many changes, hopefully 100% pure now

secrets/hidden_service/forgejo

@@ -1,7 +1,13 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
--> ssh-ed25519 OPPxWw EI6x+qUDXzqxQSlCYUbP+7QPZMnjXpltYZtqKGTC0mA
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyAyck1y
-CRKukPnjX7UkoUhvbRqp9R7okrCXSdFOKQ6NqOJOQPM
+VVB6NkJCRm03TEFlZDJlejVXUC8wM1JEVktrNVZweXllV1J3bVZFCjdGZmdaYTNu
--> ssh-ed25519 aO1l/A yYtKmIaqYqE1GtbpZ57LSOvIk3ShAKRxwLhF28+kX04
+QjYyM2F6Y1NuVVpEM0dEYnhzQlpPNUtUeXNJMThiUXIyRTAKLT4gc3NoLWVkMjU1
-G3LaXN/I2MQsibGKQFhaN9fozZc3WTDfduVNpSs8c6c
+MTkgYU8xbC9BIGxTT1E1czg5MUNHWDBZSVFlOXJhbUllaWJBcXBRbDdBN2paSzls
---- l669kOCRaI4AYjSfEnh3ipLsLClXVtsZ7XeCVtYe76A
+aFpmUVkKTFRWOHBKQ1oyaGhBcUJMb0hoY0E0QzVJWnhyMDU1N0JVbngvdzhsaVRn
-S'`–G¡Õhã6mÕ­×ÜÃÝ8Ý&‡Õë#rŠÔå%‡ì@ïòwŽ`oÉ"ƒBÑXeœ¸gN fŒÞPÉd!ÉÞÝ¥©‚Cý½È@Ç<Ypž<70>Có˜Úðˆ3›ýAû/sê"§²¯RÓ<52>¢êwP±ÉJgÔewÇ7®T'# Mÿ`
+SQotPiB7LWdyZWFzZQpJZmFVS3RuRnVoaytGNTJ6WEhyY3F4R2xzUldzY2RwcitY
+NE5CSlM3Tjl1bk9Zek81UE5QN1U0dWcyYXE5elZJCndnCi0tLSBpZjdqVE9md25y
+NU8wbWthSGF3WW1zUitUS1lHV3R6S1M0endKVGVFMmFNClu7vY4vYnmMwdE8G8mj
+oWlGFTWrbKCDb+FWCdcRn8rcMlBiXSoxQ1bV6vqBl4dBnyNxxgnwxqP+axCzFSTf
+9K3tFVMIfIck1/j4GDe6V81bATCT4ZEfTgAiEppXA9jCzR2MULdNmqnZTUV9M/d6
+4lyHd3PEzKimsIMgOWJ9Ds7c
+-----END AGE ENCRYPTED FILE-----

secrets/hidden_service/lldap

@@ -1,7 +1,14 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
--> ssh-ed25519 OPPxWw uTCw+F+4qeg9cwzmqutlo73TKh+3gHLlKiNnGtH0pBg
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBJempn
-/z43V3RLple7a9DQryhGlIuyr4zEkb1VeiP5a/Wj1uE
+ZG8rcUt1Q3JlTm5qV2RheHpkL25LdTFCZkVkaWlwRjRPbzhjMHpnCmMwSVBMeXls
--> ssh-ed25519 aO1l/A 6taX73uwY+2dvd4urZsYuzdz+nCeT1esrgwVK061/Hc
+Rlh1cnorUHdQaCtMUXlGQlovZ3FYWWV4T1JEcEo5bHVzaWcKLT4gc3NoLWVkMjU1
-hijoJqXSWN2yWwm8wJAzn0rxYFVKboov6auJMWJiQoE
+MTkgYU8xbC9BIDcxL1dQampPaytxZU1SZ2JBNXE3VVZ1QXhvVTZaZW5jK25hOGcv
---- on7Z0/l1J9q8zvDBrcLV4vDvfuSpEIuuAAOaMCywwF8
+MTJHQmsKd2ozSVVnVzBZVVphNjRFdVRkVHlzSDYreUFUWS9mWWsxak1weEo3QzlQ
-k×hÔ<EFBFBD>LJ‚8rs°¸1â/}9gîÁSÎ<53>-ˆ€ûîë™—ºÐzUÿ/é$àõlH¢¬
Ytq¤•ª`C25Ÿ‘U‘Í ØtK	>dq¥qp‹ëÒn¼åyxí"4§DÝ~"ÚƒeLAãq¬ÍzW°¤	<09>%V}âk<C3A2>âŸS.™ê²ô
+QQotPiB2b3R0dH05XC1ncmVhc2UgXnA7USByIyxWCm1LcGZyNnlVNW5IRE1iZHds
+RUpsNytsWHo3dDZ4TnA3b2pWS29ITHJBdzBJNFdGSS9obzFzNEJWRm93NXo5eEUK
+Wm5reUZBMG5YdnJDYSswMWpZelpGTjVRUllIbU5QMzZPZW1EZmhVcXQ5YXgKLS0t
+IFpaOWIxdFcwTVcwSGhQeHAyLzZjRUlNSm9yTkVYY0RNaWxWdXdVakhPQzAKM0rz
+5LPzYYJWhkfR5swizeoTsgQ2RFztCCQjbehBAdjjy8a3FS7YNSNXDbl4vHPscM1D
++XyoKyAZFoSVF0bda9FPpSVUH6+rxddh42mZPW45DiPO/ukMyx415dJjAtQipwxk
+RnZ2pT2GLTQ+HVPDGEefWTzjUxH5dOt3awRJEto=
+-----END AGE ENCRYPTED FILE-----

secrets/hidden_service/microbin

@@ -1,7 +1,13 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
--> ssh-ed25519 OPPxWw iecDZG4hirn38+rgldEWI2+8/8rq71uWNT+SHlfAiDY
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBRclQ5
-qx6clYF4hxRBJYYu0KKB7hRfPZwCbHcQpjLL941Z83c
+QXg1NlNOUEkvZkFFd1BCNHZ4M3B2bmtiNEVpNkgwM3B3WU13SEVJClFpR0E3Ty90
--> ssh-ed25519 aO1l/A l5cKreKOle24HArdayk83bPWXfXsRJ+Ra+hQJ/wIbxg
+VjRTbTB2V2dxT1lPN0diREVBcXVGOWh4azdBNGpmNlpVZFkKLT4gc3NoLWVkMjU1
-so31JolmVJl3EFNBMY0+iFnt68e8IE21hPgywlgKEIA
+MTkgYU8xbC9BIE1yYkFuSFV0L3U3elJ6cEhFRWJlYUNRUkk3bGUvRlNKdG54alJr
---- hde73O1LCWGqO/2nrIg8SefxAzPp8ZY1lJFzEOCkNEs
+bDRXV1kKa0JmN3pJVys4TElvNHdvM1I4S2FaRDNiRStnbnhFQURIS3BDNzd6ZWRT
-9Q<02>•›Ú~=÷—{XCϧq†ŽÅÎÇÅ
²$4ü§N¢lkhë˜Ë	©õáÆïŒÜö‡5W³…5bäQk†”jŠÛº2„q¬‘½/}õ<>B<EFBFBD>%Ô+u<>wçŽ6
È-èõ0_;ÂÞ3Êãn¼£ÛdŠ\l—ØÑÄ÷÷> чÉC*¥
+MAotPiBSbC1ncmVhc2UgVD13UW4KOG1COUJ5UTA2bnpaOFpQWnJQNFNKVktLN3V2
+Y3ljaFVRNGwrakswcWhjdDZQUXBSdjA1NTBvZzhrV2dVZ0YvcApOMmU5Ci0tLSBv
+Y1gxSGRyU0JhNEV6RUpxTUJyZjRibEwrSjRzQ3BTYUU1OGpwa2RHQm8wCmL6Q80l
+OQmbq0bY2VRYSg8pPhonpz5YWk0LtUwJEvjBeBvCC6wGEV9S66m/cqjzgQo82fbf
+Ig72HM0gukgAbTRlchamCMm6TGPG8idpNFH82xj4o4t/9zGaMd0IEGJkVofEwJ+K
+SvDbd1f3MBdAJdeOmNl4XEWgKo3SNfVqIxtm
+-----END AGE ENCRYPTED FILE-----

secrets/hidden_service/vaultwarden

@@ -1,7 +1,13 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
--> ssh-ed25519 OPPxWw yYJgjjH8GaBc+bDIPHIyyG5tBqDjIe7P/9gNhnNcCGw
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyArMUcr
-SomRbtpu4TqEa16yGBImEXWKNIUGNs5RIw1AT2YrEQg
+U0U5Qk81RFBxNElGZFp0Z2hmZkZXY0w4bEM1dkhhdmhBNElYWVdnCkRudm5ONm9E
--> ssh-ed25519 aO1l/A 1qypu4ZiyZTqEEVEo9Rj8BO3SlPgoPHzn5gMA8SaajU
+c3lxSXhteHZwUGc0aFNvR2NrV2pWdFZLcmV1dVYrSEJqWjAKLT4gc3NoLWVkMjU1
-zPPbrM6mWhhtAuU/3h8/ess31XjHf4kct9HRslv/pwM
+MTkgYU8xbC9BIEpPWURndjBRSUYrQjlqVWR1eTlQcG9ldXlQY0NITi9iVktSMVlE
---- rF+OjMZvtrB5BSHs89xn8i+UitXqqmmDf+UFliwOxgI
+SmxlQmcKbjUrUTcxNzJnL3ducjJmWlNrQzAvdW9RVWtVNGxTWHhSQWFRdS9xZ1NY
-ô)Ý<>BZ׫JÐB1dφ<C38F>CÀF¯ÖI'¸º ü„&nb`éöi<C3B6>ùêï…¢<E280A6>^)@Q¤uÍŠ0þ‹'°–´¸f<C2B8>‡àò8¨gé¶ý0ÏgIAÈ<07>¸Ø°4Ë›£÷<C2A3>å}Ë uíþYÕ›ÙÔv,}<7D>jC§5<C2A7>ÂÔ®‹
+MAotPiAvcmheLWdyZWFzZSBYQUF4XUFuSgplNmRGclRWZFpZT0h5aE0rcGdZam0v
+dnl1VXZvZHJBNTJETWVxVEQ1Z2trTmIwN2krMDJRMFRmMk1DYjViOE4xCjBESE1N
+OExzTGxWc0lCaGw4Nk1xCi0tLSArdWx6c1QzTjdsbmF4Z2k5N2dTVGl3QXZneTZn
+R0NYQUxsSXpRL042ZmRVCuA+WqySyT1dVc48In1Lb8U9CKs91CR1Sg5kr6uy9lY/
+ZbcElyNb+1OKtFxvibUkr0ATRhvtszTMUBy7pQnZxSAk2R2T276t3rTMZnou62+g
+9wIKULSqCqSTFiibOUYkVWKSp6fZkO8aQZaPLe/tbZXuJnS8XmRL9IRhrkalfzlw
+-----END AGE ENCRYPTED FILE-----

secrets/nextcloud-admin-pass

@@ -1,7 +1,11 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
--> ssh-ed25519 OPPxWw j1t4iDbd4Vi+cbtcpysshdhjZkXxw3z9Pt3qsfdxeVE
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBldVpP
-TfYpAStRQENusrVFzX2K1W5SlAKFum7izz6OuZ8BNw0
+c3dtRkp0SHdYdklIeFVBY25TSXJNZEUrTDFTa2g5eXFIRDF2YTNjCmo3RVYzTFVo
--> ssh-ed25519 aO1l/A Gzmig1OCbFrgMB/lBGnlt6ja+9RQGvr7Fvx0dunuhjY
+REFVQUVNNWVFc2x1eFR3QXNEMkhBa3lLY0E0Z2VHUkIrTmMKLT4gc3NoLWVkMjU1
-XnlgWGq/5x8GXlpc5E0vg/SahlQ1xQHkGs6T5XNtPhQ
+MTkgYU8xbC9BIE1aQ3pIVHFhR01nNjFlRlltbmRlSjluVGt2YlQ1NjFoWndNN2Mz
---- sVqR0QBMPSv3pfDQa9xbrWy0+wgvOB/AOVPdPC6fdmI
+a2V1QU0KakVBNEJmR0tnUytZcks0Z2hNcjE5Q3JhdnhnQ3N2Z2ZSZWxxem9wc3JX
-íË•dNUf¥€š ò–¤±¼I/z )Ô蜘{±<>ð†¥Ïq
+SQotPiBvOnskLDNjLWdyZWFzZSA5JEc4VE4gOkwqayJ8LyA8cW8gLDgvCm4zSS82
+ZHpNV1Y3aWtLaHNFQQotLS0gUXBBL1I2TU9sdlY0T1prL0tVSjVmblNSZEJZRlA0
+anhGd1k2UnRSZzVyRQqBRICQ8Gh1EN2BTOjAQpWcgLeUOzkAr/hIDnOQVxxsJUCi
+UzA=
+-----END AGE ENCRYPTED FILE-----

secrets/prosody.env

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBoVmdv
+cUd4cTkzd2l3ZldNYUEvd2szMHB1OWc2Ri9iZ1ZBYmdrMUNvY0VFCldiWXlQR3or
+SkxGUkpJV3hVa3dQQ3Y4aHVZNnFvMUc2WDF3TTI0ZlBvNE0KLT4gc3NoLWVkMjU1
+MTkgYU8xbC9BIFpNNXZFL3BGUktpcFNuK1ZncFFzVU5TOGxBVGFCREhuV254NDJl
+UStFWFkKV0pYUCs5a1cwZ0lFVnQwYWxuSWRUOTdkbFVXRVJFS2EyV0lNcWpUTFBH
+dwotPiA/YVg7US1ncmVhc2UgMyA0cSkwMT9eCnhraGV1TGpvSUt3cmlpa2hQK0Fr
+c0tJaHNUSU8yZGcrZkFGSGkxZitWdXNFcHltcVNyTldhS2cKLS0tIFhUV0VTVVdv
+RThrbEtoa2hhclZUR2RtdE9zZlNuTWhvUS84eWZvMk91M0kK1H/r33EJ/8dbaEnA
+QEX1qV/QUfMNhyvMB77UV99qs7REvL7bwM/wryqa7F3gk6Iw+qQFtSLSnWSzW2l2
+7HNj5goQ
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -9,6 +9,7 @@ let
 in {
   "bind_pw".publicKeys = all;
   "nextcloud-admin-pass".publicKeys = all;
+  "prosody.env".publicKeys = all;
   "vaultwarden.env".publicKeys = all;
 
   "hidden_service/akkoma".publicKeys = all;

secrets/vaultwarden.env

@@ -1,7 +1,11 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
--> ssh-ed25519 OPPxWw 61YZPCkKWrN9HtuXp3Pp8FPn5ZHSMS+Uwj11jAo08lI
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9QUHhXdyBSb2kr
-Jf5ZST19jmOEo03+9n+5TWdoY9zP7p82/a/7uYWLl5s
+QkY5NkJmOTczWFJReDZYYUhTNG1ZdWsvYXhhcDBzcVphZ2V3d24wClFWZVl0NjA2
--> ssh-ed25519 aO1l/A RoOPm2ZU1FnqdSMXN7u6DCFmdm0uBrvC5iD448oJOW0
+QXBRSDljZEFEOFZ4RDRaRi80RVh3VmZWQko1cXJjdDhZbnMKLT4gc3NoLWVkMjU1
-TRSOf1Rb267GKvcpri3UVxk1dfDTT3uscvrG5kUOKy8
+MTkgYU8xbC9BIHFEeVlCaGxjWHQ4UkpHUlcrMEc1dmRLNXB2cDVYWFp4dWNpdnFa
---- u6D/Na2naOy7BiTcW1P9U01cb1O0QMWruExMpCevxG8
+UjloM00KVUlhc0VYVFpLTlFvQVpBZ2VtdlozeGVKM2RTMmdiaTdmUTdiQ1A2KzYw
-§]ì çÕd­Pî—Ÿ<E28094>×;ùŸ’°@»þ”’pÁß혂vÑìÃìç1çm©y¥íYñ—ÑS\	´**ÝàCΆêg®ïÉýìçýbÊÒ’ûñ	<09>teª’ýk¾#õÊÆßħ'(Ü<EFBFBD>æ˜öñ	
+TQotPiBwIV0tZ3JlYXNlIDozRiA1KnxSdwplQQotLS0geW9sOHBiVlQ2ck50R3lQ
+T1U0M3k0K0lJVnJMWkYzcWROUDhvVUEvQWk4awr9RgWpAJ3q1gB4FmrukNJ1XTRG
+q1Dpa6WxaY8lhOmXg0JIVxcp59zHTTZmSL5bisx5F0OtGDxnXcB3ssNbcvIqSx2c
+/pZzFkrTk/HQjmK0kzC/QoxOEwMTCD3hdimyWJUxXq868WrigoSRWerQ
+-----END AGE ENCRYPTED FILE-----

services/mailserver.nix

@@ -1,4 +1,6 @@
 {config, ...}: {
+  age.secrets."bind_pw".file = ../secrets/bind_pw;
+
   mailserver = {
     stateVersion = 3;
     enable = true;

services/prosody.nix

@@ -3,7 +3,7 @@
   config,
   ...
 }: {
-  age.secrets."bind_pw".file = ../secrets/bind_pw;
+  age.secrets."prosody.env".file = ../secrets/prosody.env;
 
   services = {
     prosody = {
@@ -30,7 +30,7 @@
         ldap_base = "ou=people,dc=distrust,dc=network"
         ldap_server = "localhost:3890"
         ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
-        ldap_password = "${builtins.readFile config.age.secrets."bind_pw".path}"
+        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
       '';
     };
     caddy.virtualHosts."distrust.network".extraConfig = ''
@@ -72,9 +72,6 @@
   networking.firewall.allowedTCPPorts = [5222 5269 5281 5000];
 
   systemd.services.caddy.serviceConfig.SupplementaryGroups = ["acme"];
-  systemd.services.prosody = {
+  systemd.services.prosody.serviceConfig.SupplementaryGroups = ["acme"];
-    #  requires = [ "acme-order-renew-chat.distrust.network.service" ];
+  systemd.services.prosody.serviceConfig.EnvironmentFile = config.age.secrets."prosody.env".path;
-    #  after = [ "acme-order-renew-chat.distrust.network.service" ];
-    serviceConfig.SupplementaryGroups = ["acme"];
-  };
 }

system/configuration.nix

@@ -1,7 +1,7 @@
 {pkgs, ...}: let
   updateScript = pkgs.writeShellScriptBin "rebuild" ''
     #!/bin/sh
-    nixos-rebuild switch --flake /etc/nixos#distrust --impure
+    nixos-rebuild switch --flake git+https://git.distrust.network/root/flake#distrust
   '';
   tor-hostname = import ../helpers/tor-hostname.nix {inherit pkgs;};
 in {