feat(nixos-server): Switch from agenix to opnix

flake.nix

@@ -5,6 +5,10 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     catppuccin.url = "github:catppuccin/nix";
     tokyonight.url = "github:mrjones2014/tokyonight.nix";
+    opnix = {
+      url = "github:mrjones2014/opnix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     wezterm-nightly = {
       url = "github:wez/wezterm?dir=nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -25,13 +29,9 @@
       url = "github:1Password/shell-plugins";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    agenix = {
-      url = "github:ryantm/agenix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
-  outputs = inputs@{ self, nixpkgs, home-manager, agenix, ... }: {
+  outputs = inputs@{ self, nixpkgs, home-manager, opnix, ... }: {
     nixosConfigurations = {
       server = nixpkgs.lib.nixosSystem {
         specialArgs = {
@@ -43,11 +43,7 @@
         system = "x86_64-linux";
         modules = [
           home-manager.nixosModules.home-manager
-          agenix.nixosModules.default
-          {
-            environment.systemPackages =
-              [ agenix.packages.x86_64-linux.default ];
-          }
+          opnix.nixosModules.default
           ./nixos-modules/common.nix
           ./hosts/server
           {

hosts/server/default.nix

@@ -1,4 +1,4 @@
-{ inputs, ... }: {
+{ inputs, lib, ... }: {
   # This option defines the first version of NixOS you have installed on this particular machine,
   # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
   #
@@ -21,9 +21,12 @@
   environment.systemPackages =
     [ inputs.wezterm-nightly.packages.x86_64-linux.default ];
 
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [ "1password-cli" ];
+  opnix.environmentFile = "/etc/opnix.env";
+
   imports = [
     ./hardware-configuration.nix
-    ./secrets.nix
     ./ollama.nix
     ./content.nix
     ./nas.nix

hosts/server/deluge.nix

@@ -1,16 +1,30 @@
-{ config, ... }:
-let
-  configDir = "/var/lib/delugevpn";
-  wireguardConfigPath = config.age.secrets.mullvad_wireguard.path;
+let configDir = "/var/lib/delugevpn";
 in {
+  opnix = {
+    secrets.mullvad_wireguard_conf = {
+      source = ''
+        [Interface]
+        # Device: Clever Ibex
+        PrivateKey = {{ op://nixos-server/Mullvad VPN Private Key/Private Key }}
+        Address = 10.64.35.106/32,fc00:bbbb:bbbb:bb01::1:2369/128
+        DNS = 10.64.0.1
+        PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+        PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+
+        [Peer]
+        PublicKey = IzqkjVCdJYC1AShILfzebchTlKCqVCt/SMEXolaS3Uc=
+        AllowedIPs = 0.0.0.0/0,::0/0
+        Endpoint = 143.244.47.65:51820
+      '';
+      path = "${configDir}/wireguard/mullvad_wireguard.conf";
+    };
+    systemdWantedBy = [ "podman-delugevpn" ];
+  };
 
   systemd.tmpfiles.rules = [
     "d ${configDir} 055 delugevpn delugevpn - -"
     "d ${configDir}/wireguard 055 delugevpn delugevpn - -"
   ];
-  system.activationScripts.copyWireguardConfigIntoContainer.text = ''
-    mkdir -p ${configDir}/wireguard && cp ${wireguardConfigPath} ${configDir}/wireguard/mullvad_wireguard.conf
-  '';
   networking.firewall = {
     allowedTCPPorts = [ 8112 8118 58846 58946 ];
     allowedUDPPorts = [ 8112 8118 58846 58946 ];

hosts/server/homepage.nix

@@ -1,8 +1,20 @@
 { config, ... }: {
+  opnix = {
+    secrets.homepage_env_file.source = ''
+      HOMEPAGE_VAR_NEXTDNS_API_KEY="{{ op://nixos-server/NextDNS/API Key }}"
+      HOMEPAGE_VAR_JELLYSEERR_API_KEY="{{ op://nixos-server/Jellyfin/Jellyseerr API Key }}"
+      HOMEPAGE_VAR_JELLYFIN_API_KEY="{{ op://nixos-server/Jellyfin/Jellyfin API Key }}"
+      HOMEPAGE_VAR_DELUGE_PASSWORD="{{ op://nixos-server/Deluge/password }}"
+      HOMEPAGE_VAR_SONARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Sonarr API Key }}"
+      HOMEPAGE_VAR_RADARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Radarr API Key }}"
+      HOMEPAGE_VAR_BAZARR_API_KEY="{{ op://nixos-server/dfbnv6enwexvbz2apxgdlzul3m/Bazarr API Key }}"
+    '';
+    systemdWantedBy = [ "homepage-dashboard" ];
+  };
   services.homepage-dashboard = {
     enable = true;
     openFirewall = true;
-    environmentFile = config.age.secrets.homepage.path;
+    environmentFile = config.opnix.secrets.homepage_env_file.path;
     settings = {
       theme = "dark";
       background =

hosts/server/wireguard.nix

@@ -9,6 +9,13 @@ in {
     enable = true;
     settings = { interface = wireguard_interface; };
   };
+
+  opnix = {
+    secrets.wg_private_key.source =
+      "{{ op://nixos-server/Wireguard Home VPN/Server Private Key }}";
+    systemdWantedBy = [ "wg-quick-${wireguard_interface}" ];
+  };
+
   networking = {
     # Enable NAT
     nat = {
@@ -30,7 +37,7 @@ in {
         # The port that WireGuard listens to - recommended that this be changed from default
         listenPort = wireguard_port;
         # Path to the server's private key
-        privateKeyFile = config.age.secrets.wireguard_server.path;
+        privateKeyFile = config.opnix.secrets.wg_private_key.path;
 
         # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
         postUp = ''