secrets: migrate build-time secrets to agenix runtime

- coturn: switch static-auth-secret to static-auth-secret-file
- matrix: switch registration_token and turn_secret to file-based
- murmur: switch password to environmentFile with agenix
- p2pool: move public wallet address to service-configs.nix

configuration.nix

@@ -290,7 +290,8 @@
     enable = true;
     openFirewall = true;
     welcometext = "meow meow meow meow meow :3 xd";
-    password = builtins.readFile ./secrets/murmur_password;
+    password = "$MURMURD_PASSWORD";
+    environmentFile = config.age.secrets.murmur-password-env.path;
     port = service_configs.ports.public.murmur.port;
   };
 

modules/age-secrets.nix

@@ -94,5 +94,39 @@
       file = ../secrets/mollysocket-env.age;
       mode = "0400";
     };
+
+    # Murmur (Mumble) server password
+    murmur-password-env = {
+      file = ../secrets/murmur-password-env.age;
+      mode = "0400";
+      owner = "murmur";
+      group = "murmur";
+    };
+
+    # Coturn static auth secret
+    coturn-auth-secret = {
+      file = ../secrets/coturn-auth-secret.age;
+      mode = "0400";
+      owner = "turnserver";
+      group = "turnserver";
+    };
+
+    # Matrix (continuwuity) registration token
+    matrix-reg-token = {
+      file = ../secrets/matrix-reg-token.age;
+      mode = "0400";
+      owner = "continuwuity";
+      group = "continuwuity";
+    };
+
+    # Matrix (continuwuity) TURN secret — same secret as coturn-auth-secret,
+    # decrypted separately so continuwuity can read it with its own ownership
+    matrix-turn-secret = {
+      file = ../secrets/coturn-auth-secret.age;
+      mode = "0400";
+      owner = "continuwuity";
+      group = "continuwuity";
+    };
+
   };
 }

service-configs.nix

@@ -212,6 +212,7 @@ rec {
 
   p2pool = {
     dataDir = services_dir + "/p2pool";
+    walletAddress = "49b6NT2k7fQHs8JvF7naUvchYwTQmRpoMMXb1KJTg5UcZVmyPJ7n6jgiH8DrvEsMg5GvMjJqPB1c1PTBAYtUTsbeHe5YMBx";
   };
 
   matrix = {

services/coturn.nix

@@ -9,7 +9,7 @@
     enable = true;
     realm = service_configs.https.domain;
     use-auth-secret = true;
-    static-auth-secret = lib.strings.trim (builtins.readFile ../secrets/coturn_static_auth_secret);
+    static-auth-secret-file = config.age.secrets.coturn-auth-secret.path;
     listening-port = service_configs.ports.public.coturn.port;
     tls-listening-port = service_configs.ports.public.coturn_tls.port;
     no-cli = true;

services/matrix.nix

@@ -21,7 +21,7 @@
       port = [ service_configs.ports.private.matrix.port ];
       server_name = service_configs.https.domain;
       allow_registration = true;
-      registration_token = lib.strings.trim (builtins.readFile ../secrets/matrix_reg_token);
+      registration_token_file = config.age.secrets.matrix-reg-token.path;
 
       new_user_displayname_suffix = "";
 
@@ -37,7 +37,7 @@
       ];
 
       # TURN server config (coturn)
-      turn_secret = config.services.coturn.static-auth-secret;
+      turn_secret_file = config.age.secrets.matrix-turn-secret.path;
       turn_uris = [
         "turn:${service_configs.https.domain}?transport=udp"
         "turn:${service_configs.https.domain}?transport=tcp"

services/p2pool.nix

@@ -4,9 +4,6 @@
   lib,
   ...
 }:
-let
-  walletAddress = lib.strings.trim (builtins.readFile ../secrets/xmrig-wallet);
-in
 {
   imports = [
     (lib.serviceMountWithZpool "p2pool" service_configs.zpool_ssds [
@@ -20,7 +17,7 @@ in
   services.p2pool = {
     enable = true;
     dataDir = service_configs.p2pool.dataDir;
-    walletAddress = walletAddress;
+    walletAddress = service_configs.p2pool.walletAddress;
     sidechain = "nano";
     host = "127.0.0.1";
     rpcPort = service_configs.ports.public.monero_rpc.port;