Diffstat (limited to 'modules')
-rw-r--r--modules/default.nix2
-rw-r--r--modules/secrets/default.nix24
-rw-r--r--modules/secrets/network/aptos/wireguard_privatekey.agebin0 -> 467 bytes
-rw-r--r--modules/secrets/network/tahoe/wireguard_privatekey.agebin0 -> 616 bytes
-rw-r--r--modules/secrets/rclone/config.ini.agebin0 -> 616 bytes
-rw-r--r--modules/secrets/rclone/gcs_service_account.json.agebin0 -> 2864 bytes
-rw-r--r--modules/secrets/restic/repo-systems.age12
-rw-r--r--modules/secrets/secrets.nix27
-rw-r--r--modules/secrets/traefik/gcp_service_account.json.agebin0 -> 2827 bytes
-rw-r--r--modules/secrets/unifi/unifi-poller.age13
-rw-r--r--modules/services/backup/default.nix7
-rw-r--r--modules/services/rclone/default.nix16
-rw-r--r--modules/services/traefik/default.nix8
-rw-r--r--modules/services/unifi/default.nix10
14 files changed, 92 insertions, 27 deletions
diff --git a/modules/default.nix b/modules/default.nix
index 54aa833..0885f69 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,7 +1,7 @@
 { lib, ... }:
 
 {
-  imports = [ ./hardware ./system ./services ./home ./programs ];
+  imports = [ ./hardware ./system ./services ./home ./programs ./secrets ];
 
   options.my = with lib; {
     user = {
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..e6f3a7b
--- /dev/null
+++ b/modules/secrets/default.nix
@@ -0,0 +1,24 @@
+{ config, inputs, lib, options, ... }:
+
+{
+  imports = [ inputs.agenix.nixosModules.age ];
+
+  config.age = {
+    secrets = let
+      toName = lib.removeSuffix ".age";
+      userExists = u: builtins.hasAttr u config.users.users;
+      # Only set the user if it exists, to avoid warnings
+      userIfExists = u: if userExists u then u else "root";
+      toSecret = name:
+        { owner ? "root", ... }: {
+          file = ./. + "/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+      convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+      secrets = import ./secrets.nix;
+    in lib.mapAttrs' convertSecrets secrets;
+
+    identityPaths = options.age.identityPaths.default
+      ++ [ "/home/fcuny/.ssh/id_ed25519" ];
+  };
+}
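Review bot: `toSecret`'s pattern `{ owner ? "root", ... }:` drops every attribute of a secrets.nix entry except `owner`, and `userIfExists` silently rewrites any owner not present in `config.users.users` to `root`; since the service hunks in this commit remove their explicit `owner = "traefik"` / `owner = "unifi-poller"` and secrets.nix declares nothing but `publicKeys`, every decrypted file now lands as root:root unless a service module sets `age.secrets.<name>.owner` again. A misspelled or not-yet-declared owner degrades to root with no diagnostic, which the daemon only discovers as a permission error at runtime, so consider `owner = lib.mkDefault (if userExists owner then owner else lib.warn "secret ${name}: owner ${owner} is not a declared user, using root" "root");` and passing the other agenix fields through (`{ owner ? "root", group ? "root", mode ? "0400", ... }:` with `inherit group mode;`). Appending `/home/fcuny/.ssh/id_ed25519` to `identityPaths` also turns a user's personal SSH key into a host decryption identity on every machine that imports this module; if that is only meant for the aptos workstation, scope it per host rather than in the shared module.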
diff --git a/modules/secrets/network/aptos/wireguard_privatekey.age b/modules/secrets/network/aptos/wireguard_privatekey.age
new file mode 100644
index 0000000..2f6edf3
--- /dev/null
+++ b/modules/secrets/network/aptos/wireguard_privatekey.age
Binary files differ
diff --git a/modules/secrets/network/tahoe/wireguard_privatekey.age b/modules/secrets/network/tahoe/wireguard_privatekey.age
new file mode 100644
index 0000000..4304cfe
--- /dev/null
+++ b/modules/secrets/network/tahoe/wireguard_privatekey.age
Binary files differ
diff --git a/modules/secrets/rclone/config.ini.age b/modules/secrets/rclone/config.ini.age
new file mode 100644
index 0000000..a017b29
--- /dev/null
+++ b/modules/secrets/rclone/config.ini.age
Binary files differ
diff --git a/modules/secrets/rclone/gcs_service_account.json.age b/modules/secrets/rclone/gcs_service_account.json.age
new file mode 100644
index 0000000..982dd30
--- /dev/null
+++ b/modules/secrets/rclone/gcs_service_account.json.age
Binary files differ
diff --git a/modules/secrets/restic/repo-systems.age b/modules/secrets/restic/repo-systems.age
new file mode 100644
index 0000000..79363e6
--- /dev/null
+++ b/modules/secrets/restic/repo-systems.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 wtownA Rv+TIuyxDf6bsdVH4W1inxwvbTNPAoIfBGDLQvyhaV0
+qZ6JAZq5P0WGdCLJ5scQl+mlOJ3fwkwMtlEEB1wIMlc
+-> ssh-ed25519 +LF+iw TqTfv9yx+6yOExJ151o03d0VsWQ8jm5KQW1XmmYoqlY
+AeXv4e1APSIgoPR7Ty0ysrC/fowp7ACA6+nKqsrFFks
+-> ssh-ed25519 dtgBNg giDZ+PMXQd98UsIrGM4bqSOBWEK071PuVcd326imbB8
+AplnAox8y+b34fC0vlshoh6KCfhJP9LPGyfF4o2cUCo
+-> 6o>-grease )}i\s<hC Qhde N p4=H
+kTdnW/JPzgMexPznHQWhH0hXgwgxCxJCTePD1HYTEeebXic3FL0/CNJ2sjcrl/y+
+5XdlBPc
+--- fn55JPZabkZRlf7DsIw7O46mis6C6fIqx5KEpTyXwak
+H7'\̹_OؙY[& n.LT{"
\ No newline at end of file
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
new file mode 100644
index 0000000..45b1d33
--- /dev/null
+++ b/modules/secrets/secrets.nix
@@ -0,0 +1,27 @@
+let
+  fcuny_aptos =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl";
+  users = [ fcuny_aptos ];
+
+  aptos =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTcPGaiL+/Mwl8JzLHrBwas7QvWPjix4lnaAA1tw+5t";
+  tahoe =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEq1IQRvj2jofCHOO6M28w2SRdgtHU06NJvwAwv/b69F";
+
+  systems = [ aptos tahoe ];
+in {
+  "network/aptos/wireguard_privatekey.age".publicKeys = [ fcuny_aptos aptos ];
+
+  "network/tahoe/wireguard_privatekey.age".publicKeys =
+    [ fcuny_aptos aptos tahoe ];
+
+  "traefik/gcp_service_account.json.age".publicKeys =
+    [ fcuny_aptos aptos tahoe ];
+
+  "unifi/unifi-poller.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+
+  "restic/repo-systems.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+  "rclone/config.ini.age".publicKeys = [ fcuny_aptos aptos tahoe ];
+  "rclone/gcs_service_account.json.age".publicKeys =
+    [ fcuny_aptos aptos tahoe ];
+}
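Review bot: tahoe's WireGuard private key (`"network/tahoe/wireguard_privatekey.age"`) is encrypted to `aptos` as well as `tahoe`, while aptos's key is encrypted only to its own host key and the admin key; a WireGuard private key is only needed on the peer that owns it, so a compromise of aptos would also hand over tahoe's tunnel identity. Unless aptos genuinely has to decrypt it, make the recipient lists symmetric: `"network/tahoe/wireguard_privatekey.age".publicKeys = [ fcuny_aptos tahoe ];`. The `users` and `systems` lists are defined but never referenced; either use them for the shared secrets (`publicKeys = users ++ systems;`) or drop them so the file does not suggest a grouping that is not actually in effect.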
diff --git a/modules/secrets/traefik/gcp_service_account.json.age b/modules/secrets/traefik/gcp_service_account.json.age
new file mode 100644
index 0000000..0f99905
--- /dev/null
+++ b/modules/secrets/traefik/gcp_service_account.json.age
Binary files differ
diff --git a/modules/secrets/unifi/unifi-poller.age b/modules/secrets/unifi/unifi-poller.age
new file mode 100644
index 0000000..bd71926
--- /dev/null
+++ b/modules/secrets/unifi/unifi-poller.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 wtownA 0VcUc7jKvTUSaSN8mj5DavrRh5OOu9tmlESZTZM1vy0
+YLbthCfZpcqKlUj0SKEvaczL1bWepXo6pTpurP4pyRU
+-> ssh-ed25519 +LF+iw L+QyJtlQS7KGsWafQRTSfWbX13pb8Vl0skQsX+yVNjo
+7hhNe1E3ctyLCfYjSHH9RuB220x368Ut312Ql+0E8MM
+-> ssh-ed25519 dtgBNg h0M/tnUsWja+Y+06eBnKJYcLBX5RSRn19B+idfnTtGs
+To6JQ/h7ag1H+xLkC4/tWnWGf0cjvq6NGBPqNeqExAU
+-> #qx-grease ie.h
+gEn12esIeUQ7g/SwgEiw3TH1Mqd3IZ/iyn+OJt16UIIUCi3ox7MgDLyS8ngicmOj
+idBj8DS72toie9iG5rt9IDzV
+--- 9jnTt5KR/MIJfT9s6gLP4cgqFZD2W0UQf4FF8HOBPX4
+n,0cC]KfNYpRnuIj
+_{/k
\ No newline at end of file
diff --git a/modules/services/backup/default.nix b/modules/services/backup/default.nix
index 52378d3..f74b5f9 100644
--- a/modules/services/backup/default.nix
+++ b/modules/services/backup/default.nix
@@ -11,7 +11,7 @@ in {
     };
 
     passwordFile = mkOption {
-      type = types.str;
+      type = types.path;
       example = "/var/lib/restic/password.txt";
       description = "Read the repository's password from this path";
     };
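Review bot: switching `passwordFile` to `types.path` accepts Nix path literals such as `./password.txt`, and such a value is copied into the world-readable `/nix/store` when it is interpolated, exposing the restic repository password to every local user; only an absolute string like the example stays out of the store. Since this option is meant to receive an agenix-decrypted path, either keep `types.str` or extend the description so the trap is documented: `description = "Read the repository's password from this path. Must be an absolute path outside the Nix store (e.g. an agenix secret's path); a Nix path literal would copy the password into the world-readable store.";`. The enclosing `options` block starts before this hunk.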
@@ -70,11 +70,10 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    services.restic.backups = {
+    services.restic.backups.system = {
       # Take care of included and excluded files
       paths = cfg.paths;
-      extraBackupArgs = [ "--verbose=2" ]
-        ++ lib.optional (builtins.length cfg.exclude != 0) excludeArg;
+      extraBackupArgs = [ "--verbose=2" ];
       # Take care of creating the repository if it doesn't exist
       initialize = true;
       inherit (cfg) passwordFile pruneOpts timerConfig repository;
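Review bot: the rewrite drops `excludeArg`, so `cfg.exclude` is no longer forwarded to restic anywhere in this hunk and paths the user listed to exclude will now be backed up, including any caches or key material the exclusions were meant to keep out of the repository. The NixOS restic backup submodule exposes its own `exclude` list, so if `cfg.exclude` is still declared the fix is one line: `inherit (cfg) exclude passwordFile pruneOpts timerConfig repository;`; if the option was removed instead, its declaration and description should go too so the module does not advertise a setting it ignores. The `config = lib.mkIf cfg.enable` block continues past the end of this hunk.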
diff --git a/modules/services/rclone/default.nix b/modules/services/rclone/default.nix
index 1ccf5df..1d32aac 100644
--- a/modules/services/rclone/default.nix
+++ b/modules/services/rclone/default.nix
@@ -1,16 +1,13 @@
 { config, pkgs, lib, ... }:
-let cfg = config.my.services.rclone;
+let
+  cfg = config.my.services.rclone;
+  secrets = config.age.secrets;
 in {
   options.my.services.rclone = with lib; {
     enable = mkEnableOption "rclone backup service";
   };
 
   config = lib.mkIf cfg.enable {
-    age.secrets.rclone-gcs-sa.file =
-      ../../../secrets/rclone/gcs_service_account.json.age;
-
-    age.secrets.rclone-config.file = ../../../secrets/rclone/config.ini.age;
-
     systemd = {
       packages = [ pkgs.rclone ];
       timers.rclone-sync = {
@@ -22,8 +19,11 @@ in {
       services.rclone-sync = {
         description = "synchronize restic repository to GCS";
         serviceConfig = let
-          rcloneOptions =
-            "--config=${config.age.secrets.rclone-config.path} --gcs-service-account-file=${config.age.secrets.rclone-gcs-sa.path} --fast-list --verbose";
+          rcloneOptions = "--config=${
+              secrets."rclone/gcs_service_account.json".path
+            } --gcs-service-account-file=${
+              secrets."rclone/config.ini".path
+            } --fast-list --verbose";
         in {
           Type = "oneshot";
           ExecStart = [
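Review bot: the two secret paths are swapped in `rcloneOptions`: `--config=` now receives `secrets."rclone/gcs_service_account.json".path` and `--gcs-service-account-file=` receives `secrets."rclone/config.ini".path`, the inverse of the removed lines, so rclone will try to parse the service-account JSON as its INI config and feed the INI file to GCS authentication, and the sync fails. Swap them back: `--config=${secrets."rclone/config.ini".path} --gcs-service-account-file=${secrets."rclone/gcs_service_account.json".path}`. Note that both secrets now default to `owner = "root"` through the shared secrets module, which is only fine as long as `rclone-sync` keeps running as root; if a `User=` is ever added, the owner must be set on both.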
diff --git a/modules/services/traefik/default.nix b/modules/services/traefik/default.nix
index d6a8c8c..a5cff3d 100644
--- a/modules/services/traefik/default.nix
+++ b/modules/services/traefik/default.nix
@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.my.services.traefik;
+  secrets = config.age.secrets;
   domainPublic = "fcuny.net";
   domainPrivate = "fcuny.xyz";
   mkServiceConfig = name: url: domain: certResolver: {
@@ -22,11 +23,6 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    age.secrets.traefik_gcp_sa = {
-      file = ../../../secrets/traefik/gcp_service_account.json.age;
-      owner = "traefik";
-    };
-
     services.traefik = {
       enable = true;
 
@@ -94,7 +90,7 @@ in {
     ];
 
     systemd.services.traefik.environment.GCE_SERVICE_ACCOUNT_FILE =
-      config.age.secrets.traefik_gcp_sa.path;
+      secrets."traefik/gcp_service_account.json".path;
     systemd.services.traefik.environment.GCE_PROJECT = "fcuny-homelab";
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
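Review bot: `GCE_SERVICE_ACCOUNT_FILE` now points at `secrets."traefik/gcp_service_account.json".path`, but the earlier hunk in this file removed `owner = "traefik"` and the shared secrets module only sets `owner` from secrets.nix, which declares nothing but `publicKeys`; the file is therefore created with agenix's defaults (root-owned, mode 0400), and unless the traefik unit runs as root the daemon cannot open it and the DNS-01 challenges break. The secrets module wraps the owner in `lib.mkDefault`, so it can be restored here without touching secrets.nix: `age.secrets."traefik/gcp_service_account.json".owner = "traefik";`. The same regression applies to the `unifi-poller` secret whose `owner`/`mode` this commit removes.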
diff --git a/modules/services/unifi/default.nix b/modules/services/unifi/default.nix
index c36860a..ee5ec6d 100644
--- a/modules/services/unifi/default.nix
+++ b/modules/services/unifi/default.nix
@@ -2,6 +2,7 @@
 
 let
   cfg = config.my.services.unifi;
+  secrets = config.age.secrets;
   allowedRules = {
     # https://help.ubnt.com/hc/en-us/articles/218506997
     allowedTCPPorts = [
@@ -33,20 +34,13 @@ in {
       unifiPackage = pkgs.unifiStable;
     };
 
-    age.secrets.unifi-read-only = {
-      file = ../../../secrets/unifi/unifi-poller.age;
-      mode = "0400";
-      owner = "unifi-poller";
-    };
-
     services.unifi-poller = {
       enable = true;
 
       unifi.defaults = {
         url = "https://127.0.0.1:8443";
         user = "unifipoller";
-        pass = config.age.secrets.unifi-read-only.path;
-
+        pass = secrets."unifi/unifi-poller".path;
         verify_ssl = false;
       };