssh-ed25519 CpJBgQ qVlQpHyewtBSfFIdU8GihXC7JhGbcvQ61ZsJC20wSH4
+mZXwiTICzrG+3aCL67cO6cTWMgHkxhDyBi7tZ8l+QMA
+-> ssh-ed25519 LfBFbQ 78NQxflRkRMW5vSP1BEvASSQU2pZAfMwd7T2+6W7NQs
+u0x986pFtnD9ZqfL3KnRrdYS5z9LRUPJhcmc8FQOuGo
+-> ssh-ed25519 GeE7sQ aqFQGCywSimHNbN5si0PzmESUXwROjrpTe/5UdTyYw4
+X2thEJIyOnNUsA746VwqZhH+44XBfCTvh7VOEg/zew0
+--- ndSgjJv5Tel6ovKl+SBdDHZHlszgsEhOY1HHpNDvf1s
+ÒüI¼ÊÊµu*1ðÄt©(úùºîƒ/œXÀÜË•3È’ï†VGúÁT|Î@·ÌKó¾<}Â§)se¹9`í¶*z
\ No newline at end of file
diff --git a/users/aspen/system/system/machines/mugwump.nix b/users/aspen/system/system/machines/mugwump.nix
index 4cfa11713495..1daa92f25f42 100644
--- a/users/aspen/system/system/machines/mugwump.nix
+++ b/users/aspen/system/system/machines/mugwump.nix
@@ -9,7 +9,6 @@ with lib;
     (depot.path.origSrc + "/ops/modules/prometheus-fail2ban-exporter.nix")
     (depot.path.origSrc + "/users/aspen/xanthous/server/module.nix")
     (depot.third_party.agenix.src + "/modules/age.nix")
-    depot.third_party.ddclient.module
   ];
 
   networking.hostName = "mugwump";
@@ -83,7 +82,6 @@ with lib;
     in
     {
       cloudflare.file = secret "cloudflare";
-      ddclient-password.file = secret "ddclient-password";
 
       buildkite-ssh-key = {
         file = secret "buildkite-ssh-key";
@@ -164,18 +162,6 @@ with lib;
     };
   };
 
-  services.deprecated-ddclient = {
-    package = depot.third_party.ddclient;
-    enable = true;
-    domains = [ "home.gws.fyi" ];
-    interval = "1d";
-    zone = "gws.fyi";
-    protocol = "cloudflare";
-    username = "root@gws.fyi";
-    passwordFile = config.age.secretsDir + "/ddclient-password";
-    quiet = true;
-  };
-
   security.acme.certs."metrics.gws.fyi" = {
     dnsProvider = "cloudflare";
     credentialsFile = config.age.secretsDir + "/cloudflare";
diff --git a/users/aspen/system/system/machines/ogopogo.nix b/users/aspen/system/system/machines/ogopogo.nix
index 4b425246034d..4dbb3d14e6ce 100644
--- a/users/aspen/system/system/machines/ogopogo.nix
+++ b/users/aspen/system/system/machines/ogopogo.nix
@@ -96,4 +96,28 @@
       wal_level = "logical";
     };
   };
+
+  # ddclient
+  age.secrets =
+    let
+      secret = name: depot.users.aspen.secrets."${name}.age";
+    in
+    {
+      ddclient-password.file = secret "ddclient-password";
+    };
+
+  services.ddclient = {
+    enable = true;
+    domains = [ "home.gws.fyi" ];
+    interval = "1d";
+    zone = "gws.fyi";
+    protocol = "cloudflare";
+    username = "root@gws.fyi";
+    passwordFile = config.age.secretsDir + "/ddclient-password";
+    quiet = true;
+  }
+  # TODO(aspen): Remove when upgrading past 4.0.0
+  // lib.optionalAttrs (lib.versionOlder pkgs.ddclient.version "4.0.0") {
+    ssl = false;
+  };
 }