Added zitadel masterkey + rewritten agenix secrets module.

secrets/default.nix

@@ -1,41 +1,41 @@
-{config, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (config.niksos) server;
+
   serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
+  abstrServiceUser = x: config.services.${x}.user;
 in {
   age.secrets = {
-    transferSh = {
-      file = ./transfer-sh.age;
-      owner = "jsw";
-    };
-    dcbot = {
-      file = ./dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
-    bread-dcbot = {
-      file = ./bread-dcbot.age;
-      owner =
-        if config.niksos.server
-        then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop.
-        else "root";
-    };
     password.file = ./password.age;
-    matrix-registration = {
+
-      file = ./matrix-registration.age;
+    # NOTE: server things
-      owner =
+    dcbot = mkIf server {
-        if config.niksos.server
+      file = ./dcbot.age;
-        then config.services.matrix-continuwuity.user
+      owner = serviceUser "dcbot"; #
-        else "root";
     };
-    cloudflare-acme.file = ./cloudflare-acme.age;
+    bread-dcbot = mkIf server {
-    mail-admin = {
+      file = ./bread-dcbot.age;
-      # owner = #FIXME: revert when stopped using docker for stalwart.
+      owner = "bread-dcbot";
-      #   if config.niksos.server
+    };
-      #   then serviceUser "stalwart-mail"
+    matrix-registration = mkIf server {
-      #   else "root";
+      file = ./matrix-registration.age;
+      owner = abstrServiceUser "matrix-continuwuity";
+    };
+    mail-admin = mkIf server {
+      # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
       file = ./mail-admin.age;
     };
-    zitadel.file = ./zitadel.age;
+    zitadel = mkIf server {
+      file = ./zitadel.age;
+      owner = abstrServiceUser "zitadel";
+    };
+    zitadel-key = mkIf server {
+      file = ./zitadel-key.age;
+      owner = abstrServiceUser "zitadel";
+    };
   };
 }

secrets/secrets.nix

@@ -18,7 +18,7 @@ in {
   "dcbot.age".publicKeys = keys;
   "bread-dcbot.age".publicKeys = keys;
   "matrix-registration.age".publicKeys = keys;
-  "cloudflare-acme.age".publicKeys = keys;
   "mail-admin.age".publicKeys = keys;
   "zitadel.age".publicKeys = keys;
+  "zitadel-key.age".publicKeys = keys;
 }

secrets/zitadel-key.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 GQzYWA 8s7XBtsT4aMey1VsjyPuiR9A23iGVgJlG2Dkw5Bvozo
+0GWZoueNk/hDnytLuHHFY2k+iL+Ine1wIYwQFiq7KCs
+-> ssh-ed25519 MfR7VA dzd732h24b07RcrrRc+P0X1NK976C3K3oU2qDmq9QG0
+6OeYdwuHemkFHrjbOQ/RFmMdsEt8OqIq5vgILNFTI6c
+-> ssh-ed25519 +cvRTg /KyYAI4kuFrZ6kr8tRBe9RSyrWIpzk7zJWshoYm+k10
+Eouuif3FzeKtCldyWDzD/eEj4A1lUrXFw3R/oEm8VgE
+-> ssh-ed25519 WCPLrA Z3Pw+BpqAB41FatChu2fTa7WEf1Px1aCyfQ3hgQpxS0
+CeooAiiIKhMT+apVorjV4bmbupESh3g4oSijGQqe1jA
+-> ssh-ed25519 7/ziYw 8v7lxtYQ++YPwxsvz7AokGHc1TBoF+NLon9BbvK+w3c
+SIlKY5qwo1jsKnP1jfoQjHU77XWfJ5Emy5Nni2qPx5E
+-> ssh-ed25519 VQy60Q teT6TQxAYDs09h8T9BnofmInTLQQ2PWN7qeS8CYDfHE
+7KE9Fpdd+OBVs4F5wp+lBRSJTLZHbrxy8rz+2pbbZ34
+--- aRYzmVbztYklpEcpALzft6JXe4ehgRMo9JfgloHP69s
+F9Y–Âaåy©|WÞª5Z9…kÛLºÎ$Ú;L%zíàklSIZ–òÑÄdyíþG…;Ÿñ’È–B	oðƒ×

system/server/zitadel.nix

@@ -15,7 +15,7 @@ in {
 
       services.zitadel = {
         enable = true;
-        masterKeyFile = "/etc/default/zitadel";
+        masterKeyFile = config.age.secrets.zitadel-key.path;
         settings = {
           inherit Port ExternalDomain;
           ExternalPort = 443;