From b3b46e0c2fd22e67c9446722f51318902c8e38b1 Mon Sep 17 00:00:00 2001 From: Jordan Holt Date: Mon, 1 Sep 2025 23:22:58 +0100 Subject: [PATCH] vaultwarden: move envfile to agenix-rekey --- hosts/vps1/secrets/vaultwarden-env.age | 7 +++++++ hosts/vps1/vaultwarden.nix | 9 +++++---- .../7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age | 7 +++++++ 3 files changed, 19 insertions(+), 4 deletions(-) create mode 100644 hosts/vps1/secrets/vaultwarden-env.age create mode 100644 secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age diff --git a/hosts/vps1/secrets/vaultwarden-env.age b/hosts/vps1/secrets/vaultwarden-env.age new file mode 100644 index 0000000..00b059f --- /dev/null +++ b/hosts/vps1/secrets/vaultwarden-env.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> piv-p256 a1N2XA Ag/fE6bqn8kUPXEmxU7IcEaW4pRp8Ug5Tvj/49d3kN55 +TNVXUZ38JKTWte+31iuyGDy7P4zJkQzYb+g4QVXu1QM +-> 0S&-grease fn plj(( ShqRnf +qZ/b2Xf2MA +--- 4HChQHR3R3I0DwDrx7DNmAa+gMhlzY18s3qyGndAitM +Hh>p5vybdNXki])!p|8HLOM{ 8sLFjM}:]Ǡk%$H7RQ##f*\X F4.}0{փpto,yTsM-X7Husfa [#K} :K0qB(o#?eG50ҸɧP_gCF \ No newline at end of file diff --git a/hosts/vps1/vaultwarden.nix b/hosts/vps1/vaultwarden.nix index 61d5129..caa4e19 100644 --- a/hosts/vps1/vaultwarden.nix +++ b/hosts/vps1/vaultwarden.nix @@ -1,5 +1,4 @@ { - inputs, config, lib, ... @@ -12,8 +11,10 @@ let domain = "vaultwarden.${baseDomain}"; in { - age.secrets."files/services/vaultwarden/envfile" = { - file = "${inputs.secrets}/files/services/vaultwarden/envfile.age"; + age.secrets.vaultwarden-env = { + rekeyFile = ./secrets/vaultwarden-env.age; + mode = "0440"; + group = "vaultwarden"; }; services.vaultwarden = { @@ -33,7 +34,7 @@ in invitationOrgName = "Vaultwarden"; domain = "https://${domain}"; }; - environmentFile = config.age.secrets."files/services/vaultwarden/envfile".path; + environmentFile = config.age.secrets.vaultwarden-env.path; }; services.nginx.virtualHosts = { 
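Review bot: In the `age.secrets.vaultwarden-env` block of hosts/vps1/vaultwarden.nix, `mode = "0440";` together with `group = "vaultwarden";` makes the decrypted env file readable by the whole service group, which looks wider than the service needs. The removed declaration set only `file`, so this read grant is new in this commit. If `services.vaultwarden.environmentFile` is passed to systemd as `EnvironmentFile=` (as the NixOS module appears to do), the service manager reads the file as root before the unit drops privileges, so the agenix defaults (root-owned, `0400`) should be enough. I would drop both lines, or keep them with a why-comment such as `# group-readable because <reason>; this file holds the Vaultwarden service secrets`. The enclosing module attribute set starts and ends outside this hunk.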
diff --git a/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age b/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age new file mode 100644 index 0000000..7cd93b0 --- /dev/null +++ b/secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 lOyIlA goXUvK9rMf7kQ+UZ3aXjHxa5HukNU8pNafu5AbnDaT4 +7DrqHf133Y3A3NV/tjW/jMGrim02LZ79EMM2yLNEKR8 +-> }AV-grease VKakg LdQ~# +aiiVL/zHxATk1wMQ6vFN91tz1hawMBndFzE6Vl/ck6OeL9DS0GswlylbXvuCbg +--- FNJQXjKg1S56UIcgg5+jsRSbtXKVyHKXgtajpaqvqNs +iL|2\g5mC= ,;FpN K;=8Kꞛ%~oL:RjLD/vpsR?~dkp:n[ k?!lbaO,sGWp>@$eN (c]$ڦ"n4G}r#Kݷ #I \ No newline at end of file