feat: use kanidm secret provisioning

hosts/sentinel/oauth2.nix

@@ -2,6 +2,7 @@
   lib,
   config,
   pkgs,
+  nodes,
   ...
 }: {
   meta.oauth2_proxy = {
@@ -11,8 +12,27 @@
     # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
   };
 
-  age.secrets.oauth2-proxy-secret = {
-    rekeyFile = ./secrets/oauth2-proxy-secret.age;
+  age.secrets.oauth2-cookie-secret = {
+    rekeyFile = ./secrets/oauth2-cookie-secret.age;
+    mode = "440";
+    group = "oauth2_proxy";
+  };
+
+  # Mirror the original oauth2 secret, but prepend OAUTH2_PROXY_CLIENT_SECRET=
+  # so it can be used as an EnvironmentFile
+  age.secrets.oauth2-client-secret = {
+    generator.dependencies = [
+      nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-web-sentinel
+    ];
+    generator.script = {
+      lib,
+      decrypt,
+      deps,
+      ...
+    }: ''
+      echo -n "OAUTH2_PROXY_CLIENT_SECRET="
+      ${decrypt} ${lib.escapeShellArg (lib.head deps).file}
+    '';
     mode = "440";
     group = "oauth2_proxy";
   };
@@ -26,7 +46,7 @@
     redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token";
     validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
     clientID = clientId;
-    keyFile = config.age.secrets.oauth2-proxy-secret.path;
+    keyFile = config.age.secrets.oauth2-cookie-secret.path;
     email.domains = ["*"];
 
     extraConfig = {

hosts/sentinel/secrets/oauth2-cookie-secret.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 KdpmgjrRS0ELGwUakn4bKF56nftZLenn3NB7PYgiNQE
+52zchN0TRUP3/fdSTQ83aDi+0DZ07zxRRANNBe9i0IY
+-> piv-p256 xqSe8Q An0xez98f0vVvi2E+pwwGzKOsI4HzQE7cJN59T8yl3n0
+vvX2Yqergv0XqNOV37Qs4YUbCEGQbIF5O9NxkRpy11Q
+-> S_J0JSh-grease ]
+5Wf2tYlp7iszD54QfYkV95WGpcQ3HEeGACA3Y97NTr7uzUck4OPuKJwEwgK6pman
+AjB3lmIusWODZvwnuAL3fG/X4JEOJ2T21eBp5/Qfg/TsvHGH
+--- qjh6E4UM8Yd5zl8gOaQQJLk2AH+vDh7dCEv0ig0rO2k
+P‡]7ã\ú¨¶¿p—˜�(:'3E˜]ºšéÄRw8/²Z&Jz2I¼#“†Koç‚�¦w	™‚qyW‹-«ìÚ/iÐØ)+
Â+fÓÇSFž(Y_ý�4 ¼ŸßÍÒº?ÂjØ2l®0#