fix: agenix secrets runtime path

README.md

@@ -18,7 +18,7 @@ EFI/BIOS boot config | Module | [Link](./modules/boot.nix) | - | - | Allows you
 Nginx recommended options | Module | [Link](./modules/nginx.nix) | - | agenix | Sets many recommended settings for nginx with a single switch plus some opinionated defaults. Also adds a switch for setting recommended security headers on each location.
 Node options | Module | [Link](./modules/node.nix) | - | - | A module that stores meta information about your nodes (hosts). Required for some other modules that operate across nodes.
 Guests (MicroVMs & Containers) | Module | [Link](./modules/guests) | zfs, node options | - | This module implements a common interface to use guest systems with microvms or nixos-containers.
-Restic hetzner storage box setup | Module | [Link](./modules/restic.nix) | - | - | This module exposes new options for restic backups that allow a simple setup of hetzner storage boxes. There's [an app](./apps/setup-hetzner-storage-boxes.nix) that you should expose on your flake to automate remote setup.
+Restic hetzner storage box setup | Module | [Link](./modules/restic.nix) | agenix, agenix-rekey | - | This module exposes new options for restic backups that allow a simple setup of hetzner storage boxes. There's [an app](./apps/setup-hetzner-storage-boxes.nix) that you should expose on your flake to automate remote setup.
 
 #### Home Manager Modules
 

apps/setup-hetzner-storage-boxes.nix

@@ -28,7 +28,10 @@
       hostCfg:
         flip map (attrValues hostCfg.config.services.restic.backups) (
           backupCfg:
-            optional backupCfg.hetznerStorageBox.enable backupCfg.hetznerStorageBox
+            optional backupCfg.hetznerStorageBox.enable (
+              backupCfg.hetznerStorageBox
+              // {sshPrivateKeyFile = hostCfg.config.age.secrets.${backupCfg.sshAgeSecret}.rekeyFile;}
+            )
         )
     )
   );

modules/restic.nix

@@ -1,4 +1,8 @@
-{lib, ...}: let
+{
+  lib,
+  config,
+  ...
+}: let
   inherit
     (lib)
     mkEnableOption
@@ -8,7 +12,7 @@
     ;
 in {
   options.services.restic.backups = mkOption {
-    type = types.attrsOf (types.submodule ({config, ...}: {
+    type = types.attrsOf (types.submodule (submod: {
       options.hetznerStorageBox = {
         enable = mkEnableOption "Automatically configure this backup to use the given hetzner storage box. Will use SFTP via SSH.";
 
@@ -35,20 +39,20 @@ in {
           '';
         };
 
-        sshPrivateKeyFile = mkOption {
+        sshAgeSecret = mkOption {
-          type = types.path;
+          type = types.str;
-          description = "The path to the ssh private key to use for uploading backups. Don't use a path from the nix store!";
+          description = "The name of the agenix secret containing the ssh private key for accesing the storage box.";
         };
       };
 
       config = let
-        subuser = "${config.hetznerStorageBox.mainUser}-sub${toString config.hetznerStorageBox.subUid}";
+        subuser = "${submod.config.hetznerStorageBox.mainUser}-sub${toString submod.config.hetznerStorageBox.subUid}";
         url = "${subuser}@${subuser}.your-storagebox.de";
       in
-        mkIf config.hetznerStorageBox.enable {
+        mkIf submod.config.hetznerStorageBox.enable {
           repository = "sftp://${url}:23/";
           extraOptions = [
-            "sftp.command='ssh -s sftp -p 23 -i ${config.hetznerStorageBox.sshPrivateKeyFile} ${url}'"
+            "sftp.command='ssh -s sftp -p 23 -i ${config.age.secrets.${submod.config.hetznerStorageBox.sshAgeSecret}.path} ${url}'"
           ];
         };
     }));