vaultwarden: move envfile to agenix-rekey

2025-09-01 23:22:58 +01:00
parent d43519fc29
commit b3b46e0c2f
3 changed files with 19 additions and 4 deletions
--- a/hosts/vps1/secrets/vaultwarden-env.age
+++ b/hosts/vps1/secrets/vaultwarden-env.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Ag/fE6bqn8kUPXEmxU7IcEaW4pRp8Ug5Tvj/49d3kN55
+TNVXUZ38JKTWte+31iuyGDy7P4zJkQzYb+g4QVXu1QM
+-> 0S&-grease fn plj(( ShqRnf
+qZ/b2Xf2MA
+--- 4HChQHR3R3I0DwDrx7DNmAa+gMhlzY18s3qyGndAitM
+HØh>Àºp²5<C2B2>vybdN°Xøëki]ø)—!p|ô8HL ßOM{Çòòè—Ü8è³sÑ÷LF‹òjM}¥:ú]ÂûÇ k¹ˆ%$°¼èHÕ÷¥7RúÿŽQµ#å#ñfè*\–X	F4ö.}Ú0Â÷ôäË{åÖƒpto<>,’ŒyTsþM-‹’ÇXéÖ7‘¦HùÑusfa[›#¼Kù}¹ž<0C>:Kû0q™êê<C3AA>B(o#?eG›50ÛÒ¸ÀÆÉ§“PŸ_gC‹F
--- a/hosts/vps1/vaultwarden.nix
+++ b/hosts/vps1/vaultwarden.nix
@@ -1,5 +1,4 @@
 {
-  inputs,
  config,
  lib,
  ...
@@ -12,8 +11,10 @@ let
  domain = "vaultwarden.${baseDomain}";
 in
 {
-  age.secrets."files/services/vaultwarden/envfile" = {
-    file = "${inputs.secrets}/files/services/vaultwarden/envfile.age";
+  age.secrets.vaultwarden-env = {
+    rekeyFile = ./secrets/vaultwarden-env.age;
+    mode = "0440";
+    group = "vaultwarden";
  };

  services.vaultwarden = {
@@ -33,7 +34,7 @@ in
      invitationOrgName = "Vaultwarden";
      domain = "https://${domain}";
    };
-    environmentFile = config.age.secrets."files/services/vaultwarden/envfile".path;
+    environmentFile = config.age.secrets.vaultwarden-env.path;
  };

  services.nginx.virtualHosts = {
--- a/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age
+++ b/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA goXUvK9rMf7kQ+UZ3aXjHxa5HukNU8pNafu5AbnDaT4
+7DrqHf133Y3A3NV/tjW/jMGrim02LZ79EMM2yLNEKR8
+-> }AV-grease VKakg LdQ~#
+aiiVL/zHxATk1wMQ6vFN91tz1hawMBndFzE6Vl/ck6OeL9DS0GswlylbXvuCbg
+--- FNJQXjKg1S56UIcgg5+jsRSbtXKVyHKXgtajpaqvqNs
+¹øi<><69>L§òôÜá|´2\¿g5ŒmCä= ,Âö;€Ðõ <19>’¿µFéáp‹NîÛ