diff --git a/modules/configuration.nix b/modules/configuration.nix
index bf43b2e..e107093 100644
--- a/modules/configuration.nix
+++ b/modules/configuration.nix
@@ -301,14 +301,14 @@ in
 };
 services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
-CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.nextclouddb_pass}';
+CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${age.secrets.nextclouddb.file}';
 CREATE DATABASE "nextclouddb"
 WITH OWNER "ncusr"
 TEMPLATE template0
 LC_COLLATE = "C"
 LC_CTYPE = "C";
-CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.matrix-synapsedb_pass}';
+CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${age.secrets.matrixdb.file}';
 CREATE DATABASE "matrix-synapse"
 WITH OWNER "matrix-synapse"
 TEMPLATE template0
 LC_COLLATE = "C"
@@ -319,7 +319,7 @@ in
 services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
 CREATE DATABASE wordpressdb;
-GRANT ALL ON *.* TO 'wpusr'@'localhost' IDENTIFIED BY '${personalization.wordpressdb_pass}';
+GRANT ALL ON *.* TO 'wpusr'@'localhost' IDENTIFIED BY '${age.secrets.wordpressdb.file}';
 FLUSH PRIVILEGES;
 '' ;
diff --git a/modules/coturn.nix b/modules/coturn.nix
index d6de653..9e55287 100644
--- a/modules/coturn.nix
+++ b/modules/coturn.nix
@@ -35,7 +35,7 @@ let
 services.coturn = {
 enable = true;
 use-auth-secret = true;
-static-auth-secret = "${personalization.turn_shared}";
+static-auth-secret = "${age.secrets.turn.file}";
 realm = personalization.matrix_url;
 cert = "/var/lib/coturn/${personalization.matrix_url}.crt.pem";
 pkey = "/var/lib/coturn/${personalization.matrix_url}.key.pem";
diff --git a/modules/personalization.nix b/modules/personalization.nix
index 3310da5..5f8dfd9 100644
--- a/modules/personalization.nix
+++ b/modules/personalization.nix
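Review bot: `'${age.secrets.nextclouddb.file}'` interpolates the path of the .age file into the SQL, so the `ncusr` role is created with the literal string `/var/lib/agenix-secrets/nextclouddb.age` as its password rather than the decrypted secret; the same defect is in the `matrix-synapse` role in this hunk, the `wpusr` GRANT in the -319 hunk, `static-auth-secret` in coturn.nix, and `turn_shared_secret` / `registration_shared_secret` in synapse.nix. Interpolating an agenix secret into a Nix string only ever yields a path (`.file` is the encrypted source, `.path` the runtime-decrypted location), and anything that does reach `pkgs.writeText` ends up in the world-readable store, which is the problem the removed `builtins.readFile` lines had as well. The init scripts need to read the secret when the service starts, e.g. a `preStart` that substitutes the contents of `config.age.secrets.nextclouddb.path` into a copy of the script under a non-store runtime directory and points `initialScript` at that, or a psql `\set` from a file. For coturn the module already has `services.coturn.static-auth-secret-file`, so `static-auth-secret-file = config.age.secrets.turn.path;` replaces the changed line outright.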
@@ -7,11 +7,13 @@
 btcpayserver_url = builtins.readFile /var/lib/domains/btcpayserver;
 caddy_email_for_zerossl = builtins.readFile /var/lib/domains/sslemail;
 vaultwarden_url = builtins.readFile /var/lib/domains/vaultwarden;
-wordpressdb_pass = builtins.readFile /var/lib/secrets/wordpressdb;
-matrix-synapsedb_pass = builtins.readFile /var/lib/secrets/matrixdb;
-nextclouddb_pass = builtins.readFile /var/lib/secrets/nextclouddb;
-turn_shared = builtins.readFile /var/lib/secrets/turn;
-matrix_reg_secret = builtins.readFile /var/lib/secrets/matrix_reg_secret;
+
+age.secrets.turn.file = /var/lib/agenix-secrets/turn.age;
+age.secrets.matrix_reg_secret.file = /var/lib/agenix-secrets/matrix_reg_secret.age;
+age.secrets.matrixdb.file = /var/lib/agenix-secrets/matrixdb.age;
+age.secrets.nextclouddb.file = /var/lib/agenix-secrets/nextclouddb.age;
+age.secrets.wordpressdb.file = /var/lib/agenix-secrets/wordpressdb.age;
+
 external_ip_secret = builtins.readFile /var/lib/secrets/external_ip;
 }
diff --git a/modules/synapse.nix b/modules/synapse.nix
index 76839ae..9bcb20c 100644
--- a/modules/synapse.nix
+++ b/modules/synapse.nix
@@ -43,7 +43,7 @@ in
 "ff00::/8"
 ];
 url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
-turn_shared_secret = "${personalization.turn_shared}";
+turn_shared_secret = "${age.secrets.turn.file}";
 turn_uris = [
 "turn:${personalization.matrix_url}:5349?transport=udp"
 "turn:${personalization.matrix_url}:5349?transport=tcp"
@@ -52,7 +52,7 @@ in
 ];
 presence.enabled = true;
 enable_registration = false;
-registration_shared_secret = "${personalization.matrix_reg_secret}";
+registration_shared_secret = "${age.secrets.matrix_reg_secret.file}";
 listeners = [
 {
 port = 8008;
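Review bot: The added `age.secrets.*.file` lines sit inside what looks like a plain attribute set (the hunk closes with `}` and its sibling keys are bare `builtins.readFile` values), so here `age` is just another attribute of that set, not the agenix NixOS module option, and the other files' bare `age.secrets...` references presumably resolve through `personalization` or a `with`, which the hunk does not show. If agenix is intended, these belong in a NixOS module (`age.secrets.turn.file = ...;` next to `age.identityPaths`) and consumers should read `config.age.secrets.turn.path`, the decrypted runtime location, not `.file`. The retained `external_ip_secret = builtins.readFile /var/lib/secrets/external_ip;` still reads a secret at evaluation time and copies it into the Nix store, exactly what the removed lines did; if it is sensitive it should be migrated the same way.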
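Review bot: `turn_shared_secret = "${age.secrets.turn.file}";` (and `registration_shared_secret` in the -52 hunk) makes Synapse use the .age file's path as the shared secret, so TURN credentials and admin registration will not match what coturn and clients use. Synapse accepts `registration_shared_secret_path` as a file-based alternative, and `services.matrix-synapse.extraConfigFiles` can point at a YAML file rendered at service start from `config.age.secrets.matrix_reg_secret.path` and `config.age.secrets.turn.path`, keeping both values out of the store-resident `homeserver.yaml`. On the unchanged context line, `url_preview_ip_ranger_whitelist` looks like a typo for Synapse's `url_preview_ip_range_whitelist`; if so the allowlist is silently ignored and is worth correcting alongside this change.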