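{ config, lib, pkgs, inputs, ... }:
{
  # Pull in the agenix module so `age.secrets.*` is a valid option set.
  imports = [ inputs.agenix.nixosModules.default ];

  # All agenix-managed secrets for this host.
  #
  # Every entry decrypts `file` at system activation and installs it with the
  # given `mode`/`owner`/`group` (default location under /run/agenix unless
  # `path` is set). Unless a comment says otherwise, a secret is readable by
  # exactly one principal (mode 0400). Secrets with no explicit owner/group
  # fall back to agenix's default, which is root.
  age.secrets = {
    # ZFS encryption key.
    # `path` is pinned to /etc/zfs-key so it matches the ZFS dataset's
    # `keylocation=file:///etc/zfs-key` property.
    # NOTE(review): agenix installs secrets during NixOS activation, i.e.
    # after the root filesystem is up. This key can therefore only unlock
    # datasets that are loaded after activation, not anything the initrd
    # needs — confirm the dataset using this keylocation is loaded late.
    zfs-key = {
      file = ../secrets/server/zfs-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
      path = "/etc/zfs-key";
    };

    # Secure Boot key archive (PK/KEK/db material); root-only.
    secureboot-tar = {
      file = ../secrets/server/secureboot.tar.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # Hashed system account password(s); root-only.
    hashedPass = {
      file = ../secrets/server/hashedPass.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # Caddy basic-auth credentials for the main reverse proxy.
    caddy_auth = {
      file = ../secrets/server/caddy_auth.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };

    # Njalla API token (NJALLA_API_TOKEN=...) used by Caddy for the ACME
    # DNS-01 challenge. Note this token can alter DNS for the whole zone,
    # so it is scoped to the caddy user only.
    njalla-api-token-env = {
      file = ../secrets/server/njalla-api-token-env.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };

    # ddns-updater config.json, carries Njalla provider credentials.
    ddns-updater-config = {
      file = ../secrets/server/ddns-updater-config.age;
      mode = "0400";
      owner = "ddns-updater";
      group = "ddns-updater";
    };

    # Jellyfin API key; root-owned, so whatever consumes it must run as root
    # or receive it via systemd credentials — not visible from this file.
    jellyfin-api-key = {
      file = ../secrets/server/jellyfin-api-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # slskd environment file, owned by the slskd service user/group as
    # configured in `services.slskd`.
    # Mode was 0500; the execute bit serves no purpose on an environment
    # file that is only ever read, so it is dropped to 0400 (least privilege).
    slskd_env = {
      file = ../secrets/server/slskd_env.age;
      mode = "0400";
      owner = config.services.slskd.user;
      group = config.services.slskd.group;
    };

    # WireGuard interface configuration (contains the private key); root-only.
    wg0-conf = {
      file = ../secrets/server/wg0.conf.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # ntfy alert secrets. Deliberately group-readable (0440, group
    # gitea-runner) so CI jobs can send notifications. Consequence: any job
    # executed by the runner can read the topic name and the publish token,
    # so this token should be limited to publishing on that topic.
    ntfy-alerts-topic = {
      file = ../secrets/server/ntfy-alerts-topic.age;
      mode = "0440";
      owner = "root";
      group = "gitea-runner";
    };
    ntfy-alerts-token = {
      file = ../secrets/server/ntfy-alerts-token.age;
      mode = "0440";
      owner = "root";
      group = "gitea-runner";
    };

    # Firefox Sync server environment (SYNC_MASTER_SECRET).
    # No owner/group given, so agenix's default (root) applies; the service
    # must therefore read this as root or via systemd credentials — confirm.
    firefox-syncserver-env = {
      file = ../secrets/server/firefox-syncserver-env.age;
      mode = "0400";
    };

    # MollySocket environment (MOLLY_VAPID_PRIVKEY + MOLLY_ALLOWED_UUIDS).
    # Same ownership caveat as firefox-syncserver-env above.
    mollysocket-env = {
      file = ../secrets/server/mollysocket-env.age;
      mode = "0400";
    };

    # Murmur (Mumble) server password environment file.
    murmur-password-env = {
      file = ../secrets/server/murmur-password-env.age;
      mode = "0400";
      owner = "murmur";
      group = "murmur";
    };

    # coturn static-auth-secret, readable by the TURN server only.
    coturn-auth-secret = {
      file = ../secrets/server/coturn-auth-secret.age;
      mode = "0400";
      owner = "turnserver";
      group = "turnserver";
    };

    # Matrix (continuwuity) registration token.
    matrix-reg-token = {
      file = ../secrets/server/matrix-reg-token.age;
      mode = "0400";
      owner = "continuwuity";
      group = "continuwuity";
    };

    # Matrix (continuwuity) TURN secret. This is the SAME ciphertext as
    # coturn-auth-secret, decrypted a second time under continuwuity's
    # ownership instead of widening the coturn copy to a shared group.
    # Keep the two entries pointing at the same .age file; if the secret
    # is rotated, both are updated together by construction.
    matrix-turn-secret = {
      file = ../secrets/server/coturn-auth-secret.age;
      mode = "0400";
      owner = "continuwuity";
      group = "continuwuity";
    };

    # CI deploy SSH private key. Owned by gitea-runner, which means every
    # job the runner executes can read it; whatever it grants on the
    # deploy target should be scoped accordingly (e.g. a restricted key).
    ci-deploy-key = {
      file = ../secrets/server/ci-deploy-key.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # git-crypt symmetric key for the unified nixos repo. Same exposure
    # as ci-deploy-key: readable by any CI job on this runner.
    git-crypt-key-nixos = {
      file = ../secrets/server/git-crypt-key-nixos.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # Gitea Actions runner registration token.
    gitea-runner-token = {
      file = ../secrets/server/gitea-runner-token.age;
      mode = "0400";
      owner = "gitea-runner";
      group = "gitea-runner";
    };

    # llama-cpp API key for bearer-token auth; root-owned (see jellyfin-api-key
    # for the same consumption caveat).
    llama-cpp-api-key = {
      file = ../secrets/server/llama-cpp-api-key.age;
      mode = "0400";
      owner = "root";
      group = "root";
    };

    # Harmonia binary-cache signing key. Anyone holding this can sign store
    # paths that clients of the cache will trust, so it stays with the
    # harmonia user only.
    harmonia-sign-key = {
      file = ../secrets/server/harmonia-sign-key.age;
      mode = "0400";
      owner = "harmonia";
      group = "harmonia";
    };

    # Caddy basic-auth for the nix binary cache, kept separate from the
    # main caddy_auth so the two credential sets can be rotated independently.
    nix-cache-auth = {
      file = ../secrets/server/nix-cache-auth.age;
      mode = "0400";
      owner = "caddy";
      group = "caddy";
    };
  };
}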