claude'd better security things

2025-10-17 19:35:58 -04:00
parent 9e35448f04
commit f9515dd160
34 changed files with 327 additions and 144 deletions
--- a/services/wg.nix
+++ b/services/wg.nix
@@ -2,13 +2,14 @@
  pkgs,
  service_configs,
  eth_interface,
+  config,
  ...
 }:
 {
  # network namespace that is proxied through mullvad
  vpnNamespaces.wg = {
    enable = true;
-    wireguardConfigFile = ../secrets/wg0.conf;
+    wireguardConfigFile = config.age.secrets.wg0-conf.path;
    accessibleFrom = [
      # "192.168.0.0/24"
    ];
@@ -20,13 +21,15 @@
      "network.target"
      "jellyfin.service"
      "qbittorrent.service"
+      "agenix.service"
    ];
+    requires = [ "agenix.service" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      ExecStart = pkgs.writeShellScript "jellyfin-monitor-start" ''
-        export JELLYFIN_API_KEY=$(cat ${../secrets/jellyfin-api-key})
+        export JELLYFIN_API_KEY=$(cat ${config.age.secrets.jellyfin-api-key.path})
        exec ${
          pkgs.python3.withPackages (ps: with ps; [ requests ])
        }/bin/python ${./jellyfin-qbittorrent-monitor.py}