From ebc43ca609346ac907f66ad7fb62cde57c474e1f Mon Sep 17 00:00:00 2001
From: Petri Hienonen
Date: Sun, 30 Nov 2025 13:09:40 +0200
Subject: Use systemd credential store for agenix
---
 hosts/kataja/default.nix | 3 ++-
 hosts/pihlaja/default.nix | 3 ++-
 hosts/saarni/default.nix | 7 ++-----
 roles/shared.nix | 4 +++-
 secrets/duckdns_login_token.age | Bin 432 -> 469 bytes
 5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/hosts/kataja/default.nix b/hosts/kataja/default.nix
index f664cab..3eab6fe 100644
--- a/hosts/kataja/default.nix
+++ b/hosts/kataja/default.nix
@@ -103,6 +103,7 @@
 services = {
 godns = {
 enable = true;
+ loadCredential = [ "login_token:${config.age.secrets.duckdns.path}" ];
 settings = {
 domains = [
 {
@@ -110,10 +111,10 @@
 sub_domains = [ "kataja" ];
 }
 ];
+ login_token_file = "$CREDENTIALS_DIRECTORY/login_token";
 ip_interface = "eno1";
 interval = 300;
 ip_type = "IPv6";
- login_token_file = config.age.secrets.duckdns.path;
 provider = "DuckDNS";
 };
 };
diff --git a/hosts/pihlaja/default.nix b/hosts/pihlaja/default.nix
index 8101815..4ed81c5 100644
--- a/hosts/pihlaja/default.nix
+++ b/hosts/pihlaja/default.nix
@@ -145,6 +145,7 @@
 services = {
 godns = {
 enable = true;
+ loadCredential = [ "login_token:${config.age.secrets.duckdns.path}" ];
 settings = {
 domains = [
 {
@@ -152,10 +153,10 @@
 sub_domains = [ "pihlaja" ];
 }
 ];
+ login_token_file = "$CREDENTIALS_DIRECTORY/login_token";
 ip_interface = "enp5s0";
 interval = 300;
 ip_type = "IPv6";
- login_token_file = config.age.secrets.duckdns.path;
 provider = "DuckDNS";
 };
 };
diff --git a/hosts/saarni/default.nix b/hosts/saarni/default.nix
index 5252e6f..9b2007a 100644
--- a/hosts/saarni/default.nix
+++ b/hosts/saarni/default.nix
@@ -3,12 +3,8 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 {
- inputs,
- outputs,
- lib,
 config,
 pkgs,
- vars,
 ...
 }:
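Review bot: The new `login_token_file = "$CREDENTIALS_DIRECTORY/login_token";` is a plain Nix string, so the token is only found if the godns module or godns itself expands that variable when the unit starts; nothing visible in this diff establishes that, and it is worth confirming on one host before relying on it (the same line is added for pihlaja and saarni). The credential name `login_token` is also now coupled between this line and the `loadCredential` entry in the preceding hunk, so a short comment on the entry would help, e.g. `# credential name must match login_token_file in settings`. Since the identical pair is repeated in three host files, moving it next to the secret definition in roles/shared.nix would keep the two halves from drifting. The `settings` block starts and ends outside these hunks.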
@@ -113,6 +109,7 @@
 services = {
 godns = {
 enable = true;
+ loadCredential = [ "login_token:${config.age.secrets.duckdns.path}" ];
 settings = {
 domains = [
 {
@@ -120,10 +117,10 @@
 sub_domains = [ "saarni" ];
 }
 ];
+ login_token_file = "$CREDENTIALS_DIRECTORY/login_token";
 ip_interface = "wlan0";
 interval = 300;
 ip_type = "IPv6";
- login_token_file = config.age.secrets.duckdns.path;
 provider = "DuckDNS";
 };
 };
diff --git a/roles/shared.nix b/roles/shared.nix
index 47aaf6f..b156d6c 100644
--- a/roles/shared.nix
+++ b/roles/shared.nix
@@ -13,7 +13,9 @@
 identityPaths = [ "/home/petri/.ssh/id_ed25519" ];
 secrets = {
 s3fs.file = ../secrets/s3fs.age;
- duckdns.file = ../secrets/duckdns_login_token.age;
+ duckdns = {
+ file = ../secrets/duckdns_login_token.age;
+ };
 };
 };
diff --git a/secrets/duckdns_login_token.age b/secrets/duckdns_login_token.age
index a290de2..3b3d3ab 100644
Binary files a/secrets/duckdns_login_token.age and b/secrets/duckdns_login_token.age differ
--
cgit v1.2.3-70-g09d2
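Review bot: Rewriting `duckdns.file` as an attrset with only `file` inside changes nothing on its own, and the roles/shared.nix hunk leaves the decrypted file's permissions implicit. With godns now receiving the token through `loadCredential`, the service user presumably no longer needs to read the agenix path directly, so this is the natural place to state that, e.g. `owner = "root"; mode = "0400";` inside the new `duckdns = { … }`. If those are already the effective defaults, a one-line comment saying the file is consumed only via the systemd credential would record the intent. The enclosing block starts outside the hunk.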