From b4f4c69c42551e50bd809d758afb1780ce73c9c7 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Fri, 6 Dec 2024 21:17:00 +0000
Subject: [PATCH] feat(nextcloud): switch to age-protected secrets
---
 hosts/architect/nextcloud.nix | 17 ++++++++++++++---
 secrets/nextcloud-admin.age | Bin 0 -> 1501 bytes
 secrets/nextcloud-database.age | 27 +++++++++++++++++++++++++++
 secrets/secrets.nix | 2 ++
 4 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 secrets/nextcloud-admin.age
 create mode 100644 secrets/nextcloud-database.age
diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix
index 4e343e5..61b209f 100644
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@@ -8,6 +8,17 @@ let
 inherit (utilities) architectInterfaceAddress;
 in
 {
+ age.secrets = {
+ nextcloud-admin = {
+ file = ../../secrets/nextcloud-admin.age;
+ owner = "nextcloud";
+ };
+ nextcloud-database = {
+ file = ../../secrets/nextcloud-database.age;
+ owner = "nextcloud";
+ };
+ };
+
 environment.systemPackages = with pkgs; [
 nodejs-18_x
 libtensorflow
@@ -62,14 +73,14 @@ in
 settings = {
 overwriteprotocol = "https";
 };
-
+
 config = {
 dbtype = "mysql";
 dbuser = "nextcloud";
 dbhost = "localhost";
 dbname = "nextcloud";
- dbpassFile = "/secrets/nextcloud/dbpass.txt";
- adminpassFile = "/secrets/nextcloud/dbpass.txt";
+ dbpassFile = config.age.secrets.nextcloud-database.path;
+ adminpassFile = config.age.secrets.nextcloud-admin.path;
 };
 };
 };
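Review bot: Both entries under `age.secrets` in the first hunk set only `owner`, so the mode and group of the decrypted admin and database password files are left to agenix's defaults instead of being stated in this file. Writing them out on each entry, e.g. `mode = "0400";` and `group = "nextcloud";`, keeps the intended permissions visible in review and independent of any later change to those defaults. A short comment such as `# decrypted at activation; consumed by services.nextcloud dbpassFile/adminpassFile` would also tie the two secrets to the lines that read them in the second hunk. The enclosing attribute set starts and ends outside the hunk.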
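Review bot: Pointing `adminpassFile` at `config.age.secrets.nextcloud-admin.path` in the second hunk does not by itself separate the admin password from the database password on a host that is already installed. As far as I know the NixOS module reads `adminpassFile` only during the initial setup run, so the live admin account keeps the value from `/secrets/nextcloud/dbpass.txt`, which the removed lines show was shared with `dbpassFile`. If this instance is already provisioned, the admin password has to be reset by hand to the new secret, and the MySQL `nextcloud` user's password has to match `nextcloud-database.age` or the service will fail to connect. The old plaintext file is not removed by this change; since the value sat unencrypted on disk it is worth rotating and then deleting. A comment above the two lines, e.g. `# adminpassFile is only read on first install; rotate the admin password manually`, would record this.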
diff --git a/secrets/nextcloud-admin.age b/secrets/nextcloud-admin.age new file mode 100644 index 0000000000000000000000000000000000000000..bc9c1ec4a1dd423b8165bb32a634a6a56559e5c6 GIT binary patch literal 1501 zcmXw&OY8J@0fk)$DY)rEDE{5J8U9T&NhX;^ExAmtliTE;l}RSaRIEUvvC(6^;v`L1&n~Ju1za4UTL7~^5zl`JK zbr_=;(+}_M3SC9Jh@u$-`kW-4YNcqEQByAo9ZevjQY(ZKEHr(MGZG$8dXuj8WzLCV zBQcClmJYII`QXP76Fsq3Kbh83dEN!j-iRwbkc5%}#v0g86xvR>Y33l>E38Mgg31zg z<|LGY(tKJYqfERz4a|8T4xA`UI~)my`?WIn4#v3W7Zlp-}4Qkyei z%Y=asaWBA?MUf>mOG^)vWN-BdTvj&h{@Jy=huL^n`aoy4jnG4}bqg#>8C_|ByLcFLf0MEjnLRyjTooZXr0 z)%ERh0@5Qmagr4y)9O{TkmWAzap9#wi#fIez^f*5Zt|C4f4*025743-5hYeHxOxC1<8|+kyk&r5G21kFN_W##R zIyMM7R07eYlT+|^6^&vzL>s*#H8;gVgixC#WEyuY3{=f$lmM4B6MbjX~5gJjKegR{qDpwpPo>w zVr_FX6xn+;tkb8xm=+t66mcyN%V^x1kt=IhU;W%d5Ct#XhEO8iw%SMXDEUZ&D1*|X zMnX5SjrF$p-C)aIDiks@(@F5>n82bS@+_bsdp>cr({2G)nO2cMzska5AFjSSHX1Ne=4-X**R79k_lzH??o!gBQ_h zT+6N{mb(nAM4WiJXby<@DLX(J-LvAU0 z0%@x|cnM-wYI7-hi+}HliGxXD*km-a8j0RjmwF~caf6`O*VmV|*I;74uDlP%sGHzE z)q#|mW5-mzhrztT0R|Hkrlk-_1t0zHtKWWne)sEN{otLS ssh-rsa QXZdow +JFZ512g1V5fHSCDuxPcpFGSSAzI6326lbmmQaepxfPyTzZpK5Qo7WaUeF0dCmwi1 +mwS038cbo57hPnuGapJtrqggiVm8B53rli7xlwFQCydVkxnKPSvcERI8KphEn1K5 +1YGeU6XdqqNyv1NSV9V8A4Y74LMk1H+igWR5sWZnO6sQi7LLAwfL+BsskdwY0ZuW +9TOzkeZtgU5qy9IbN6liouEMliO660q1sb+OxQFP8pVIS3xt9mD2IE4W3hP9aZyF +JHUZPizwF+HvspR8oMV4R7JI4gexBwnMVeu4HVu+ayY2udQvr2DNxQNHM66zClPo +7G67rblH6IfCOrOieqIVvYrbJQuSZip4npnQyXVXzg/wQ6CGu0k4E8wF1xHFYKAO +LGWK8uUxffC1ITEfNMaSs/3AKMuqBsJcDXYYe4yq4lJYxSfwXbu+G6aqOgHYAe7p +LBQgl5Dn19r/7zKRLJTK4eJ0ah8bnWWTU9FcHAJbqKFYK6DW+syqFYinXfwt9AQI +g0w5apgPm/B3PX0wKiabci8c4AZ6n2JVWvI9sJkhcL5t93JS9uBsgxzc3Hv4nu3E +zD1Skp648In+oQ+6xuDmIuEuu8xIhGwU3jhJeIiTZwX54wj35v/gNLU2sH1hK/90 +vyJcZClmpGDsOu/vHeKPSfP29MEzlahA5dZS0DDkt58 +-> ssh-ed25519 7eGqHw AJlmB4Up3Zs4gNdfRRt8zZ5r1M8DcXSdj7B09VUlYCk +Vteh5QnSqhIrXm10zdOjP+Lhm3qwABqGgQFHfrnrjH4 +-> ssh-rsa tO3rGg +VPAsazrTmffI7Y0LOsLwAoeOtz9lnDm3vYTDcFi8DoJcHsXDh2cYib1hET4noWLf 
+gFQiP30rNKTvkBDeThdH5opyZbO9BfDX1IgJo5Fm7yO3LdSWB44fL3Mn8HoMKGkn +d6TKM0ZxDZAkApTMcKHjHlcnWgy5sGxW0pHDnBvCCqsQHqRywcGDZTVhmxshLxQw +giQo3ZI8fzD436bY+rWYJtqWKcOnBLGEiFoWJr9qfLcG2FwB0xLppfX7S6htLQpn +btqafMtA8HgGVkVGC+uADqghPGzO/rN/z571xvZ6F4GyeB1/2RbVX62N4jN8FlPc ++6UWe3kgxM9cOedpwYPqte3gIETWBxlfpspOfVaRv6qMx6ZM1mPsP1qTpQNUabm2 +2Ale/EkLnfYzwXmaiql0/oEuqq7Dp806XP5AcKxZHNUJeZHRdqOUHGCNJzfAO3H4 +uazZGDtZR+pSq0QwEZqp1GoodtzCbBnbko5ZwVYXIXc1gSbwvP6ZW/5HiPEM0jaM + +--- TXLi+4AqW9L3grKPVMBDb75OHyjatQzBxUlI4Xe1eMw + }ccn'ϒFAt5T Ƶ E]x7r|kImŋ%}#=J. \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 5cd11d0..7c5f8d4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,4 +7,6 @@ in { "matrix-synapse.age".publicKeys = pubkeys; "teslamate.age".publicKeys = pubkeys; + "nextcloud-admin.age".publicKeys = pubkeys; + "nextcloud-database.age".publicKeys = pubkeys; }
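Review bot: Both new entries in `secrets/secrets.nix` reuse the shared `pubkeys` list, so every key in that list can decrypt the Nextcloud admin and database passwords. The list is defined outside the hunk, but the recipient stanzas of `nextcloud-database.age` earlier in this patch show at least three recipients (two `ssh-rsa`, one `ssh-ed25519`). If any of them belongs to a machine other than the `architect` host, these two files would be better served by a narrower list holding only that host's key and the operators' keys. A comment next to the entries naming which host consumes them, e.g. `# decrypted on architect only`, would make the intended audience reviewable.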