tadpole: Update WHIB secrets

2025-01-12 12:08:21 +01:00
parent faadb6b488
commit 1fd2f55cbf
13 changed files with 42 additions and 67 deletions
--- a/hosts/tadpole/modules/whib/default.nix
+++ b/hosts/tadpole/modules/whib/default.nix
@@ -1,5 +1,4 @@
 {
-  pkgs,
  lib,
  config,
  ...
@@ -26,26 +25,23 @@ in
      enable = true;

      backend = {
-        signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
        domain = "api.whib.ppp.pm";
        useACMEHost = "api.whib.ppp.pm";
+
+        enviromentFiles = [
+          config.age.secrets.whib-backend-env-vars
+          config.age.secrets.whib-postgres-env-vars
+        ];
      };

      postgres = {
-        database = "whib";
-        host = "postgres";
-        port = "5432";
-        user = "whib";
-        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
+        enviromentFiles = [ config.age.secrets.whib-postgres-env-vars ];

        backup = {
          interval = "*-*-* 00:00:00 UTC";

+          enviromentFile = config.age.secrets.whib-postgres-backup-env-vars;
          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
-
-          backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
-          backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
-          backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
        };
      };

@@ -53,19 +49,19 @@ in
        domain = "grafana.whib.ppp.pm";
        useACMEHost = "grafana.whib.ppp.pm";

-        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
+        enviromentFiles = [ config.age.secrets.whib-grafana-env-vars ];
      };
    };

    age.secrets = {
-      "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
-      "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
-      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
+      "whib-backend-env-vars".file = ../../../../secrets/tadpole/whib-backend-env-vars.age;
+      "whib-postgres-env-vars".file = ../../../../secrets/tadpole/whib-postgres-env-vars.age;

+      "whib-postgres-backup-env-vars".file =
+        ../../../../secrets/tadpole/whib-postgres-backup-env-vars.age;
      "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
-      "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
-      "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
-      "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
+
+      "whib-grafana-env-vars".file = ../../../../secrets/tadpole/whib-grafana-env-vars.age;
    };
  };
 }