tadpole/test-vm: Update WHIB service

- Update `WHIB` input
- Update secrets to reflect changes in input

flake.lock

@@ -267,11 +267,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1735900130,
-        "narHash": "sha256-bj1b9f8hmyzQH74Lg6rBhe6DXbThifGhKQKIns3GT8w=",
+        "lastModified": 1738420006,
+        "narHash": "sha256-hz/8diWmWxyq5ywodBPTAs60MzH2t8IldooYnU5weZE=",
         "ref": "master",
-        "rev": "c9b16ef5558e48703bcb85be413f0c39a896e85b",
-        "revCount": 365,
+        "rev": "f73bdd33f47da1e6db9d5ff93039450ef972857c",
+        "revCount": 367,
         "type": "git",
         "url": "ssh://gitea@git.ppp.pm:1122/alex/whib.git"
       },

hosts/tadpole/modules/whib/default.nix

@@ -1,5 +1,4 @@
 {
-  pkgs,
   lib,
   config,
   ...
@@ -26,26 +25,20 @@ in
       enable = true;
 
       backend = {
-        signingKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-signing-key.path})";
         domain = "api.whib.ppp.pm";
         useACMEHost = "api.whib.ppp.pm";
+
+        environmentFile = config.age.secrets.whib-backend-env-vars.path;
       };
 
       postgres = {
-        database = "whib";
-        host = "postgres";
-        port = "5432";
-        user = "whib";
-        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-postgres-password.path})";
+        environmentFile = config.age.secrets.whib-postgres-env-vars.path;
 
         backup = {
           interval = "*-*-* 00:00:00 UTC";
 
+          environmentFile = config.age.secrets.whib-postgres-backup-env-vars.path;
           gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
-
-          backblazeBucket = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-bucket.path})";
-          backblazeKeyID = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key-id.path})";
-          backblazeKey = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-backblaze-key.path})";
         };
       };
 
@@ -53,19 +46,19 @@ in
         domain = "grafana.whib.ppp.pm";
         useACMEHost = "grafana.whib.ppp.pm";
 
-        password = "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.whib-grafana-password.path})";
+        environmentFile = config.age.secrets.whib-grafana-env-vars.path;
       };
     };
 
     age.secrets = {
-      "whib-signing-key".file = ../../../../secrets/tadpole/whib-signing-key.age;
-      "whib-postgres-password".file = ../../../../secrets/tadpole/whib-postgres-password.age;
-      "whib-grafana-password".file = ../../../../secrets/tadpole/whib-grafana-password.age;
+      "whib-backend-env-vars".file = ../../../../secrets/tadpole/whib-backend-env-vars.age;
+      "whib-postgres-env-vars".file = ../../../../secrets/tadpole/whib-postgres-env-vars.age;
 
+      "whib-postgres-backup-env-vars".file =
+        ../../../../secrets/tadpole/whib-postgres-backup-env-vars.age;
       "whib-gpg-key".file = ../../../../secrets/tadpole/whib-gpg-key.age;
-      "whib-backblaze-bucket".file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
-      "whib-backblaze-key-id".file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
-      "whib-backblaze-key".file = ../../../../secrets/tadpole/whib-backblaze-key.age;
+
+      "whib-grafana-env-vars".file = ../../../../secrets/tadpole/whib-grafana-env-vars.age;
     };
   };
 }

hosts/test-vm/whib-backend.nix

@@ -1,4 +1,5 @@
 {
+  pkgs,
   lib,
   config,
   ...
@@ -14,31 +15,65 @@ in
   };
 
   config = lib.mkIf enabled {
-    services.whib-backend = {
+    services.whib-backend =
+      let
+        backendEnvVars = pkgs.writeText "backend-env-vars" ''
+          SIGNING_KEY=signingkey
+          POSTGRES_DB=whib
+          POSTGRES_USER=whib
+          POSTGRES_PASSWORD=pgpassword
+        '';
+
+        postgresEnvVars = pkgs.writeText "postgres-env-vars" ''
+          POSTGRES_DB=whib
+          POSTGRES_USER=whib
+          POSTGRES_PASSWORD=pgpassword
+        '';
+
+        postgresBackupEnvVars = pkgs.writeText "postgres-backup-env-vars" ''
+          PGDATABASE=whib
+          PGUSER=whib
+          PGPASSWORD=pgpassword
+          B2_BUCKET=a
+          B2_APPLICATION_KEY_ID=b
+          B2_APPLICATION_KEY=c
+        '';
+
+        gpgPassphraseFile = pkgs.writeText "gpg-passphrase" ''
+          foobar
+        '';
+
+        grafanaEnvVars = pkgs.writeText "grafana-env-vars" ''
+          GF_SECURITY_ADMIN_PASSWORD=grafanapassword
+          GF_USERS_ALLOW_SIGN_UP=false
+        '';
+
+      in
+      {
         enable = true;
 
         backend = {
-        signingKey = "super-secret-key";
           domain = "whib-backend.local";
+
+          environmentFile = backendEnvVars;
         };
 
         postgres = {
-        password = "postgrespassword";
+          environmentFile = postgresEnvVars;
 
           backup = {
             interval = "*-*-* *:*:00 UTC"; # Every minute, for testing
 
-          # Set these for test runs
-          gpgPassphraseFile = "";
+            environmentFile = postgresBackupEnvVars;
+            gpgPassphraseFile = gpgPassphraseFile;
 
-          backblazeBucket = "";
-          backblazeKeyID = "";
-          backblazeKey = "";
           };
         };
 
         grafana = {
-        password = "granfanapassword";
+          domain = "grafana.local";
+
+          environmentFile = grafanaEnvVars;
         };
       };
 

secrets/secrets.nix

@@ -48,11 +48,9 @@ in {
   "tadpole/alex.tadpole-git.ppp.pm.pub.age".publicKeys = [ tadpole alex ];
   "tadpole/gitea-dbpassword.age".publicKeys = [ tadpole alex ];
 
-  "tadpole/whib-signing-key.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-postgres-password.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-grafana-password.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-backend-env-vars.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-postgres-env-vars.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-postgres-backup-env-vars.age".publicKeys = [ tadpole alex ];
   "tadpole/whib-gpg-key.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-backblaze-bucket.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-backblaze-key-id.age".publicKeys = [ tadpole alex ];
-  "tadpole/whib-backblaze-key.age".publicKeys = [ tadpole alex ];
+  "tadpole/whib-grafana-env-vars.age".publicKeys = [ tadpole alex ];
 }

secrets/tadpole/whib-backblaze-bucket.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 5R7G9A V2ngjouYa4wi42HngK3TQfGRNqZ+gW4iQ01HxdnfNxo
-vvK7WyZkdH/vmeBrC8cs3neLpaZ8RryvYg61sBzf12A
--> ssh-ed25519 +oNaHQ 1pK15FPOkaejA0GfotISM2ATOcE8tsUgZOpL0PONC08
-dDjq/2ZH/FHgLCQHgRaYba/3JtOvHl4k9GgzxyQw+L4
---- yyW+//7KvwvcTHs76bPxtG9TUrFgJzp7KtqaqjP/0GY
-徐~宰}"[黯nIm<49>ｦ2ﾑﾘtﾇﾋﾀT睹xwﾒTﾈﾍﾅ5,5^涇w焔6l懆TΘ(ﾓ

secrets/tadpole/whib-backblaze-key-id.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 5R7G9A YRCagpPHZ/4X9VyWgxWbugjSdYTzSUD2ncgWunzYVFs
-7SKYPayWt4XGG5YVB3yKt+dpGKOBtJW3E/LZq3eJmGI
--> ssh-ed25519 +oNaHQ EHjg/EH4AbcqEHp27hhJqOLwa9P7sz2iavqIvkBkFQA
-T/2Po7X5FFb575QSxvvE1LqwZpFoDX/gnKLopBw/NMU
---- 2cWhyrmkeeeiYNTyhJri/UHVhLqU0fJ3Py34rzhmr7c
-clNó2ƒÊ<C692>˜“y~<7E>,lsXü¨½Ãs.«‚4Ð*!³«Ñj‡c
-]uÖÆ·ûz£g“ŠÔö;F

secrets/tadpole/whib-backblaze-key.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 5R7G9A /exiuF2v+lsAUID7eT53DooUgVnQHsE0lJOPgdbLuzU
-KPZKG2vYo7hczQ9iRTubb8mBUM9F3E19+1T6GExhsJM
--> ssh-ed25519 +oNaHQ 6/BOd1ahNHbKPH6V4DwiSWQ2MFPztTAqBHTc8V1HJFw
-IF8V4HtNQqYzK58WdxYg1e2bfh9T7keV67VR/VzCUz0
---- WuqN3ez4lofmNyDaaKKXA23lFtnd+2VwuG7wT28u0xU
-СQ™ÙVd«„Èî>\™™ä

secrets/tadpole/whib-gpg-key.age

@@ -1,7 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 5R7G9A ORTl5WSeg4vSKUAwzCp9ABRL02SvjFZrBHuWLMbSmxI
-obXt5wHXbfkdOAXwPySZeFelSFwJnCoH1EExtXNmBio
--> ssh-ed25519 +oNaHQ vxTHufUlEwbuztnIsCcprfXonpNUlv1ZcHQpEQjGtz8
-uFym0SgmM6LZRqJrSPMLHI6DLZ5t/WLvKP0dMvM8bUc
---- 7UQLcCs/G20iP2YlwjCEmpFcXgqJfQacqSVGBBPmAbY
-yµÓ†ÅÖ'”_K<07>­f‡3ŠÍ¾ÉXî€ï£_½tu[ù\¾£á—)uKÍÂ,Æ«äzqñ<71><C3B1>­å|¨1!XöYYág¿7¥¡EÚ›°^žÿ
+-> ssh-ed25519 5R7G9A Q6V8S5312DQhP0QtPbAlbn+uDER6jpi+gvn40ndmnn0
+soymoaAKbNlYicSbtHhqn54D0zVBHBuHUKngex/VgoM
+-> ssh-ed25519 +oNaHQ cpzCyu/9Jrm9Rx5C/rhuZku6uJWjrlHpCYxWOwuwQWw
+1GA8NsLeOTo/zHs/k0vt/N8hH+2MXfMNRy+qKBqi3fM
+--- 5O74sFn1xDZ53xHM7KHZ+ge7DzdnhyeB0W0znMk7NYQ
+u¡™™²wèDüms"<22>š4¸—ýÙwÞüG¼LÏur	7V`G=	‰¡ã„C¼Èn2±¯n‚§3S~go¡½¾ìõcsþ@7œƳ

secrets/tadpole/whib-postgres-backup-env-vars.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 5R7G9A 1fOxRiFn+GPoFpSPhFAg2nmZpxFmM1BZcIMWQ3jy8Wg
+udiZYe2hTJCpuo7ZVNekU1vgJShLQJV89nYAA+TbyqQ
+-> ssh-ed25519 +oNaHQ dIP4ZIk2qWb64WXo69EF8KMFNzy0yy2tcO4BPfJD32Q
+T0tvWp0P/8wbfMAjm5jdfTfibnO8gAB08qRHxacaEIo
+--- 2yCl/WI2F8pCjIKNhljhDW5v7B+SBdxjp4htPW+GPXU
+_÷î×A³Nåé-¾šºÕWï»ü™r8…+¿ôg„¢€_殢vCÁ0 ð)Ð%¯äÁ8¢~¼æ7ÂQ"ÞS\ABž÷XQáþzPNÁ€ËefQ
+Ì øˆ*¶^cÞj
qôÌ«ÞÌ0´ÔáÈ{c¸9‚•Í–ž]4PxëpQ[«¦”.Cÿiá°X¿ø/=TîêIŽ”ÎÞÒÀÀ%ÝÎ¥WöOÏÉ5ê°ÍÓ-n2™°4"l – øçËy+’=ûu_݉IO<49>'Vž	ñ9VfÕ6JÑÜ%âõ.™ÀºêäRLéɈ”ñä

secrets/tadpole/whib-postgres-password.age

@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 5R7G9A WqkH9G2AGAcQfa9u+w6+QVXYVlozt0JsB/icILH/Jnc
-SGhXQ33eRtVtIEKdZCmpyxNUtFgtZhGUs9QX20GbHRg
--> ssh-ed25519 +oNaHQ k66ZToSUzHxDm0yZkI4+Gase/Q5GJrsB7c6+LvmgGSg
-6x9dzdloKJT2Tcawn4m2d518KUjdINGi4u+PFvMt9tQ
---- 395jqjDR3lBIIPOUIlnOJW/048qeJPC5CJbMJdpSjTo
-þÏ›Š<uI‚X"¤<0C>^CÚj};‡é´ÃKdÌíÒÅÙ—X•—bÔ§ÆÂWü,{7u+xšL]ÿž

secrets/tadpole/whib-signing-key.age

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 5R7G9A ncGAywK2O0Geyy5E9HmRdDCmCD7RwmflyyBXFKH4KSc
-4Izx8nT/k5yOMOG4InifQw+wzEDe9PqMyeF3LEicOKE
--> ssh-ed25519 +oNaHQ cPf/X971sb4pNKz9t0W318EpY3XJNB/OId7nGZ/ooXc
-Vp5x6PZML0jtPEjuaDo7KjtHdKv5SyPAS2+Fvhjbro8
---- 4jGA5763tvEcNDmNnYaoCfw99xROjqpKW0dMG23BqbE
-ŠŽ¼j^tþøª£…ÖÑB%<25>®a<>É×Å$öÖ8m}-LbMÎnè¼ÿþR÷×cZ–Áÿ=õˆ$xû«}¿Û)PHº{X”3¥á<C2A5>»¦¤’V±àü¶š½â£û€Õ•ª6Rs¦ùÌÿýr¡±b…nl<6E>]ƒž/ÈŽe@/‰*†¤õ:©Ú¸ãØV~¼¬V×a]`׫
-“¿¸=Ù¿v›z\…