vaultwarden: move envfile to agenix-rekey

hosts/vps1/secrets/vaultwarden-env.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 a1N2XA Ag/fE6bqn8kUPXEmxU7IcEaW4pRp8Ug5Tvj/49d3kN55
+TNVXUZ38JKTWte+31iuyGDy7P4zJkQzYb+g4QVXu1QM
+-> 0S&-grease fn plj(( ShqRnf
+qZ/b2Xf2MA
+--- 4HChQHR3R3I0DwDrx7DNmAa+gMhlzY18s3qyGndAitM
+HØh>Àºp²5<C2B2>vybdN°Xøëki]ø)—!p|ô8HL ßOM{Çòòè—Ü8è³sÑ÷LF‹òjM}¥:ú]ÂûÇ k¹ˆ%$°¼èHÕ÷¥7RúÿŽQµ#å#ñfè*\–X	F4ö.}Ú0Â÷ôäË{åÖƒpto<>,’ŒyTsþM-‹’ÇXéÖ7‘¦HùÑusfa[›#¼Kù}¹ž<0C>:Kû0q™êê<C3AA>B(o#?eG›5
0­ÛÒ¸ÀÆɧ“PŸ_gC‹F

hosts/vps1/vaultwarden.nix

@@ -1,5 +1,4 @@
 {
-  inputs,
   config,
   lib,
   ...
@@ -12,8 +11,10 @@ let
   domain = "vaultwarden.${baseDomain}";
 in
 {
-  age.secrets."files/services/vaultwarden/envfile" = {
+  age.secrets.vaultwarden-env = {
-    file = "${inputs.secrets}/files/services/vaultwarden/envfile.age";
+    rekeyFile = ./secrets/vaultwarden-env.age;
+    mode = "0440";
+    group = "vaultwarden";
   };
 
   services.vaultwarden = {
@@ -33,7 +34,7 @@ in
       invitationOrgName = "Vaultwarden";
       domain = "https://${domain}";
     };
-    environmentFile = config.age.secrets."files/services/vaultwarden/envfile".path;
+    environmentFile = config.age.secrets.vaultwarden-env.path;
   };
 
   services.nginx.virtualHosts = {

secrets/rekeyed/vps1/7e6c3b34b489200f3767ae0f1e6a9f42-vaultwarden-env.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lOyIlA goXUvK9rMf7kQ+UZ3aXjHxa5HukNU8pNafu5AbnDaT4
+7DrqHf133Y3A3NV/tjW/jMGrim02LZ79EMM2yLNEKR8
+-> }AV-grease VKakg LdQ~#
+aiiVL/zHxATk1wMQ6vFN91tz1hawMBndFzE6Vl/ck6OeL9DS0GswlylbXvuCbg
+--- FNJQXjKg1S56UIcgg5+jsRSbtXKVyHKXgtajpaqvqNs
+¹øi<><69>L§òôÜá|´2\¿g5ŒmCä= ,Âö;€Ðõ <19>’¿µFéáp‹NîÛ