Revert "feat(nixos-server): Switch from agenix to opnix"

This reverts commit 646bfdb.

flake.nix

@@ -5,10 +5,6 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     catppuccin.url = "github:catppuccin/nix";
     tokyonight.url = "github:mrjones2014/tokyonight.nix";
-    opnix = {
-      url = "github:mrjones2014/opnix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
     wezterm-nightly = {
       url = "github:wez/wezterm?dir=nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -29,9 +25,13 @@
       url = "github:1Password/shell-plugins";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = inputs@{ self, nixpkgs, home-manager, opnix, ... }: {
+  outputs = inputs@{ self, nixpkgs, home-manager, agenix, ... }: {
     nixosConfigurations = {
       server = nixpkgs.lib.nixosSystem {
         specialArgs = {
@@ -43,7 +43,11 @@
         system = "x86_64-linux";
         modules = [
           home-manager.nixosModules.home-manager
-          opnix.nixosModules.default
+          agenix.nixosModules.default
+          {
+            environment.systemPackages =
+              [ agenix.packages.x86_64-linux.default ];
+          }
           ./nixos-modules/common.nix
           ./hosts/server
           {

hosts/server/default.nix

@@ -1,4 +1,4 @@
-{ inputs, lib, ... }: {
+{ inputs, ... }: {
   # This option defines the first version of NixOS you have installed on this particular machine,
   # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
   #
@@ -21,12 +21,9 @@
   environment.systemPackages =
     [ inputs.wezterm-nightly.packages.x86_64-linux.default ];
 
-  nixpkgs.config.allowUnfreePredicate = pkg:
-    builtins.elem (lib.getName pkg) [ "1password-cli" ];
-  opnix.environmentFile = "/etc/opnix.env";
-
   imports = [
     ./hardware-configuration.nix
+    ./secrets.nix
     ./ollama.nix
     ./content.nix
     ./nas.nix

hosts/server/deluge.nix

@@ -1,30 +1,16 @@
-let configDir = "/var/lib/delugevpn";
+{ config, ... }:
+let
+  configDir = "/var/lib/delugevpn";
+  wireguardConfigPath = config.age.secrets.mullvad_wireguard.path;
 in {
-  opnix = {
-    secrets.mullvad_wireguard_conf = {
-      source = ''
-        [Interface]
-        # Device: Clever Ibex
-        PrivateKey = {{ op://nixos-server/Mullvad VPN Private Key/Private Key }}
-        Address = 10.64.35.106/32,fc00:bbbb:bbbb:bb01::1:2369/128
-        DNS = 10.64.0.1
-        PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
-        PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
-
-        [Peer]
-        PublicKey = IzqkjVCdJYC1AShILfzebchTlKCqVCt/SMEXolaS3Uc=
-        AllowedIPs = 0.0.0.0/0,::0/0
-        Endpoint = 143.244.47.65:51820
-      '';
-      path = "${configDir}/wireguard/mullvad_wireguard.conf";
-    };
-    systemdWantedBy = [ "podman-delugevpn" ];
-  };
 
   systemd.tmpfiles.rules = [
     "d ${configDir} 055 delugevpn delugevpn - -"
     "d ${configDir}/wireguard 055 delugevpn delugevpn - -"
   ];
+  system.activationScripts.copyWireguardConfigIntoContainer.text = ''
+    mkdir -p ${configDir}/wireguard && cp ${wireguardConfigPath} ${configDir}/wireguard/mullvad_wireguard.conf
+  '';
   networking.firewall = {
     allowedTCPPorts = [ 8112 8118 58846 58946 ];
     allowedUDPPorts = [ 8112 8118 58846 58946 ];

hosts/server/homepage.nix

@@ -1,20 +1,8 @@
 { config, ... }: {
-  opnix = {
-    secrets.homepage_env_file.source = ''
-      HOMEPAGE_VAR_NEXTDNS_API_KEY="{{ op://nixos-server/NextDNS/API Key }}"
-      HOMEPAGE_VAR_JELLYSEERR_API_KEY="{{ op://nixos-server/Jellyfin/Jellyseerr API Key }}"
-      HOMEPAGE_VAR_JELLYFIN_API_KEY="{{ op://nixos-server/Jellyfin/Jellyfin API Key }}"
-      HOMEPAGE_VAR_DELUGE_PASSWORD="{{ op://nixos-server/Deluge/password }}"
-      HOMEPAGE_VAR_SONARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Sonarr API Key }}"
-      HOMEPAGE_VAR_RADARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Radarr API Key }}"
-      HOMEPAGE_VAR_BAZARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Bazarr API Key }}"
-    '';
-    systemdWantedBy = [ "homepage-dashboard" ];
-  };
   services.homepage-dashboard = {
     enable = true;
     openFirewall = true;
-    environmentFile = config.opnix.secrets.homepage_env_file.path;
+    environmentFile = config.age.secrets.homepage.path;
     settings = {
       theme = "dark";
       background =

hosts/server/secrets.nix

@@ -0,0 +1,9 @@
+{
+  age = {
+    secrets = {
+      mullvad_wireguard.file = ../../mullvad_wireguard.age;
+      homepage.file = ../../homepage.age;
+      wireguard_server.file = ../../wireguard_server.age;
+    };
+  };
+}

hosts/server/wireguard.nix

@@ -9,13 +9,6 @@ in {
     enable = true;
     settings = { interface = wireguard_interface; };
   };
-
-  opnix = {
-    secrets.wg_private_key.source =
-      "{{ op://nixos-server/Wireguard Home VPN/Server Private Key }}";
-    systemdWantedBy = [ "wg-quick-${wireguard_interface}" ];
-  };
-
   networking = {
     # Enable NAT
     nat = {
@@ -37,7 +30,7 @@ in {
         # The port that WireGuard listens to - recommended that this be changed from default
         listenPort = wireguard_port;
         # Path to the server's private key
-        privateKeyFile = config.opnix.secrets.wg_private_key.path;
+        privateKeyFile = config.age.secrets.wireguard_server.path;
 
         # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
         postUp = ''

secrets.nix

@@ -0,0 +1,17 @@
+# This module is NOT imported into the NixOS config,
+# it is only used by the agenix CLI to determine which
+# keys to use to encrypt secrets.
+let
+  # my public key
+  users = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXHRx83f5MWdhcEHXduTINyUu6yqd2eOgZHE0XNYFlO mat@nixos-server"
+  ];
+  # server host key
+  systems = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUa3f8x3mb2fHF5JXjGKdWF5EUX8GQj7hMhEUn7LffI root@nixos-server"
+  ];
+in {
+  "mullvad_wireguard.age".publicKeys = users ++ systems;
+  "homepage.age".publicKeys = users ++ systems;
+  "wireguard_server.age".publicKeys = users ++ systems;
+}

wireguard_server.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 FeK1Dw QonlTODP9dEYT8Kd2Uokr1J0YyPk/mTHRp1uPtVuKXE
+k2MwbDTcJKdImB0uckZR5pW7VTvbs2kbQnu9LpsLA5s
+-> ssh-ed25519 kfVkkw 0F5xVfkfEGltzBDHV1PF/Er656n1MjBr9Yoqe/Ji5Vo
+2IiYHU+d3V/JCSEtmuPvDSsPv38sX1ns4SM9cYsOiVE
+--- wT31A5BaM+VUbKRwO86efENRIiJc5eIrmYiZ3iXhuU8
+�R.sp�Rլti�ĉU��~x���O\��z�\�_��%15:T��dyJv	To�vW�*K��,�W�ƈAK�s��