Commit 6dd3a417b475

Vincent Demeester <vincent@sbr.pm>
2025-11-23 11:36:34
feat(systems/rhea): Integrate agenix for Traefik secrets and simplify domains
- Manage Gandi API key securely via agenix instead of plain file - Simplify domain names to {service}.sbr.pm format - Add t.sbr.pm shortcut for transmission access Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent d5596e2
Changed files (3)
secrets/rhea/gandi.env.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 ItIHHA A0Ax99/9UW3796qOw+XSP8LIqI+vfIGrI7EP9fOCVpM2
+Me0lR642s5xNJOUwK0KH6MfyeubbXzYDFOHLUQH5nGg
+-> piv-p256 ViCCtQ AvZBUHt5bRDsc8gcid3cl/it/TnedBqfbllp+vUnn9pf
+WobvFzKpZTdWWQ+t+ca0PWAUJLdZxZNuB39fvRu2YIk
+-> ssh-ed25519 EboMJg 3L5nvj8TL4X6yEFIBd6ZJqPEdG3kAem9XJDicDFbRz8
+OEe20ucrs+Twe3wPZNZjh37WoL4esbSCkWoqmUS3avo
+--- EVUEG2OxJTrMTMD6aoZCG0GmGjk1HNEQIwvWSQ3cp1Y
+ol��~��/�������L��:l
T`^�k�Ae�&9'��3'vC�����a�_)d���{�
����aN�A���
\ No newline at end of file
systems/rhea/extra.nix
@@ -3,6 +3,7 @@
   globals,
   lib,
   pkgs,
+  config,
   ...
 }:
 let
@@ -11,7 +12,7 @@ let
     http = {
       routers = {
         jellyfin = {
-          rule = "Host(`jellyfin.rhea.sbr.pm`)";
+          rule = "Host(`jellyfin.sbr.pm`)";
           service = "jellyfin";
           entryPoints = [ "websecure" ];
           tls = {
@@ -19,7 +20,7 @@ let
           };
         };
         jellyseerr = {
-          rule = "Host(`jellyseerr.rhea.sbr.pm`)";
+          rule = "Host(`jellyseerr.sbr.pm`)";
           service = "jellyseerr";
           entryPoints = [ "websecure" ];
           tls = {
@@ -27,7 +28,7 @@ let
           };
         };
         sonarr = {
-          rule = "Host(`sonarr.rhea.sbr.pm`)";
+          rule = "Host(`sonarr.sbr.pm`)";
           service = "sonarr";
           entryPoints = [ "websecure" ];
           tls = {
@@ -35,7 +36,7 @@ let
           };
         };
         radarr = {
-          rule = "Host(`radarr.rhea.sbr.pm`)";
+          rule = "Host(`radarr.sbr.pm`)";
           service = "radarr";
           entryPoints = [ "websecure" ];
           tls = {
@@ -43,7 +44,7 @@ let
           };
         };
         lidarr = {
-          rule = "Host(`lidarr.rhea.sbr.pm`)";
+          rule = "Host(`lidarr.sbr.pm`)";
           service = "lidarr";
           entryPoints = [ "websecure" ];
           tls = {
@@ -51,7 +52,7 @@ let
           };
         };
         bazarr = {
-          rule = "Host(`bazarr.rhea.sbr.pm`)";
+          rule = "Host(`bazarr.sbr.pm`)";
           service = "bazarr";
           entryPoints = [ "websecure" ];
           tls = {
@@ -59,7 +60,7 @@ let
           };
         };
         transmission = {
-          rule = "Host(`transmission.rhea.sbr.pm`)";
+          rule = "Host(`transmission.sbr.pm`) || Host(`t.sbr.pm`)";
           service = "transmission";
           entryPoints = [ "websecure" ];
           tls = {
@@ -122,6 +123,13 @@ let
   };
 in
 {
+  age.secrets."gandi.env" = {
+    file = ../../secrets/rhea/gandi.env.age;
+    mode = "400";
+    owner = "traefik";
+    group = "traefik";
+  };
+
   users.users.vincent.linger = true;
 
   services = {
@@ -356,11 +364,9 @@ in
     443
   ];
 
-  # Environment file for Gandi API key
-  # You'll need to create /var/lib/traefik/gandi.env with:
-  # GANDIV5_API_KEY=your_api_key_here
+  # Environment file for Gandi API key (managed by agenix)
   systemd.services.traefik.serviceConfig = {
-    EnvironmentFile = "/var/lib/traefik/gandi.env";
+    EnvironmentFile = config.age.secrets."gandi.env".path;
   };
 
   environment.systemPackages = with pkgs; [
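Review bot: The rewritten comment above `systemd.services.traefik.serviceConfig` no longer names the variable the decrypted file must define, so whoever re-encrypts `secrets/rhea/gandi.env.age` has to look up the Traefik Gandi provider to find it; keep it in the comment, e.g. `# Environment file for Gandi API key (managed by agenix); the decrypted file must contain GANDIV5_API_KEY=<key>`. Pointing `EnvironmentFile` at `config.age.secrets."gandi.env".path` does not remove the old plaintext `/var/lib/traefik/gandi.env` from a host that already has it, so if that file exists it should be deleted during the rollout and, since the key sat unencrypted on disk, rotating the API key at the same time is prudent. Re-encrypting the secret later will presumably not restart traefik on its own, because the unit's `EnvironmentFile` string stays constant across generations; a restart (or a `restartTriggers` entry) after changing the secret is needed — confirm against your deployment flow. The enclosing attribute set continues past the end of the hunk.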
secrets.nix
@@ -12,6 +12,7 @@ let
   athena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/4KRP1rzOwyA2zP1Nf1WlLRHqAGutLtOHYWfH732xh"; # ssh-keyscan -q -t ed25519 athena.sbr.pm
   demeter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqQfEyHyjIGglayB9FtCqL7bnYfNSQlBXks2IuyCPmd"; # ssh-keyscan -q -t ed25519 demeter.sbr.pm
   kerkouane = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJguVoQYObRLyNxELFc3ai2yDJ25+naiM3tKrBGuxwwA"; # ssh-keyscan -q -t ed25519 kerkouane.sbr.pm
+  rhea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFH3Lk4bRgNyFRK/Hzg1PvVbL/dpyI1SmLJFkb6VQDw"; # ssh-keyscan -q -t ed25519 rhea.sbr.pm
   sakhalin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/PMBThi4DhgZR8VywbRDzzMVh2Qp3T6NJAcPubfXz6"; # ssh-keyscan -q -t ed25519 sakhalin.sbr.pm
   shikoku = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH18c6kcorVbK2TwCgdewL6nQf29Cd5BVTeq8nRYUigm"; # ssh-keyscan -q -t ed25519 shikoku.sbr.pm
   # wakasu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrAh07USjRnAdS3mMNGdKee1KumjYDLzgXaiZ5LYi2D"; # ssh-keyscan -q -t ed25519 wakasu.sbr.pm
@@ -27,6 +28,7 @@ let
     athena
     demeter
     kerkouane
+    rhea
     sakhalin
     shikoku
   ];
@@ -90,4 +92,5 @@ in
   # Others
   "secrets/minica.pem.age".publicKeys = users ++ systems;
   "secrets/shikoku/aria2rpcsecret.age".publicKeys = users ++ [ shikoku ];
+  "secrets/rhea/gandi.env.age".publicKeys = users ++ [ rhea ];
 }
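Review bot: Adding `rhea` to the `systems` list in the second hunk grants more than the new `gandi.env.age` entry needs: every secret whose recipients are `users ++ systems`, such as `secrets/minica.pem.age` a few lines above, will also be encrypted to rhea's host key on the next rekey, while the gandi entry itself already scopes access with `users ++ [ rhea ]`. If rhea does not need those shared secrets, leave it out of `systems` so each recipient list stays minimal. The new `rhea` key is annotated as obtained via `ssh-keyscan`, which is a trust-on-first-use fetch over the network; confirming it against `/etc/ssh/ssh_host_ed25519_key.pub` on the host before using it as an encryption recipient, and noting that in the comment (e.g. `# verified against /etc/ssh/ssh_host_ed25519_key.pub on rhea`), would help future readers. The `let` binding that holds these keys starts outside the hunk.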