From e4feaa35adc77d913053b737f57a57d047cfe5e3 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Mon, 30 Mar 2026 17:14:47 -0400
Subject: [PATCH] secrets: migrate build-time secrets to agenix runtime

- coturn: switch static-auth-secret to static-auth-secret-file
- matrix: switch registration_token and turn_secret to file-based
- murmur: switch password to environmentFile with agenix
- p2pool: move public wallet address to service-configs.nix
---
 configuration.nix | 3 ++-
 modules/age-secrets.nix | 34 ++++++++++++++++++++++++++++++++
 secrets/coturn-auth-secret.age | Bin 0 -> 286 bytes
 secrets/matrix-reg-token.age | Bin 0 -> 286 bytes
 secrets/murmur-password-env.age | Bin 0 -> 255 bytes
 service-configs.nix | 1 +
 services/coturn.nix | 2 +-
 services/matrix.nix | 4 ++--
 services/p2pool.nix | 5 +----
 9 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100644 secrets/coturn-auth-secret.age
 create mode 100644 secrets/matrix-reg-token.age
 create mode 100644 secrets/murmur-password-env.age

diff --git a/configuration.nix b/configuration.nix
index a72df29..9af329f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -290,7 +290,8 @@
 enable = true;
 openFirewall = true;
 welcometext = "meow meow meow meow meow :3 xd";
- password = builtins.readFile ./secrets/murmur_password;
+ password = "$MURMURD_PASSWORD";
+ environmentFile = config.age.secrets.murmur-password-env.path;
 port = service_configs.ports.public.murmur.port;
 };

diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index c380aba..81cb4be 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
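Review bot: The plaintext file this hunk stops reading, `./secrets/murmur_password`, is not deleted by the patch — the diffstat lists only the three new `.age` files as created — and the same holds for `../secrets/coturn_static_auth_secret` and `../secrets/matrix_reg_token` in the coturn.nix and matrix.nix hunks. Because the old `builtins.readFile` calls presumably baked those values into Nix-store configuration files, the agenix migration only helps if the secrets are also rotated; re-encrypting the existing values leaves them recoverable from old store paths and from any git history that carried the plaintext files (not visible here). Remove the plaintext files in this change and rotate the murmur password, coturn secret and registration token. `password = "$MURMURD_PASSWORD"` depends on the murmur module substituting variables from `environmentFile` into its config, so the encrypted env file must define `MURMURD_PASSWORD=...`, which cannot be checked from the diff. The enclosing `services.murmur` block starts before the hunk.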
@@ -94,5 +94,39 @@
 file = ../secrets/mollysocket-env.age;
 mode = "0400";
 };
+
+ # Murmur (Mumble) server password
+ murmur-password-env = {
+ file = ../secrets/murmur-password-env.age;
+ mode = "0400";
+ owner = "murmur";
+ group = "murmur";
+ };
+
+ # Coturn static auth secret
+ coturn-auth-secret = {
+ file = ../secrets/coturn-auth-secret.age;
+ mode = "0400";
+ owner = "turnserver";
+ group = "turnserver";
+ };
+
+ # Matrix (continuwuity) registration token
+ matrix-reg-token = {
+ file = ../secrets/matrix-reg-token.age;
+ mode = "0400";
+ owner = "continuwuity";
+ group = "continuwuity";
+ };
+
+ # Matrix (continuwuity) TURN secret — same secret as coturn-auth-secret,
+ # decrypted separately so continuwuity can read it with its own ownership
+ matrix-turn-secret = {
+ file = ../secrets/coturn-auth-secret.age;
+ mode = "0400";
+ owner = "continuwuity";
+ group = "continuwuity";
+ };
+
 };
 }
diff --git a/secrets/coturn-auth-secret.age b/secrets/coturn-auth-secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..d70dd043f1b21fae969159e7c60a47b7318b0147
GIT binary patch
literal 286
zcmZQ@_Y83kiVO&0xI5oQ>6z@D`1@>GiFcX!ZydSasrTyW@(w9P4xV32Sk5O`Fa&-N&Ptzb|54@3jR|4%m0528Wt=C+<{*&PxO)~xM$f6ePw|KvA;dB-#i`&+bsB@T^1+bAM|}Cq zBR{>lXsG)CW^2EK!ZwZ$I|e;xy_1t~SbvfF^`qM5mz+W370)J*8nbZc{F;3%c8*(e vXIaXpU#j8xeem>whqsHCT}jPe%-#5z>EH>e8Rb&zJ#u0iqoRKEo!SckVpEI2
literal 0
HcmV?d00001
diff --git a/secrets/matrix-reg-token.age b/secrets/matrix-reg-token.age
new file mode 100644
index 0000000000000000000000000000000000000000..e5a73988daae62b7a2bd5084d60fc6cdf5270f5a
GIT binary patch
literal 286
zcmZQ@_Y83kiVO&0U@FKK*HmKKwCUX6>dfg&*?OjPdAiP!J(l?EoL%CBy^k5T2mIGO z5qaZY?8ElQA??eX@6EY=WAE<^$9nVM)wxw%J%8-Rk$LYAH)7SK*Z?fBRPyJG}N8{qd6Z`ay zTUCl@PCaXN`o%^0$BUbjFV~!RsSRO1@kDLM{Jl$#+`4muZ-aPQ`pKSSRyBvFuJf49 xT`BNNKU{l4cCy#0slK)x%X?3A{j_MfQ`XQeKmQWcYt@IPa`sqEY&YZs03h)GtCSq@$@^={{@ z7BmOgnBNx)KfNSlbNM$mJzM6Fg3_LKavQc6R)bhb^rP005IxaU=i$
literal 0
HcmV?d00001
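Review bot: The comment on `murmur-password-env` does not say that this entry is an environment file rather than a bare secret value like the other three, even though configuration.nix relies on it defining the variable substituted into `password = "$MURMURD_PASSWORD"`; suggest `# Murmur (Mumble) server password — env file for services.murmur.environmentFile; must set MURMURD_PASSWORD=<value>`. Decrypting `coturn-auth-secret.age` twice under `matrix-turn-secret` keeps rotation to a single file, which is the right call; the comment already explains the ownership reason, so nothing further is needed there. The enclosing `age.secrets` attribute set starts before the hunk.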
diff --git a/service-configs.nix b/service-configs.nix
index b6d0502..a79a16c 100644
--- a/service-configs.nix
+++ b/service-configs.nix
@@ -212,6 +212,7 @@ rec {

 p2pool = {
 dataDir = services_dir + "/p2pool";
+ walletAddress = "49b6NT2k7fQHs8JvF7naUvchYwTQmRpoMMXb1KJTg5UcZVmyPJ7n6jgiH8DrvEsMg5GvMjJqPB1c1PTBAYtUTsbeHe5YMBx";
 };

 matrix = {
diff --git a/services/coturn.nix b/services/coturn.nix
index 9f11ff7..4dfd8d3 100644
--- a/services/coturn.nix
+++ b/services/coturn.nix
@@ -9,7 +9,7 @@
 enable = true;
 realm = service_configs.https.domain;
 use-auth-secret = true;
- static-auth-secret = lib.strings.trim (builtins.readFile ../secrets/coturn_static_auth_secret);
+ static-auth-secret-file = config.age.secrets.coturn-auth-secret.path;
 listening-port = service_configs.ports.public.coturn.port;
 tls-listening-port = service_configs.ports.public.coturn_tls.port;
 no-cli = true;
diff --git a/services/matrix.nix b/services/matrix.nix
index 3aaee5b..c8952d8 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -21,7 +21,7 @@
 port = [ service_configs.ports.private.matrix.port ];
 server_name = service_configs.https.domain;
 allow_registration = true;
- registration_token = lib.strings.trim (builtins.readFile ../secrets/matrix_reg_token);
+ registration_token_file = config.age.secrets.matrix-reg-token.path;
 new_user_displayname_suffix = "";
@@ -37,7 +37,7 @@
 ];

 # TURN server config (coturn)
- turn_secret = config.services.coturn.static-auth-secret;
+ turn_secret_file = config.age.secrets.matrix-turn-secret.path;
 turn_uris = [
 "turn:${service_configs.https.domain}?transport=udp"
 "turn:${service_configs.https.domain}?transport=tcp"
diff --git a/services/p2pool.nix b/services/p2pool.nix
index 99101ab..4550451 100644
--- a/services/p2pool.nix
+++ b/services/p2pool.nix
@@ -4,9 +4,6 @@
 lib,
 ...
 }:
-let
- walletAddress = lib.strings.trim (builtins.readFile ../secrets/xmrig-wallet);
-in
 {
 imports = [
 (lib.serviceMountWithZpool "p2pool" service_configs.zpool_ssds [
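Review bot: `static-auth-secret-file = config.age.secrets.coturn-auth-secret.path` drops the explicit `lib.strings.trim` that the removed line applied, so the decrypted file is now consumed verbatim; if `coturn-auth-secret.age` was written with an editor it likely ends in a newline, and unless the coturn module strips it when splicing the file into the runtime config the TURN secret will silently differ from what continuwuity and clients sign with. The same applies to `registration_token_file` and `turn_secret_file` in the two matrix.nix hunks, which also replace trimmed reads — verify that the encrypted contents have no trailing newline or that every consumer trims before deploying. This hunk also references `config`, which the removed line did not; coturn.nix's argument set is outside the hunk, so confirm the module receives `config` or evaluation will fail. The enclosing `services.coturn` block starts before the hunk.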
@@ -20,7 +17,7 @@ in
 services.p2pool = {
 enable = true;
 dataDir = service_configs.p2pool.dataDir;
- walletAddress = walletAddress;
+ walletAddress = service_configs.p2pool.walletAddress;
 sidechain = "nano";
 host = "127.0.0.1";
 rpcPort = service_configs.ports.public.monero_rpc.port;