Added zitadel masterkey + rewritten agenix secrets module.

2025-07-20 15:34:59 +02:00 · 2025-07-20 15:34:59 +02:00 · 53fb8e06dc
commit 53fb8e06dc
parent 7d59f3cdb1
5 changed files with 49 additions and 34 deletions
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -1,41 +1,41 @@
-{config, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.niksos) server;
+
  serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
+  abstrServiceUser = x: config.services.${x}.user;
 in {
  age.secrets = {
-    transferSh = {
-      file = ./transfer-sh.age;
-      owner = "jsw";
-    };
-    dcbot = {
-      file = ./dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
-    bread-dcbot = {
-      file = ./bread-dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
    password.file = ./password.age;
-    matrix-registration = {
-      file = ./matrix-registration.age;
-      owner =
-        if config.niksos.server
-        then config.services.matrix-continuwuity.user
-        else "root";
+
+    # NOTE: server things
+    dcbot = mkIf server {
+      file = ./dcbot.age;
+      owner = serviceUser "dcbot"; #
    };
-    cloudflare-acme.file = ./cloudflare-acme.age;
-    mail-admin = {
-      # owner = #FIXME: revert when stopped using docker for stalwart.
-      #   if config.niksos.server
-      #   then serviceUser "stalwart-mail"
-      #   else "root";
+    bread-dcbot = mkIf server {
+      file = ./bread-dcbot.age;
+      owner = "bread-dcbot";
+    };
+    matrix-registration = mkIf server {
+      file = ./matrix-registration.age;
+      owner = abstrServiceUser "matrix-continuwuity";
+    };
+    mail-admin = mkIf server {
+      # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
      file = ./mail-admin.age;
    };
-    zitadel.file = ./zitadel.age;
+    zitadel = mkIf server {
+      file = ./zitadel.age;
+      owner = abstrServiceUser "zitadel";
+    };
+    zitadel-key = mkIf server {
+      file = ./zitadel-key.age;
+      owner = abstrServiceUser "zitadel";
+    };
  };
 }