Split org-api secrets into auth password and SSH key

- Auth password uses env file format for systemd EnvironmentFile - SSH key is mounted as a file at /secrets/ssh_key in container - Fixes multi-line SSH key parsing issue in environment files - Update codex PR patch hash Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-31 20:14:35 -08:00
parent 34cacdc40d
commit 301e2a1479
4 changed files with 36 additions and 13 deletions
--- a/nixos/machines/railbird-sf.nix
+++ b/nixos/machines/railbird-sf.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, forEachUser, inputs, orgAgendaApiContainer ? null, ... }:
+{ config, lib, pkgs, forEachUser, inputs, orgAgendaApiContainer ? null, orgAgendaApiImageName ? "org-agenda-api", ... }:
 {
  imports = [
    ../configuration.nix
@@ -8,17 +8,22 @@
  networking.hostName = "railbird-sf";

  # org-agenda-api hosting with nginx + Let's Encrypt
-  age.secrets.org-api-env = {
-    file = ../secrets/org-api-passwords.age;
-    # Readable by the podman container service
+  # Separate secrets for org-agenda-api: auth password (env format) and SSH key (raw file)
+  age.secrets.org-api-auth-password = {
+    file = ../secrets/org-api-auth-password.age;
+  };
+  age.secrets.org-api-ssh-key = {
+    file = ../secrets/org-api-ssh-key.age;
+    mode = "0400";  # Restrictive permissions for SSH key
  };

  services.org-agenda-api-host = {
    enable = true;
    domain = "rbsf.tplinkdns.com";
-    containerImage = "colonelpanic-org-agenda-api";
+    containerImage = orgAgendaApiImageName;
    containerImageFile = orgAgendaApiContainer;
-    secretsFile = config.age.secrets.org-api-env.path;
+    secretsFile = config.age.secrets.org-api-auth-password.path;
+    sshKeyFile = config.age.secrets.org-api-ssh-key.path;
  };

  hardware.enableRedistributableFirmware = true;