From 57349dadc34d9dd3d5a6b1c87949ef124aea1ca5 Mon Sep 17 00:00:00 2001 From: Alexander Heldt Date: Sun, 12 Jan 2025 12:08:21 +0100 Subject: [PATCH] tadpole: Update `WHIB` secrets --- hosts/tadpole/modules/whib/default.nix | 32 ++++++++---------- secrets/secrets.nix | 10 +++--- secrets/tadpole/whib-backblaze-bucket.age | 7 ---- secrets/tadpole/whib-backblaze-key-id.age | 8 ----- secrets/tadpole/whib-backblaze-key.age | 7 ---- secrets/tadpole/whib-backend-env-vars.age | 11 ++++++ secrets/tadpole/whib-gpg-key.age | 12 +++---- secrets/tadpole/whib-grafana-env-vars.age | Bin 0 -> 407 bytes secrets/tadpole/whib-grafana-password.age | Bin 350 -> 0 bytes .../tadpole/whib-postgres-backup-env-vars.age | 7 ++++ secrets/tadpole/whib-postgres-env-vars.age | Bin 0 -> 447 bytes secrets/tadpole/whib-postgres-password.age | 7 ---- secrets/tadpole/whib-signing-key.age | 8 ----- 13 files changed, 42 insertions(+), 67 deletions(-) delete mode 100644 secrets/tadpole/whib-backblaze-bucket.age delete mode 100644 secrets/tadpole/whib-backblaze-key-id.age delete mode 100644 secrets/tadpole/whib-backblaze-key.age create mode 100644 secrets/tadpole/whib-backend-env-vars.age create mode 100644 secrets/tadpole/whib-grafana-env-vars.age delete mode 100644 secrets/tadpole/whib-grafana-password.age create mode 100644 secrets/tadpole/whib-postgres-backup-env-vars.age create mode 100644 secrets/tadpole/whib-postgres-env-vars.age delete mode 100644 secrets/tadpole/whib-postgres-password.age delete mode 100644 secrets/tadpole/whib-signing-key.age diff --git a/hosts/tadpole/modules/whib/default.nix b/hosts/tadpole/modules/whib/default.nix index e12e428..2f5c602 100644 --- a/hosts/tadpole/modules/whib/default.nix +++ b/hosts/tadpole/modules/whib/default.nix @@ -1,5 +1,4 @@ { - pkgs, lib, config, ... 
@@ -26,26 +25,23 @@ in
 enable = true;
 backend = {
- signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
 domain = "api.whib.ppp.pm";
 useACMEHost = "api.whib.ppp.pm";
+
+ environmentFiles = [
+ config.age.secrets.whib-backend-env-vars
+ config.age.secrets.whib-postgres-env-vars
+ ];
 };
 postgres = {
- database = "whib";
- host = "postgres";
- port = "5432";
- user = "whib";
- password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
+ environmentFiles = [ config.age.secrets.whib-postgres-env-vars ];
 backup = {
 interval = "*-*-* 00:00:00 UTC";
+ environentFile = config.age.secrets.whib-postgres-backup-env-vars;
 gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
-
- backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
- backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
- backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
 };
 };
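Review bot: `environentFile = config.age.secrets.whib-postgres-backup-env-vars;` in the backup block is misspelled (missing the `m`), so the backup job would never receive its env file; with the NixOS module system an undeclared option normally fails evaluation outright, unless that submodule is freeform. The same line, and the `environmentFiles` entries for backend and postgres here and for grafana in the next hunk, pass the agenix secret attrset rather than its decrypted path, whereas `gpgPassphraseFile` on the adjacent line uses `.path`; if these options are typed as paths or strings that will not evaluate either, and the backup would presumably run without the Backblaze credentials the removed lines used to supply. Suggest `environmentFile = config.age.secrets.whib-postgres-backup-env-vars.path;` and `environmentFiles = [ config.age.secrets.whib-postgres-env-vars.path ];` (likewise for the backend and grafana lists), assuming the singular option is indeed named `environmentFile`. The enclosing services attrset starts before this hunk.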
@@ -53,19 +49,19 @@ in
 domain = "grafana.whib.ppp.pm";
 useACMEHost = "grafana.whib.ppp.pm";
- password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
+ environmentFiles = [ config.age.secrets.whib-grafana-env-vars ];
 };
 };
 age.secrets = {
- "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
- "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
- "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
+ "whib-backend-env-vars".file = ../../../../secrets/tadpole/whib-backend-env-vars.age;
+ "whib-postgres-env-vars".file = ../../../../secrets/tadpole/whib-postgres-env-vars.age;
+ "whib-postgres-backup-env-vars".file =
+ ../../../../secrets/tadpole/whib-postgres-backup-env-vars.age;
 "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
- "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
- "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
- "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
+
+ "whib-grafana-env-vars".file = ../../../../secrets/tadpole/whib-grafana-env-vars.age;
 };
 };
}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a80f3dd..dfe883b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -48,11 +48,9 @@ in { "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ]; "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ]; - "tadpole/whib-signing-key.age".publicKeys = [ tadpole alex ]; - "tadpole/whib-postgres-password.age".publicKeys = [ tadpole alex ]; - "tadpole/whib-grafana-password.age".publicKeys = [ tadpole alex ]; + "tadpole/whib-backend-env-vars.age".publicKeys = [ tadpole alex ]; + "tadpole/whib-postgres-env-vars.age".publicKeys = [ tadpole alex ]; + "tadpole/whib-postgres-backup-env-vars.age".publicKeys = [ tadpole alex ]; "tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ]; - "tadpole/whib-backblaze-bucket.age".publicKeys = [ tadpole alex ]; - "tadpole/whib-backblaze-key-id.age".publicKeys = [ tadpole alex ]; - "tadpole/whib-backblaze-key.age".publicKeys = [ tadpole alex ]; + "tadpole/whib-grafana-env-vars.age".publicKeys = [ tadpole alex ]; } diff --git a/secrets/tadpole/whib-backblaze-bucket.age b/secrets/tadpole/whib-backblaze-bucket.age deleted file mode 100644 index 78446dc..0000000 --- a/secrets/tadpole/whib-backblaze-bucket.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 5R7G9A V2ngjouYa4wi42HngK3TQfGRNqZ+gW4iQ01HxdnfNxo -vvK7WyZkdH/vmeBrC8cs3neLpaZ8RryvYg61sBzf12A --> ssh-ed25519 +oNaHQ 1pK15FPOkaejA0GfotISM2ATOcE8tsUgZOpL0PONC08 -dDjq/2ZH/FHgLCQHgRaYba/3JtOvHl4k9GgzxyQw+L4 ---- yyW+//7KvwvcTHs76bPxtG9TUrFgJzp7KtqaqjP/0GY -~}"[~nIm2tTxwT5,5^w6lT( \ No newline at end of file diff --git a/secrets/tadpole/whib-backblaze-key-id.age b/secrets/tadpole/whib-backblaze-key-id.age deleted file mode 100644 index a8c90e3..0000000 --- a/secrets/tadpole/whib-backblaze-key-id.age +++ /dev/null 
@@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 5R7G9A YRCagpPHZ/4X9VyWgxWbugjSdYTzSUD2ncgWunzYVFs -7SKYPayWt4XGG5YVB3yKt+dpGKOBtJW3E/LZq3eJmGI --> ssh-ed25519 +oNaHQ EHjg/EH4AbcqEHp27hhJqOLwa9P7sz2iavqIvkBkFQA -T/2Po7X5FFb575QSxvvE1LqwZpFoDX/gnKLopBw/NMU ---- 2cWhyrmkeeeiYNTyhJri/UHVhLqU0fJ3Py34rzhmr7c -clN2ʍy~,lsXs.4*!jc -]uƷzg;F \ No newline at end of file diff --git a/secrets/tadpole/whib-backblaze-key.age b/secrets/tadpole/whib-backblaze-key.age deleted file mode 100644 index 7258cf2..0000000 --- a/secrets/tadpole/whib-backblaze-key.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 5R7G9A /exiuF2v+lsAUID7eT53DooUgVnQHsE0lJOPgdbLuzU -KPZKG2vYo7hczQ9iRTubb8mBUM9F3E19+1T6GExhsJM --> ssh-ed25519 +oNaHQ 6/BOd1ahNHbKPH6V4DwiSWQ2MFPztTAqBHTc8V1HJFw -IF8V4HtNQqYzK58WdxYg1e2bfh9T7keV67VR/VzCUz0 ---- WuqN3ez4lofmNyDaaKKXA23lFtnd+2VwuG7wT28u0xU -СQVd>\ ܇T-Q,ҽ\;y ^~nVXRs6A} \ No newline at end of file diff --git a/secrets/tadpole/whib-backend-env-vars.age b/secrets/tadpole/whib-backend-env-vars.age new file mode 100644 index 0000000..28c6017 --- /dev/null +++ b/secrets/tadpole/whib-backend-env-vars.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 5R7G9A 098fJ/7D7ghIhfoETYu7OoFQA8jZfDRkN2ahMvCHqwI +CRmQOA68qOd1yPXgEIFDCVP1NqBadCsgny4YDsTMF+0 +-> ssh-ed25519 +oNaHQ /DszHmFUavDkqGG2QCi4wnKGhwu2/Nby3SROBlnIsHk +lSw/+ogFi5HcjBPP0Q1rVZrLaY514OcTKcvjR+oBDJo +--- 4pBB/eV/ymB2WPnN5v2HlpYFc/W5hplU0lbp5LQgPBA +ohH ?M:sN ~t63HSI(bED!5:OAHX*uŮ}rlm>cFSp^93$8Ζ +λlzp{TC#ۚ/ )|Z& + Es Uտ +71</ѓFu`Qr~|qTA +T6?٠KRwZ Mdf!9vsyLIGS&\o䊷 HVy78%ʀ2SQy)JS*]O-K \ No newline at end of file diff --git a/secrets/tadpole/whib-gpg-key.age b/secrets/tadpole/whib-gpg-key.age index 2683cd9..5f519af 100644 --- a/secrets/tadpole/whib-gpg-key.age +++ b/secrets/tadpole/whib-gpg-key.age 
@@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 5R7G9A ORTl5WSeg4vSKUAwzCp9ABRL02SvjFZrBHuWLMbSmxI -obXt5wHXbfkdOAXwPySZeFelSFwJnCoH1EExtXNmBio --> ssh-ed25519 +oNaHQ vxTHufUlEwbuztnIsCcprfXonpNUlv1ZcHQpEQjGtz8 -uFym0SgmM6LZRqJrSPMLHI6DLZ5t/WLvKP0dMvM8bUc ---- 7UQLcCs/G20iP2YlwjCEmpFcXgqJfQacqSVGBBPmAbY -yӆ'_Kf3;X_tu[\)uK,ƫzq񐏭|1!XYYg7Eڛ^ \ No newline at end of file +-> ssh-ed25519 5R7G9A Q6V8S5312DQhP0QtPbAlbn+uDER6jpi+gvn40ndmnn0 +soymoaAKbNlYicSbtHhqn54D0zVBHBuHUKngex/VgoM +-> ssh-ed25519 +oNaHQ cpzCyu/9Jrm9Rx5C/rhuZku6uJWjrlHpCYxWOwuwQWw +1GA8NsLeOTo/zHs/k0vt/N8hH+2MXfMNRy+qKBqi3fM +--- 5O74sFn1xDZ53xHM7KHZ+ge7DzdnhyeB0W0znMk7NYQ +uwDms"4wGLur 7V`G= Cn2n 3S~gocs@7œƳ \ No newline at end of file diff --git a/secrets/tadpole/whib-grafana-env-vars.age b/secrets/tadpole/whib-grafana-env-vars.age new file mode 100644 index 0000000000000000000000000000000000000000..140bc4cd25402cd12df827e2b7e6daab7449d7e2 GIT binary patch literal 407 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP4KjDPbX2em3Xaqd zbIb{MEAc7Lat=2#4s-Hy&Ik`m^(gTV3y4Vd&2jq)$ZD+{QyFm*EWFE#cJjYPLiJKrzSBT&K3vm&{m($lEa(A~}7 zB+(!^sJPU*(lp=HGt)e!uxFR#ayO>K?S689Zztq?`GQ-(8DImKv-9IfnTfZv3BDY98 zASAiiKRdj{!!qpHxq)RpU9a?sNRlRe4LroE{UEuD4C+Ipdt3nRy@TB~IqOLm3+ z-uLmH1g~*z{DnUP>Tga?`qr46Q@e!W@!?P3jh6PW+bkTfRP%b-CcO{0f6m%*UA^O= rOr`3-8^N2tdz$_8ZacNjn7KA5XxiTQdE828-#?hdd#e1Q&--uyDWRJG literal 0 HcmV?d00001 
diff --git a/secrets/tadpole/whib-grafana-password.age b/secrets/tadpole/whib-grafana-password.age deleted file mode 100644 index aed434a737cc11b39f848926970c4282483a925d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 350 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP4KjDPbW|vf2n}!# zEyyvlNHi&P4>n74Ds*?%uc&YYJ&MNjYN_O-2 zs5H;Ei1cyt%qh$E&NuW6$x89Bbae~~H}xoXE=IRaJKrzSBT&I3ygWkRD9z=* zB&a;d-K5OdEHBmB**Uc|#XBNUJKWgc*vBox#el2a$+TQQJIgZ6AU8-mv^3K&GQ`a_ zzslIF(#JB&q`WG`B+S{gz|CLZH| z*wMwpsHnK4$SbrYwZz%eDV ssh-ed25519 5R7G9A U4C1QnkHs1IeuWpFmSEVdJRV6GsScLopx5Xfg2CvDG8 ++uR+7D9bTTY5esUtkvFMWbT57tHjFooHPW373tb3cJI +-> ssh-ed25519 +oNaHQ 1sprVMRMIJA8qloKB0RbKPJ9nADlk12TjiK2fmRW618 +rpnxkInsDYWZKAjyTZVsWIrNPfGl3xL5GncenDGD9kA +--- e31LMSX9cvCMMrKfDsfTIc3qsVddBfWBIVsBq8KzGrY +{4%rn8azmݥbV&G&F Iۺ®]荽Nb tTړ>)ɀ{#ym-Eo]J1/Cs bKJ&%&A#%u/~$hZ>8qmP )?qi:8|-c]5vFL+pe%%] =C3f3";4֬Pa \ No newline at end of file 
diff --git a/secrets/tadpole/whib-postgres-env-vars.age b/secrets/tadpole/whib-postgres-env-vars.age new file mode 100644 index 0000000000000000000000000000000000000000..d6e6bc0d8e4894ee95f3104e12f9c97ed3c77b25 GIT binary patch literal 447 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP4KjDPbX3SM@l7fA z2{J1;&kS%3^Un7R^+@t|NjLKME{HG*Ois%+DoOVbNKDMljO22zNV2fV&4|j$%QMeN zb&m+~wJ0x2tkO ssh-ed25519 5R7G9A WqkH9G2AGAcQfa9u+w6+QVXYVlozt0JsB/icILH/Jnc -SGhXQ33eRtVtIEKdZCmpyxNUtFgtZhGUs9QX20GbHRg --> ssh-ed25519 +oNaHQ k66ZToSUzHxDm0yZkI4+Gase/Q5GJrsB7c6+LvmgGSg -6x9dzdloKJT2Tcawn4m2d518KUjdINGi4u+PFvMt9tQ ---- 395jqjDR3lBIIPOUIlnOJW/048qeJPC5CJbMJdpSjTo -ϛ ssh-ed25519 5R7G9A ncGAywK2O0Geyy5E9HmRdDCmCD7RwmflyyBXFKH4KSc -4Izx8nT/k5yOMOG4InifQw+wzEDe9PqMyeF3LEicOKE --> ssh-ed25519 +oNaHQ cPf/X971sb4pNKz9t0W318EpY3XJNB/OId7nGZ/ooXc -Vp5x6PZML0jtPEjuaDo7KjtHdKv5SyPAS2+Fvhjbro8 ---- 4jGA5763tvEcNDmNnYaoCfw99xROjqpKW0dMG23BqbE -j^tB%a$8m}-LbMnRcZ= $ x})PH{X3ᏻVՕ6Rsrbnl]/Ȏe@/*:ڸV~Va]` =ٿvz\ X-𕽎 -w^.NД3NDB;cu%/%qޝ wҴiT<a勇-PW*v|A0qXf*Yv9 \ No newline at end of file