claude'd better security things

services/bitmagnet.nix

@@ -25,7 +25,7 @@
   };
 
   services.caddy.virtualHosts."bitmagnet.${service_configs.https.domain}".extraConfig = ''
-    ${builtins.readFile ../secrets/caddy_auth}
+    import ${config.age.secrets.caddy_auth.path}
     reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString service_configs.ports.bitmagnet}
   '';
 }

services/caddy.nix

@@ -66,6 +66,12 @@ in
     };
   };
 
+  # Add agenix dependency for caddy service
+  systemd.services.caddy = {
+    after = [ "agenix.service" ];
+    requires = [ "agenix.service" ];
+  };
+
   systemd.tmpfiles.rules = [
     "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
   ];

services/llama-cpp.nix

@@ -37,7 +37,7 @@
   systemd.services.llama-cpp.serviceConfig.DynamicUser = lib.mkForce false;
 
   services.caddy.virtualHosts."llm.${service_configs.https.domain}".extraConfig = ''
-    ${builtins.readFile ../secrets/caddy_auth}
+    import ${config.age.secrets.caddy_auth.path}
     reverse_proxy :${builtins.toString config.services.llama-cpp.port}
   '';
 }

services/matrix.nix

@@ -1,65 +0,0 @@
-{
-  pkgs,
-  config,
-  service_configs,
-  lib,
-  ...
-}:
-{
-  services.matrix-conduit.settings.global.registration_token =
-    builtins.readFile ../secrets/matrix_reg_token;
-
-  services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
-    header /.well-known/matrix/* Content-Type application/json
-    header /.well-known/matrix/* Access-Control-Allow-Origin *
-    respond /.well-known/matrix/server `{"m.server": "${service_configs.https.matrix_hostname}:${service_configs.ports.https}"}`
-    respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.https.matrix_hostname}"},"m.homeserver":{"base_url":"https://${service_configs.https.matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
-  '';
-
-  services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig = ''
-    reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
-  '';
-
-  # Exact duplicate
-  services.caddy.virtualHosts."${service_configs.https.matrix_hostname}:8448".extraConfig =
-    config.services.caddy.virtualHosts."${config.services.matrix-conduit.settings.global.server_name
-    }".extraConfig;
-
-  services.matrix-conduit = {
-    enable = true;
-    package = pkgs.conduwuit;
-
-    settings.global = {
-      port = 6167;
-      server_name = service_configs.https.domain;
-      database_backend = "rocksdb";
-      allow_registration = true;
-
-      new_user_displayname_suffix = "";
-
-      trusted_servers = [
-        "matrix.org"
-        "constellatory.net"
-        "tchncs.de"
-        "envs.net"
-      ];
-
-      # without this, conduit fails to start
-      address = "0.0.0.0";
-    };
-  };
-
-  systemd.tmpfiles.rules = [
-    "Z /var/lib/private/matrix-conduit 0770 conduit conduit"
-  ];
-
-  # for federation
-  networking.firewall.allowedTCPPorts = [
-    8448
-  ];
-
-  # for federation
-  networking.firewall.allowedUDPPorts = [
-    8448
-  ];
-}

services/owntracks.nix

@@ -1,46 +0,0 @@
-{
-  pkgs,
-  service_configs,
-  username,
-  ...
-}:
-let
-  owntracks_pkg = pkgs.owntracks-recorder.overrideAttrs (old: {
-    installPhase = old.installPhase + ''
-      mkdir -p $out/usr/share/ot-recorder
-      cp -R docroot/* $out/usr/share/ot-recorder'';
-  });
-in
-{
-  users.groups.owntracks = { };
-  users.users.owntracks = {
-    isNormalUser = true;
-    group = "owntracks";
-  };
-
-  systemd.services.owntracks = {
-    enable = true;
-    description = "Store and access data published by OwnTracks apps";
-    wantedBy = [ "multi-user.target" ];
-
-    serviceConfig = {
-      User = "owntracks";
-      Group = "owntracks";
-      WorkingDirectory = "${owntracks_pkg}";
-      ExecStart = "${owntracks_pkg}/bin/ot-recorder -S ${service_configs.owntracks.data_dir} --doc-root usr/share/ot-recorder --http-port ${builtins.toString service_configs.ports.owntracks} --port 0";
-    };
-  };
-
-  systemd.tmpfiles.rules = [
-    "Z ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
-  ];
-
-  services.caddy.virtualHosts."owntracks.${service_configs.https.domain}".extraConfig = ''
-    ${builtins.readFile ../secrets/owntracks_caddy_auth}
-    reverse_proxy :${builtins.toString service_configs.ports.owntracks}
-  '';
-
-  users.users.${username}.extraGroups = [
-    "owntracks"
-  ];
-}

services/qbittorrent.nix

@@ -102,7 +102,7 @@
   ];
 
   services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = ''
-    ${builtins.readFile ../secrets/caddy_auth}
+    import ${config.age.secrets.caddy_auth.path}
     reverse_proxy ${service_configs.https.wg_ip}:${builtins.toString config.services.qbittorrent.webuiPort}
   '';
 

services/soulseek.nix

@@ -26,7 +26,7 @@ in
     "skskd_env".text = ''
       #!/bin/sh
       rm -fr ${slskd_env} || true
-      cp ${../secrets/slskd_env} ${slskd_env}
+      cp ${config.age.secrets.slskd_env.path} ${slskd_env}
       chmod 0500 ${slskd_env}
       chown ${config.services.slskd.user}:${config.services.slskd.group} ${slskd_env}
     '';
@@ -67,6 +67,12 @@ in
   users.users.${config.services.jellyfin.user}.extraGroups = [ "music" ];
   users.users.${username}.extraGroups = [ "music" ];
 
+  # Add agenix dependencies for slskd service
+  systemd.services.slskd = {
+    after = [ "agenix.service" ];
+    requires = [ "agenix.service" ];
+  };
+
   systemd.tmpfiles.rules = [
     "Z ${service_configs.music_dir} 0750 ${username} music"
     "Z ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}"

services/wg.nix

@@ -2,13 +2,14 @@
   pkgs,
   service_configs,
   eth_interface,
+  config,
   ...
 }:
 {
   # network namespace that is proxied through mullvad
   vpnNamespaces.wg = {
     enable = true;
-    wireguardConfigFile = ../secrets/wg0.conf;
+    wireguardConfigFile = config.age.secrets.wg0-conf.path;
     accessibleFrom = [
       # "192.168.0.0/24"
     ];
@@ -20,13 +21,15 @@
       "network.target"
       "jellyfin.service"
       "qbittorrent.service"
+      "agenix.service"
     ];
+    requires = [ "agenix.service" ];
     wantedBy = [ "multi-user.target" ];
 
     serviceConfig = {
       Type = "simple";
       ExecStart = pkgs.writeShellScript "jellyfin-monitor-start" ''
-        export JELLYFIN_API_KEY=$(cat ${../secrets/jellyfin-api-key})
+        export JELLYFIN_API_KEY=$(cat ${config.age.secrets.jellyfin-api-key.path})
         exec ${
           pkgs.python3.withPackages (ps: with ps; [ requests ])
         }/bin/python ${./jellyfin-qbittorrent-monitor.py}