From e531756e9998168d77f759602f85aefedfb717d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sun, 15 Feb 2026 03:20:26 -0300 Subject: [PATCH 1/8] cachix: remove secret and config --- secrets/lelgenio-cachix.age | Bin 908 -> 0 bytes secrets/secrets.nix | 1 - switch-with-home-cache | 6 ------ system/nix.nix | 4 ---- system/secrets.nix | 1 - 5 files changed, 12 deletions(-) delete mode 100644 secrets/lelgenio-cachix.age delete mode 100755 switch-with-home-cache diff --git a/secrets/lelgenio-cachix.age b/secrets/lelgenio-cachix.age deleted file mode 100644 index af5a25031fac3b1267d128b1c656e66b05300989..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 908 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#{zDlf0_NaspTtnxIlEGf2h ztMt@Qvan36D$#c~aJMY;@U+M_bS=^^)(&&zez53MQ=@eMX83-iv* za7&5MuMF_;D|d1aD{`&i3h~nquS!p}$jNmJaw#&>_SVmG3`s623JdW|&Np{Y(XU9# zFiv$ZPVqI3aC6Qsj>rkjcPTUsj5MkWN^|$l=h83BEHJ5bFUrh!_o$4jj3`S9PALh` z&Gm9BH*qV>w#Y3=HTE#f)6cCa2(7BH2yiv_Gd0R|*7nRQh%~cE%I0z@jtb9r)XsAD z@=eLi4{*-U^m8)v%8DpW%y+BIDG$^42-Hu~Huee(G)VEOOfRe`_Rp-y^35>FHurP1 z@G0W5bc}L|F!d<$^evBaFZMAE%S+D;3(2!^Ha4ls)lUzuD9SMov&;<5EB6j7GD&iG zO)E61(DyM6^)<|?aLrHUsw&O#_Re)O3-TxnbgPI=P73!jN{#d?@Ha8{$u6i0^$c+F zFE2K%Dhc)QGd8FyN+~qREspffEwS)5&kiK z-~u1RQ0K^0eUFk1&+sxgrvO)@^fHS|gUlSyq6!l(Qab{d}-Mrn9dH)n}z7un5SSmu9Q=+L|~f0SM>?Y;crTKAbxVwKf7aq|D_ z_ni10`F~HP@DrZ@b40v1)YoO-7kqT(9begJFQJehlI52E|C0Y7y>9Z<<()yAq2kxd o`@3fsycRK%jBU7UTUp2;`dM`O>2tHUAG>ZTyV$7uqD_S<0BCqkHvj+t diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6504054..3758621 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -7,7 +7,6 @@ in
 ];
 "gitlab-runner-thoreb-telemetria-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
 "monolith-forgejo-runner-token.age".publicKeys = [ main_ssh_public_key ];
- "lelgenio-cachix.age".publicKeys = [ main_ssh_public_key ];
 "monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ];
 "factorio-settings.age".publicKeys = [ main_ssh_public_key ];
 "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ];
diff --git a/switch-with-home-cache b/switch-with-home-cache
deleted file mode 100755
index cff021a..0000000
--- a/switch-with-home-cache
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-./switch \
- --option extra-substituters "http://nixcache.lelgenio.1337.cx:5000" \
- --option extra-trusted-public-keys "nixcache.lelgenio.1337.cx:HZCwDaM39BOF+MLuviMQTUrz3rBWLTLV9H+GV4zcxVI=" \
- "$@"
diff --git a/system/nix.nix b/system/nix.nix
index 482bb93..7ab2e28 100644
--- a/system/nix.nix
+++ b/system/nix.nix
@@ -29,16 +29,12 @@ in
 substituters = [
 "https://cache.nixos.org"
 "https://nix-community.cachix.org"
- # "http://nixcache.lelgenio.1337.cx:5000"
- "https://lelgenio.cachix.org"
 "https://wegank.cachix.org"
 "https://snowflakeos.cachix.org/"
 ];
 trusted-public-keys = [
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- # "nixcache.lelgenio.1337.cx:zxCfx7S658llDgAUG0JVyNrlAdFVvPniSdDOkvfTPS8="
- "lelgenio.cachix.org-1:W8tMlmDFLU/V+6DlChXjekxoHZpjgVHZpmusC4cueBc="
 "wegank.cachix.org-1:xHignps7GtkPP/gYK5LvA/6UFyz98+sgaxBSy7qK0Vs="
 "snowflakeos.cachix.org-1:gXb32BL86r9bw1kBiw9AJuIkqN49xBvPd1ZW8YlqO70="
 ];
diff --git a/system/secrets.nix b/system/secrets.nix
index 588dfe4..b7a484d 100644
--- a/system/secrets.nix
+++ b/system/secrets.nix
@@ -2,7 +2,6 @@ { age = { identityPaths = [ "/root/.ssh/id_rsa" ]; - secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age; secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.file = ../secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age; secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.file = ../secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age; secrets.monolith-forgejo-runner-token.file = ../secrets/monolith-forgejo-runner-token.age; From 8475e3ecb64b845447b65652056769f45b8ed89b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sun, 15 Feb 2026 03:25:24 -0300 Subject: [PATCH 2/8] secrets: move forgejo mail secret to sops --- hosts/phantom/forgejo.nix | 5 ++--- secrets/phantom-forgejo-mailer-password.age | Bin 678 -> 0 bytes secrets/phantom/default.yaml | 12 +++++------- secrets/secrets.nix | 1 - system/secrets.nix | 1 - 5 files changed, 7 insertions(+), 12 deletions(-) delete mode 100644 secrets/phantom-forgejo-mailer-password.age diff --git a/hosts/phantom/forgejo.nix b/hosts/phantom/forgejo.nix index dbb63d3..c7a224b 100644 --- a/hosts/phantom/forgejo.nix +++ b/hosts/phantom/forgejo.nix @@ -42,11 +42,10 @@ in USER = "noreply@git.lelgenio.com"; }; }; - mailerPasswordFile = config.age.secrets.phantom-forgejo-mailer-password.path; + secrets.mailer.PASSWD = config.sops.secrets."forgejo/smtp_password".path; }; - age.secrets.phantom-forgejo-mailer-password = { - file = ../../secrets/phantom-forgejo-mailer-password.age; + sops.secrets."forgejo/smtp_password" = { mode = "400"; owner = "forgejo"; }; 
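Review bot: The new `sops.secrets."forgejo/smtp_password"` entry in hosts/phantom/forgejo.nix sets `mode` and `owner` but nothing that restarts Forgejo when the secret changes, so after a rotation the service would presumably keep using the old SMTP password until someone restarts it by hand. sops-nix has an option for this; consider adding `restartUnits = [ "forgejo.service" ];` next to `owner = "forgejo";`. The enclosing `services.forgejo` block starts outside the hunk, so confirm the unit name against the rest of the file.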
diff --git a/secrets/phantom-forgejo-mailer-password.age b/secrets/phantom-forgejo-mailer-password.age deleted file mode 100644 index 90fbe735e74103886baaf56a7bef66d16e8233ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 678 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#{zDlf0_Nau2MH1kaM@bJw@ z)VDDAur#W2_VCJd3(_|UDlsw-4U901a?ZnDN0JO^zy0TN)5CuHcStwu=MiI%+RikbW6#~@N|jtFb+s@)6OW)$_Vo` zt+4d3aL$QxiS)>c@HES}wA9Z}^>Po-bu16d;fe~$GssB_H}S}EDRDOOF7x$BjkGMv zcCJkH4Nh@R4{>vka4R)SNvkOJjIyZ8cCs)u@Cm92N-;?C3y*O3N#Y9iGpO=1j0iEQ z$}G$b2`)4>F)DM;%5w@7mf4KyxuD)KH1NlWrGHTDYf z%gyFW@(N2zEe#LJjB=^)Pc1SIcghWL4$Zglj!dnnFiy_Q^zpCA3^XY*&rb>W^EEf| zjqnU9a5eA_sBkawE-EnPvh?@NPjpKyH%Kz{3Aao(cD2kfa(DKw$TTSR)z|kl_Hywl zFDP^~4)HZE3XdocOp2m_D#+y3<^)PFfH&2HFV|LcK#-FG{c_ Date: Sun, 15 Feb 2026 03:26:54 -0300 Subject: [PATCH 3/8] agenix: remove old secrets --- ...-thoreb-telemetria-registrationConfigFile.age | 16 ---------------- ...-thoreb-itinerario-registrationConfigFile.age | 13 ------------- secrets/secrets.nix | 4 ---- system/secrets.nix | 2 -- 4 files changed, 35 deletions(-) delete mode 100644 secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age delete mode 100644 secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age diff --git a/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age b/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age deleted file mode 100644 index 1d7d3ff..0000000 --- a/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age +++ /dev/null 
@@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -KuJIQzvERsM1zAF4iikbaIMsi4e/vnyx1yq6h9Mzxf6FnXyFRcUgLPVe05krQhJX -0wjv18bI0jxRb8742Ww9i2nU5Tlrok9ol458iye5CPl63fAlVih4/Rkl3IkUIiIz -q/VayGVaIHmpRD2xiEa4L+NXS9N69vVXoubX0oZrB0nPdYJ83gFU9u+CBqqG2EWr -PBjyIvT5i5MDBnPZGOudadIoyeWGfjXEPsQWhQhL9ssi5QOzLXBnTDlxT53bNvHX -2yOFprLDZ+ZONedkxy8OXZpPDYNcgPAIHiqx1E87ftqPIucdeU49AqlPh46wrPC3 -79E2hgSoPvn4poTlJtAD0tIADRGkcEV6wLCylN2lTOUJenUfhLNQ7ok4ITx8MOv3 -IkbWiD9yTMExVBlhc+us+XfBHM8mlWs/zu+18YTy21RM03gzY6lHVZCQPxay2Rof -A505SeZ4Tyhoy0+oLaYv9b+7DJdlhUo/XMaKSibtgJ/2MCtRqmV5ZsnuUIWn1Qsc - --> Vg-grease `tLg-(2z -4EPuRnZmXpoB32r/0GCtskU3HU3h5ic ---- QmKr+zAXnMpWBBBqNm2u954fOu2Zt8Y/kPPdq4UHgZc -{u| uӀ]OmXP34__ -q46mm \ No newline at end of file diff --git a/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age b/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age deleted file mode 100644 index 60c5c70..0000000 --- a/secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age +++ /dev/null @@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -YvABDqm9pSLhyLaKLDStuDisPJnaDpHnpTdTU4/xWgD3F4g2WkMymilhabqM+R5S -hqcSVDxYE2mpPDPIDIMPRlZyw5EBKS6zQYFr7u3fdSMzzhL6pBLUvFtfq40Y3o6C -LkkkYyWnJisWuTYeBY95H+fbDhqOylbjHP1fhRVwXO85pa4CcRMAWU2pKOIZRb3T -IuQyE3LOT/vts56q0mgdItJK0gX0NJzXxi+8YdXb2VU5ny6IOBzDL4jUHhi4nfpS -AmzEZE3ezq4Nxg+txMDQ6ZO+JUhqjCS4XDf5b2Lq6fDenVhFaNYf4HK/fMZHKhKE -Ac+K5U3CKB7B2Ur+sEdB7AYWOc346bvxZhP16nwCI0ocaquo6WzEa6XA7zfRVC86 -wlTIUVdYKW3e/4AIHFnSXhFNss52kkhOjxcdQpdBb5RgSc/gWel7XFJ3bV17bCmV -ccCYejBvW+Arpgr9Tl3UfyEbRbGTe7Jbxydsrx5h7gcXOuBYE3x8RGhegiL28wVl - ---- E11l59lvUhPNzXAYTgVUIIUCgJsEsSDMdnLV6r+qSiA -ˋ-&I:ڹSa_ztJ!H ' C`'u@s':ζ~[0nY-uFe܋`x7D0/×%VޑU \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ad44b22..4793a21 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -2,10 +2,6 @@ let main_ssh_public_key = "ssh-rsa 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 lelgenio@i15"; in { - "monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ - main_ssh_public_key - ]; - "gitlab-runner-thoreb-telemetria-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ]; "monolith-forgejo-runner-token.age".publicKeys = [ main_ssh_public_key ]; "monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ]; "factorio-settings.age".publicKeys = [ main_ssh_public_key ]; diff --git a/system/secrets.nix b/system/secrets.nix index 18547ae..1e738a5 100644 --- a/system/secrets.nix +++ b/system/secrets.nix @@ -2,8 +2,6 @@ { age = { identityPaths = [ "/root/.ssh/id_rsa" ]; - secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.file = ../secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age; - secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.file = ../secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age; secrets.monolith-forgejo-runner-token.file = ../secrets/monolith-forgejo-runner-token.age; secrets.monolith-nix-serve-privkey.file = ../secrets/monolith-nix-serve-privkey.age; }; From ed510001fdcf2853c36f67d8d6af6480abb6ec1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sun, 15 Feb 2026 03:29:38 -0300 Subject: [PATCH 4/8] secrets: migrate forgejo runner to sops --- secrets/monolith-forgejo-runner-token.age | Bin 688 -> 0 bytes secrets/secrets.nix | 1 - system/monolith-forgejo-runner.nix | 2 +- system/secrets.nix | 1 - 4 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 secrets/monolith-forgejo-runner-token.age 
diff --git a/secrets/monolith-forgejo-runner-token.age b/secrets/monolith-forgejo-runner-token.age deleted file mode 100644 index fff63ca77be3834049d16ab0bbac97efd8e6b8a8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 688 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#{zDlf0_NaxCM(=G@#aZmCI z&Cm9;47W@xHwudg3^0puv-C7H4yy{aaPiGFPxAM3ipmLzDs?u_F?S9r$SSt9$ae|z zGSBBqbkcTBsc;N(bO{d5%5zH9cXrKj&-8T5Gj%t0^bRl#E%0`AjwsSMDvxq@FY)tC zOEWajGOuzeD=RWd@~EidDoM{U4=A*V3dnPE4YY7i_l!(04GHxO^)U7}E6&l+HP+6p zG&VByH8M312}nN_S87&NhxRi8MD%%PB7?_b;~8PcP4NG4?S|cFZphHVR7( z*EZyGG>mljx2*Cs)ea1ZN;3`4bILSzD^CwiDNf1@at?De&b0J2$n$Z^&h*a7b&HKOAJT~ zPOgYFj|?r%cJxa!^DC?{3o~%9D)#oP^zime;z|niD#-Q=sI<&W%5rxJC@#yZ@G1#0 zF3oeTtnkn_2r`e-4yi2iOe>6ZDacAoEHTgy*LSMW*3ZasEKA9C&EVqF)zwun$TyFu zD$n+HEH0{Ys)%%U4amvJs&o&`%S=o433N0p4|9t0)-N> Date: Sun, 15 Feb 2026 03:32:22 -0300 Subject: [PATCH 5/8] nix-serve: move secret to sops --- secrets/monolith-nix-serve-privkey.age | Bin 839 -> 0 bytes secrets/monolith/default.yaml | 6 ++++-- secrets/secrets.nix | 1 - system/nix-serve.nix | 2 +- system/secrets.nix | 1 - 5 files changed, 5 insertions(+), 5 deletions(-) delete mode 100644 secrets/monolith-nix-serve-privkey.age diff --git a/secrets/monolith-nix-serve-privkey.age b/secrets/monolith-nix-serve-privkey.age deleted file mode 100644 index 843b433a17ac22f123776655e7c58497c91c8879..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 839 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#{zDlf0_NaqRO>(V_%q$HL$;iua zH_33!4KT?!sVFfHjk56JiY&@<&r45rGAb=Gs_@LO^fpO#b<;O2%JOhdP0Xw)@$`ud z4o%DVPj<@9Eptw-GA}Z7DlFE{aV+vI_VKB5;_@v@H8VBMiVW4SwD78ma4a&&a@O|^ z2+Ybz%}6TAv9v4+NzX6IDG5pPFLaE|@vEvRFLbYp$VvA%a&^ql%;n0CDhw%0HFgcH z2r^2{PW3TPbt*}UC~?y^FD_0p4RQ`Is&Fzk_sdMmu8a&x_H)fnEerK1HmUG%voy}C zstDk+NOdZ;%yo|RHp>e)Db@Eb4YY7}PAo1?&xc%u;_6 zE$Pts!A<}2i@&>E)-$;KugL$l^w|GTsavX-_0oPk+brP(i6{vjhi*=08T$NY5)KL 
diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml index 6b3c1ff..61f00ce 100644 --- a/secrets/monolith/default.yaml +++ b/secrets/monolith/default.yaml @@ -13,6 +13,8 @@ nebula-wopus-vpn: monolith-key: ENC[AES256_GCM,data:Y8KVQk66dewyeRIF+6HJeufD9EYO55m73LxrtZi4KQU0RbUpsV0eiRMX62rYtw6+uP87f5Tx6kC3fX4+mqNb2ZgDtVvm3/Qnz5Ly112c/h33krNqRpv6pEHRkrS9j01tLkJnxwiyIvq3b03GTAIoCKWgqaaagCXYHArgzRrDIw==,iv:lp3zuD8XWaiJvyxzXHrgpF4qbrCv/uf9l9qyWXVrkkM=,tag:eSlTCa2TrIuga7UUxoloBQ==,type:str] minio: root-credentials: ENC[AES256_GCM,data:izDiis6BgAubbe91EUcuwMKrSrYEDQFQbaEGzpdjj3Wlt8Z8gzgvGmYCryAK8GBUMbzQvy0do26xMGMl3LxLWz9bgixixPVFTTg5GhfUJw==,iv:hkrkGz+EpVwkWEMQWBrm2u4Jti7azsDtsTmyouDREug=,tag:mDnOKKBwgKOmsxegKcRhpQ==,type:str] +nix-serve: + private-key: ENC[AES256_GCM,data:xSHNHiLKs5QG92cSR0gNlusRhGjRUcelSvBt/f3+LdLjTtPaYMmiEiUsl43FyaigGkGq4nGDWAgPVJ+bFNpman0F4KwYqoSp5zH07IC9KaXouvudRLMZc8MkpwKKptKebKDlxKfsLt44n3qnV7OPYzSgzA==,iv:yUM/4yCIJqTt04HyXBVe+EMN4NnFkVnVhsUvUlKv2QM=,tag:qAr0UIjWzXH1eEzGCrK5Vg==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h 
@@ -33,8 +35,8 @@ sops: aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-27T15:58:01Z" - mac: ENC[AES256_GCM,data:8JemHyxdcDjkg++kgBAGpvGZAyGnQhcAOzs58D8EqjJzTWWf4HgF3uD8od5EGu5i1f7IzUBNio57H/0DC7fWZk/vIRM/Xn7DREuXClBGmBsc32H+K0tOKg8hMb11PDGqviw0qj0qwl1Gs0+j8C4OY9qLupTDzsECUgRXBtsD4cU=,iv:vOV25BV/C3hK/D4bKb26Xi0PaiSlJ5t9bN18ZJQnCRs=,tag:1AZyn4Zj1/e/2dhNzcfPqg==,type:str] + lastmodified: "2026-02-15T06:31:14Z" + mac: ENC[AES256_GCM,data:FPf6xhBN/D0zfeMcpcT1u+94oWpO6XApn11CtiA36MmPMaD/8kIpT7WxX2uV9OVnAfE1ab4vhaIPflLNt+iIOVJRxT0d2kjGqnWrJlRsu0C7gandbUjx/QnDobb82V0KFZ/E5wgZEdd2bl33l+BWdMHeUj32yFzSyP5d98GloJE=,iv:uQ9F4b2OGF+dGp7B7tl+qXB16cGdCLeTw7vQ2h2JjWc=,tag:UpCKj7CaRI5MralcT4oJQw==,type:str] pgp: - created_at: "2025-03-07T22:49:16Z" enc: |- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b361438..3d6a466 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,7 +2,6 @@ let main_ssh_public_key = "ssh-rsa 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 lelgenio@i15"; in { - "monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ]; "factorio-settings.age".publicKeys = [ main_ssh_public_key ]; "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ]; "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ]; diff --git a/system/nix-serve.nix b/system/nix-serve.nix index 6cc7161..7cd7377 100644 --- a/system/nix-serve.nix +++ b/system/nix-serve.nix @@ -7,6 +7,6 @@ { services.nix-serve = { enable = true; - secretKeyFile = config.age.secrets.monolith-nix-serve-privkey.path; + secretKeyFile = config.sops.secrets."nix-serve/private-key".path; }; } diff --git a/system/secrets.nix b/system/secrets.nix index acf4281..1e5d68d 100644 --- a/system/secrets.nix +++ b/system/secrets.nix 
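Review bot: `secretKeyFile` in system/nix-serve.nix now reads `config.sops.secrets."nix-serve/private-key".path`, but no hunk in patch 5/8 declares that secret; the declaration `sops.secrets."nix-serve/private-key" = { };` only appears in patch 6/8 (factorio). Unless the secret is declared in a file not shown here, this commit on its own fails evaluation with a missing attribute, which makes the secrets migration hard to bisect or partially revert. Move the declaration into this patch, directly after the `services.nix-serve` block. The `forgejo-runners/git.lelgenio.com-default` declaration added in the same later patch suggests 4/8 has the same gap, though its hunks are not readable on this page.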
@@ -2,6 +2,5 @@ { age = { identityPaths = [ "/root/.ssh/id_rsa" ]; - secrets.monolith-nix-serve-privkey.file = ../secrets/monolith-nix-serve-privkey.age; }; } From 5f57fb269a81673db78961005539a9d21b46675d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sun, 15 Feb 2026 03:41:31 -0300 Subject: [PATCH 6/8] factorio: move secret to sops --- hosts/monolith/default.nix | 2 ++ hosts/monolith/factorio-server.nix | 5 ++--- secrets/factorio-settings.age | Bin 847 -> 0 bytes secrets/monolith/default.yaml | 6 ++++-- secrets/secrets.nix | 1 - system/monolith-forgejo-runner.nix | 2 ++ system/nix-serve.nix | 2 ++ 7 files changed, 12 insertions(+), 6 deletions(-) delete mode 100644 secrets/factorio-settings.age diff --git a/hosts/monolith/default.nix b/hosts/monolith/default.nix index bf0e98e..0ce3b79 100644 --- a/hosts/monolith/default.nix +++ b/hosts/monolith/default.nix @@ -43,6 +43,8 @@ in package = pkgs.unstable.opentabletdriver; }; + sops.defaultSopsFile = lib.mkForce ../../secrets/monolith/default.yaml; + my.gaming.enable = true; my.nix-ld.enable = true; diff --git a/hosts/monolith/factorio-server.nix b/hosts/monolith/factorio-server.nix index debbc1e..0db1e3a 100644 --- a/hosts/monolith/factorio-server.nix +++ b/hosts/monolith/factorio-server.nix @@ -12,7 +12,7 @@ lan = true; openFirewall = true; admins = [ "lelgenio" ]; - extraSettingsFile = config.age.secrets.factorio-settings.path; + extraSettingsFile = config.sops.secrets."factorio/server-config.json".path; }; systemd.services.factorio = { @@ -43,8 +43,7 @@ wantedBy = [ "timers.target" ]; }; - age.secrets.factorio-settings = { - file = ../../secrets/factorio-settings.age; + sops.secrets."factorio/server-config.json" = { mode = "777"; }; } 
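Review bot: `mode = "777"` on `sops.secrets."factorio/server-config.json"` in hosts/monolith/factorio-server.nix leaves the decrypted settings file readable, writable and executable by every local account, so any process on the host can read the credentials it carries or alter the file before the server loads it. `mode = "666"` on `sops.secrets."invidious/settings.json"` in patch 7/8 has the same exposure. Both values are carried over unchanged from the agenix definitions, and the migration is a good point to narrow them: `mode = "0400"; owner = "<service user>";` if the unit runs as a fixed user, or hand the file to the unit through systemd's `LoadCredential` if it runs under a dynamic user. The `systemd.services.factorio` block lies outside the hunk, so which case applies cannot be told from here.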
diff --git a/secrets/factorio-settings.age b/secrets/factorio-settings.age deleted file mode 100644 index 77eb8bddbb17ce598bbd018de5232c281bc213e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 847 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!*`Do#{zDlf0_NaqSEF>&$JcCGNy z&n$2X3P?#TaHv&_x14AR!;GS5lX&&YHSb@UDjFD(nJbT4rFs-Qc zHFe4e&eYCKb20Xf^7J*!FR#=tOtVM~wlEJU<1+QNFf?>_O)f6?Eceed@=Pl%$%^nu zNzeAvcQG(`b*ZY12uvxdFfTB0^3e7U$ck{*Hcu-EDNe0O_l*jQu;k*>)zww7^zigc zcC7T$cTF@*cJy{BD)I7-Fe&p5@pIEpstgMB%&n*71%&$Rn^tA#L&$4QB zy@}&2VLov>){?RLtkr#Ufk$lnK8sIc6V1M{wPuU!T7Hj;EQXI6`}bL={+TJ3XQ#=P z?R#&@*Py@LvCa9NYlAn`efAQT-eux>d;V!}e- diff --git a/secrets/monolith/default.yaml b/secrets/monolith/default.yaml index 61f00ce..afa1c8f 100644 --- a/secrets/monolith/default.yaml +++ b/secrets/monolith/default.yaml @@ -15,6 +15,8 @@ minio: root-credentials: ENC[AES256_GCM,data:izDiis6BgAubbe91EUcuwMKrSrYEDQFQbaEGzpdjj3Wlt8Z8gzgvGmYCryAK8GBUMbzQvy0do26xMGMl3LxLWz9bgixixPVFTTg5GhfUJw==,iv:hkrkGz+EpVwkWEMQWBrm2u4Jti7azsDtsTmyouDREug=,tag:mDnOKKBwgKOmsxegKcRhpQ==,type:str] nix-serve: private-key: ENC[AES256_GCM,data:xSHNHiLKs5QG92cSR0gNlusRhGjRUcelSvBt/f3+LdLjTtPaYMmiEiUsl43FyaigGkGq4nGDWAgPVJ+bFNpman0F4KwYqoSp5zH07IC9KaXouvudRLMZc8MkpwKKptKebKDlxKfsLt44n3qnV7OPYzSgzA==,iv:yUM/4yCIJqTt04HyXBVe+EMN4NnFkVnVhsUvUlKv2QM=,tag:qAr0UIjWzXH1eEzGCrK5Vg==,type:str] +factorio: + server-config.json: ENC[AES256_GCM,data:qpLNcNjKrlH5IjGsq7ukCPR7G5dfOfN9joM2KZUdKZetZ/mA8ikBSbuBtRxwBQUSB6PcFxDftus704vlOkLcDcc4PT9rnpEiedLng9NkJPZZo2exfozut3N7dhij28c6Jy2uvad1pzAfW78iHI0kJNkDQDD2oW9xoFAZrPDRh5oNLpNn1/iIFoIflyYFctUbcpsDvs+8xHGGM5PQQo0QnZcxfSPY2iT4At1i5WP/Uedonvlw9fNcoOtzP7BhOECuMWUC5W2v2hP2/vcp7M8=,iv:Ln+/4AudJfdJYdkq0xLVF8dyrObzLwhANpTo3WgjUF4=,tag:Rgw4/J016Geiv6FwF5ZaMQ==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h 
@@ -35,8 +37,8 @@ sops: aFVxcDFhaGdYekRWRVFIWnRsZndtZFkKgsvxOFHOcO306Z9FkucA1fDOpZA8N1/h jYmIgcKTFgWoSCvux67lK30jFsYp7sm5z6WxxDYsGcoQ/+pxoUX2jQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-15T06:31:14Z" - mac: ENC[AES256_GCM,data:FPf6xhBN/D0zfeMcpcT1u+94oWpO6XApn11CtiA36MmPMaD/8kIpT7WxX2uV9OVnAfE1ab4vhaIPflLNt+iIOVJRxT0d2kjGqnWrJlRsu0C7gandbUjx/QnDobb82V0KFZ/E5wgZEdd2bl33l+BWdMHeUj32yFzSyP5d98GloJE=,iv:uQ9F4b2OGF+dGp7B7tl+qXB16cGdCLeTw7vQ2h2JjWc=,tag:UpCKj7CaRI5MralcT4oJQw==,type:str] + lastmodified: "2026-02-15T06:33:37Z" + mac: ENC[AES256_GCM,data:lYnwpoQuDSRpcPdIoSX3aGssc34UPqj6aZaliXl9XKMu1FMEgKwYXvNGOgs4tV2hBUQvTB4ZhiPT62awEHxzO1CmVdi6eiR9LTP2KetVubvKp8Ps/xoWKl51pG9ubJj+H3rfwAhfbGVZmAb6PKQgY6mnpyutlt/ojCMoKJ4BVwM=,iv:O0MoP+Nb1+nrowX3yfhIY/pjtSbLPV6qHOhDiEfdpzw=,tag:qSA02qKepxJ8p1qpZYN+UQ==,type:str] pgp: - created_at: "2025-03-07T22:49:16Z" enc: |- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3d6a466..0a7abf8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,7 +2,6 @@ let main_ssh_public_key = "ssh-rsa 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 lelgenio@i15"; in { - "factorio-settings.age".publicKeys = [ main_ssh_public_key ]; "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ]; "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ]; "phantom-renawiki.age".publicKeys = [ main_ssh_public_key ]; diff --git a/system/monolith-forgejo-runner.nix b/system/monolith-forgejo-runner.nix index 345f861..5d7a98f 100644 --- a/system/monolith-forgejo-runner.nix +++ b/system/monolith-forgejo-runner.nix @@ -17,4 +17,6 @@ ]; }; }; + + sops.secrets."forgejo-runners/git.lelgenio.com-default" = { }; } diff --git a/system/nix-serve.nix b/system/nix-serve.nix index 7cd7377..9bf9814 100644 --- a/system/nix-serve.nix +++ b/system/nix-serve.nix @@ -9,4 +9,6 @@ enable = true; secretKeyFile = config.sops.secrets."nix-serve/private-key".path; }; + + sops.secrets."nix-serve/private-key" = { }; } 
From 3be05b100b36d3aa8b169e115b4e0f3b50b924d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sun, 15 Feb 2026 03:47:47 -0300 Subject: [PATCH 7/8] phantom: migrate secrets to sops --- hosts/phantom/invidious.nix | 5 ++--- hosts/phantom/mastodon.nix | 5 ++--- hosts/phantom/nextcloud.nix | 13 +++++-------- hosts/phantom/writefreely.nix | 13 +++++-------- secrets/phantom-invidious-settings.age | 16 ---------------- secrets/phantom-mastodon-mailer-password.age | 13 ------------- secrets/phantom-nextcloud.age | 15 --------------- secrets/phantom-renawiki.age | 16 ---------------- secrets/phantom/default.yaml | 12 ++++++++++-- ...-thoreb-itinerario-registrationConfigFile.age | 13 ------------- secrets/secrets.nix | 5 ----- 11 files changed, 24 insertions(+), 102 deletions(-) delete mode 100644 secrets/phantom-invidious-settings.age delete mode 100644 secrets/phantom-mastodon-mailer-password.age delete mode 100644 secrets/phantom-nextcloud.age delete mode 100644 secrets/phantom-renawiki.age delete mode 100644 secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age diff --git a/hosts/phantom/invidious.nix b/hosts/phantom/invidious.nix index 60c1dca..d4486d7 100644 --- a/hosts/phantom/invidious.nix +++ b/hosts/phantom/invidious.nix @@ -23,7 +23,7 @@ # "visitor_data": "...", # "po_token": "..." # } - extraSettingsFile = config.age.secrets.phantom-invidious-settings.path; + extraSettingsFile = config.sops.secrets."invidious/settings.json".path; settings = { force_resolve = "ipv6"; db = { @@ -33,8 +33,7 @@ }; }; - age.secrets.phantom-invidious-settings = { - file = ../../secrets/phantom-invidious-settings.age; + sops.secrets."invidious/settings.json" = { mode = "666"; }; } diff --git a/hosts/phantom/mastodon.nix b/hosts/phantom/mastodon.nix index d0dd5d3..e21e874 100644 --- a/hosts/phantom/mastodon.nix +++ b/hosts/phantom/mastodon.nix 
@@ -14,15 +14,14 @@ host = "lelgenio.com"; fromAddress = "noreply@social.lelgenio.com"; user = "noreply@social.lelgenio.com"; - passwordFile = config.age.secrets.phantom-mastodon-mailer-password.path; + passwordFile = config.sops.secrets."mastodon/smtp-password".path; }; streamingProcesses = 2; extraConfig.SINGLE_USER_MODE = "true"; mediaAutoRemove.olderThanDays = 5; }; - age.secrets.phantom-mastodon-mailer-password = { - file = ../../secrets/phantom-mastodon-mailer-password.age; + sops.secrets."mastodon/smtp-password" = { mode = "400"; owner = "mastodon"; }; diff --git a/hosts/phantom/nextcloud.nix b/hosts/phantom/nextcloud.nix index d95e598..6b8a020 100644 --- a/hosts/phantom/nextcloud.nix +++ b/hosts/phantom/nextcloud.nix @@ -11,7 +11,7 @@ https = true; config = { dbtype = "sqlite"; # TODO: move to single postgres db - adminpassFile = config.age.secrets.phantom-nextcloud.path; + adminpassFile = config.sops.secrets."nextcloud/default-password".path; }; }; @@ -20,12 +20,9 @@ enableACME = true; }; - age = { - secrets.phantom-nextcloud = { - file = ../../secrets/phantom-nextcloud.age; - mode = "400"; - owner = "nextcloud"; - group = "nextcloud"; - }; + sops.secrets."nextcloud/default-password" = { + mode = "400"; + owner = "nextcloud"; + group = "nextcloud"; }; } diff --git a/hosts/phantom/writefreely.nix b/hosts/phantom/writefreely.nix index 5608c0f..2358981 100644 --- a/hosts/phantom/writefreely.nix +++ b/hosts/phantom/writefreely.nix 
@@ -12,19 +12,16 @@ nginx.forceSSL = true; host = "blog.lelgenio.com"; admin.name = "lelgenio"; - admin.initialPasswordFile = config.age.secrets.phantom-writefreely.path; + admin.initialPasswordFile = config.sops.secrets."writefreely/password".path; settings.app = { site_name = "Leo's blog"; single_user = true; }; }; - age = { - secrets.phantom-writefreely = { - file = ../../secrets/phantom-writefreely.age; - mode = "400"; - owner = "writefreely"; - group = "writefreely"; - }; + sops.secrets."writefreely/password" = { + mode = "400"; + owner = "writefreely"; + group = "writefreely"; }; } diff --git a/secrets/phantom-invidious-settings.age b/secrets/phantom-invidious-settings.age deleted file mode 100644 index 6ca9077..0000000 --- a/secrets/phantom-invidious-settings.age +++ /dev/null @@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -iTcgtxF1IxopbtF+aw7V8IQfH7tWiMk9lE/eWlVHVjeaRvER5W6Y3xZNOFCjtbqY -VwEyV6ibfZ4GJt1jRu2icEH/AnLUJFFGQnxu/K/rtoZ3tqSIk9WCBv3aPo4oZRiU -uaaxi2gD8qo1RLyl/Ij7Djw4i/isUOO1EON5sgx1d39k6qUD4Mak0DSU4EtGdTsr -OaxDAc0kAxhxZQOUH/QlKa0HLonaFcy1LHqvttOcw3UZuZnaYfZiPlcqe3USS9cm -96aIC5cS9pHr4JFrqRYvfpla2TY5jlCB/xBGw3KjGEIQoBPXSsJZA6BCMZyp00++ -tdfS2aomt9HFmb1wZDS0jWAxkVF6nXXBbolFVih+58h0nYLljtHIQ3SizRoXY459 -x3JE9NReHp2OO3SlIeO03Kv8YMBvj7nSSd1C1PMpu+hJ/eCXi1WQxD6QY+40muk6 -KhqE3PZ8BCY2b+VpywUF5gVH28mo3jscqAzhf2dZ3SQlzldI+hFyKPxTdAqkfUOH - ---- cinb+wzjVfTkpfm1CtFIFaepwoQVCj1MquB5rAC45Ew - -6 -ZCHS0 7 EX* qb=OwuP ǖѳ/mv2Vī -xv[̂A~evd0ni1қQ"@ٹ{Kp:ϵusB(Xr[QVgT@*B .hE鲟뒭zlz|k`l88McchZ` ?yeo+M-:/**cZD2&Ǣ e*Hn"~+|ua(6J \ No newline at end of file diff --git a/secrets/phantom-mastodon-mailer-password.age b/secrets/phantom-mastodon-mailer-password.age deleted file mode 100644 index 37232fb..0000000 --- a/secrets/phantom-mastodon-mailer-password.age +++ /dev/null 
@@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -Mnc+/tJ0QqxHkg2nl9gEkz5Oj1RgxtOZnD5gRv66ISUOqZhNm1+F+xVEdKn843/q -/WzH0f1cTF9NXP8vIaEo//bMmp50obJAd+JNovJxV+0gb9L55Nu7ayvK+eyk6j5n -eb8TxUnwh5BPkEyc6akDh/O49GXzLlVoFD6Ik/0f3YCqUDNAYOl2bsssXtevCeK/ -WEPoCFGhZfNUrOo/0eAhiujZZ5zVb0CWNqXi8VTe2eWOE20VJULcN13TEyO3ZePx -bAPBmDfS5GgGlV4INWxVLaIMDrzlm0tYozbBNNUbdLFFOhIOrgvay9RWxdk0u2hJ -MPKoKsJ96EFxrbZJdS0W7a+aZk/Q3A3Civ2rtPx+5UANhmlY8e1lUHa26e1vA4K7 -ApoMtDyCbuZ9FbLurwl9zO64wWP68aKzuyKOIw+wpy41NQ/PcViSY8KNG9Pt7A2N -CcOkByx+rwz+JdNHbOF8O4FFG4fNSWn7SvVtu5ymGgVi1bOd8PdJpjDR+6Is0SX7 - ---- DHNyITb7ZseEV58MOD/zHeH5vff0hhlbKg27rlYECGk -J ssh-rsa BwwxHg -bpGCgyaAPDutva1Gp/YPuek6IZTXJHKb7+oIAV/x+7Ry4Oci9zM2VWvPVE/rPE/d -0AzBX1NvsWBB005w42RfiErk4FQYRCouwNR1FNjUWNdQOmku++RPfxBXspAFIDkQ -yM7mqbhwf5by5rZY+2kl20QxkErkVtZolus1am9RV4uyXfdPaRcKjWOuPiEim42d -YdeCXq4nJGxlL3tRunIqLIZGhV08wHBl7Dubhn9hdD6/ekDk0RloVTBDZUY5tUPL -dJk+bfFPI0DimytzCwyQbWEHOkdiWYSNzbx2JhTSvuqefHP1UzB2LukaQc2gOJFV -mVKvQuGpOWknytMUhM6zCTvRw4OQutAZd96OniQYTas/vnmfT2l2n9aMEzQK157A -U9DmsvhBypILiQSPpA7QrGB1QVuRjAFJA86ASY1FAT6MdBBK4vZ8fK7mpT06JO/n -gwv+UlvFBziWHzA/1GOLrfD+ExjmbeucRZr5XGszrAaK/7GPZt4LF69hRmKegL94 - --> 9I3~SC,<-grease M$2 RibFL]C -uR6MirHtTc4Tyrcw3T2my+BN2Q ---- 56zk9BqgwQqNymga1mUDgpvtfIpMy5i/JnaSXbjx6jk -Qޗ)Nڦߑ-Dz-I-]p$X5TPU=u;k8}wVm= \ No newline at end of file diff --git a/secrets/phantom-renawiki.age b/secrets/phantom-renawiki.age deleted file mode 100644 index cdc2801..0000000 --- a/secrets/phantom-renawiki.age +++ /dev/null 
@@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -BUJ9L1bwZ0RWj3FmMghmZDkY4iuc0gujS3Rfat+hj/pg+MALZ69Tovc5RnqmOZT/ -pTGPTzWj3WO70YU+wCUHKZ74JcKdL3wSD1FWOWYRvyDV3gxZjDTjw4Grs+sH9M4Z -MrhdoyY95fhmGZHJ7Qkx/aKCAK/OaFSu5Vhh37ykmLd1gQ9NJYQ+G3lLr1Mrqjd/ -1QaBqJtJpAFTA0eCd3+oBtQ/qgHD2ZBJcOmkS9sRC6S4YKNoyoDifTbL29aJC4f/ -08myI0WH/ApbtN1hWuiVWibmy/9/76IAvgUqi8fULNY5w7Otz3nKGV+mDA5+oD11 -jCHZJdcec9JFyZ/V2mh/PoHpNawksNPy85eJ0MpM1avM25Qib8kWJM6fnZb7uJzt -DsYCl2q4ILnTaieuTSJUfgacKbrwSv7MQfgdh1SkXAShyZ7aSCoDhsgSdOVwYoAX -Mspm0NtodeV7493qZwYspO6H0xbfh20vXa1DOeMt98T1iP0aYYhfRXkb0wACx1QF - --> \z/RLj3S-grease cmv( uCkG*= .cX3S 9r^& -OVTVTnB3PjD4COiRCtQ ---- EhfDqxfjLIHF9Sa7V4ytO1xsRK8p23WDsWcB9/B9fRw -.=))/͹ҋ#LӉ|p -7 K7@CJf:w6P@@/N7 \ No newline at end of file diff --git a/secrets/phantom/default.yaml b/secrets/phantom/default.yaml index aa133a2..b953bfe 100644 --- a/secrets/phantom/default.yaml +++ b/secrets/phantom/default.yaml 
@@ -10,6 +10,14 @@ example_booleans: - ENC[AES256_GCM,data:lFEC/S8=,iv:cJWbnmseP/AqJzyORM+VI5y7rK8axVeh7EXoLP7mT/Q=,tag:BaS5HyecokdLCq+LzQxGkg==,type:bool] forgejo: smtp_password: ENC[AES256_GCM,data:g/Uqmtp8A9pas5WcslwnGCKSXv7dYSRMA8wKm7DWpvssVRZJ,iv:vNBqdTlZ5mg0AhjMNr8rUts1rDBYmq03tdiceVN3xjs=,tag:M3qfiZEWvJN/XUjjmnAXqA==,type:str] +invidious: + settings.json: ENC[AES256_GCM,data:wzbBnj3qrhw+clHpetEm/FYs+zkMM0kG0JO97E2wPEPaoBZDuOy3BRAbzmwkn4RUEt2hWVN89/A1qweXuuScXt5LSgaQXFXmGQQ2RzXY7K7Pr3uBNol53pnNQI5M6Mi1bif26rdiwznE0QgZCuptadhPcHbCaWB2QrXyYDdTdvQ6Wd+ZueSXPXCjpRnXaqZzTFc5VJf09wqTFahUvVkgjkhgiLVUu218b8xghekJLwJ3bKwmXuXsnmGSQjFry6ttbFPQJawVXWqsiNY7iaE0k1K3NKcTu5Fm2XiriPTKuGM51EXrqaw97ywWN8JEBGxZTk7kcWg2tAf9ddOewYMG,iv:2oDgPdFihZ9O8IkAydL2DtlUtCBUw70u2F2Rn+eW9rs=,tag:zvdZbEdQzbtWgft+i00ufQ==,type:str] +mastodon: + smtp-password: ENC[AES256_GCM,data:ciRTgcCKueSiYerBjWHOD4c9wlpMlcV9jiFaEWFh92vgA6J9,iv:TAaPiMIL8Yfd9k4j9dN40dWqQWAPb+24ngvPC7GTrlE=,tag:+7fGAN7FKiPIWvdsQXGqxg==,type:str] +nextcloud: + default-password: ENC[AES256_GCM,data:mR0KRCheXh6NBVn+odK9Kx0e4njJDuZ6OS37Iw==,iv:PAb/sCt7hq5WKZwr4FMfiMqf7mGvpXQEnZcbzmDz9oI=,tag:ukBDHbFKrStXckzuE1TwJA==,type:str] +writefreely: + password: ENC[AES256_GCM,data:5hzvM8Aitvj4Hb/RgViV1QjsnpQqln0k1nZvEz8Y7vdZvcHo,iv:Wi+pKcGqi09050sitgxt/+hYGF2mlmYC0SDjmqSWPr4=,tag:V0KSBgIV4fgMbxuADVTxrA==,type:str] sops: age: - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h 
@@ -30,8 +38,8 @@ sops: RU1HSUhldHpzeURaUWQvcjBCQ3pMY2cKYL87Njs4e68zu5AXKNF/hxiB3HduS8wz o0kmGI58DZx17+Cdipw0ab9a9wiu9C9Fn+LaiCcdM/ESXtS79RzdbQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-15T06:20:05Z" - mac: ENC[AES256_GCM,data:3S52Sd3qaqHWy5TL8MAq9yOpH7ZYMDUHprJH3JtW1Vs2rNJIm9li7x3RT0mRnct4NYgikyFi9PBghDJsDN/QKxxKfEDm6KWET+okL41/h/KnzJRFqHoG8sxZYnr4NWc1R60A6WdD+xIa6njCwCNLP4hDjHeQuLjhDsvhqSG4dO8=,iv:xsqZB0GaFYN7QhP24Ik602JoBjVnPGEtgKRbIp9a7Pc=,tag:ZfrKyzRn2bd9lY1bvFjZrQ==,type:str] + lastmodified: "2026-02-15T06:46:07Z" + mac: ENC[AES256_GCM,data:lnvq80oOH2pO6AxBbnjNxvz0xcukTFowcxKf24RKFf/ZouRL6uCJEWJwNCoAKCGOHibrztsGHLDL/cgOffv9CTivIYmzbB+9q2MCQNGxrSL7CkWr/mK9xb5Yz1ASvvZxcGB7WmZNVZXvjIr6mdZy50UweHJoit+oDvE03cmG9Bw=,iv:CikhhcnCE9SXpRasZEImUR6vU5cauD4YIplxPYsPo4A=,tag:+QaBv8Nrk40UCYhUskepyw==,type:str] pgp: - created_at: "2025-03-07T22:49:19Z" enc: |- diff --git a/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age b/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age deleted file mode 100644 index 03118e3..0000000 --- a/secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age +++ /dev/null @@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa BwwxHg -KCVF4Sy49stOeQs2uunYKkvadqeimmWlJ4ucEJxfXy2z+OkkZpixUnWgJEH2nCa4 -NL/F0Wezbqvh+Texl4FlHN8PT2w/d5gdg/L+fI4jBYCvbbiHA4sdUgmXWigY8zrU -5H7Y9mgb1Y174fA6zfTCk2fHmk+KARoV27YrS2fzGoVQiPhnvv8ZT51eF1E+Zs4I -+YtXehxEOqYljJKYJJnF9ElzfNa8nypACGtcjTE8eEq0DlZu2U7qV+QWwQudHbcs -MbFR2VtkHWQaNdK1vVBGND1CMlfshSCqbUzGcexownMiCVSal1RKA2uAWnYdOEc/ -QSR8cKn8QQ5dyPFCqZ8RnlCMUegCVLg5cC0/rlTUD0C/Ti2SRBYTH3HvJjmSNk8k -3LdcNwK4YtG4d1gkqLVjwCM1Yg8I/UICb5nQYclvBz5VQ2drvL/gU/+Vc7Z5KUFI -0G/7uNmeJ16Eky+X9c73ZZxVqm0TzDENE2GzkPhBHEfXBR+4j6m8KKEWxQmA2ZSg - ---- Oq9wU0h90iU/8g1XTNI+LuAg7t09hngj9DCK91V1+pg -χvP}N,Wl ?y0)eVwAiŐSm>DQC-B0V|=X6 W>~-qI% \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 0a7abf8..448c1f4 100644 
--- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,9 +2,4 @@ let main_ssh_public_key = "ssh-rsa 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 lelgenio@i15"; in { - "phantom-nextcloud.age".publicKeys = [ main_ssh_public_key ]; - "phantom-writefreely.age".publicKeys = [ main_ssh_public_key ]; - "phantom-renawiki.age".publicKeys = [ main_ssh_public_key ]; - "phantom-mastodon-mailer-password.age".publicKeys = [ main_ssh_public_key ]; - "phantom-invidious-settings.age".publicKeys = [ main_ssh_public_key ]; } From d4c8cb5bdca1d8aa49744b9e2ef72faa29c687de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Sun, 15 Feb 2026 03:51:23 -0300 Subject: [PATCH 8/8] flake: remove agenix --- flake.lock | 75 ++++----------------------------------- flake.nix | 8 ----- hosts/phantom/default.nix | 1 - secrets/secrets.nix | 5 --- system/secrets.nix | 6 ---- user/home.nix | 3 -- 6 files changed, 6 insertions(+), 92 deletions(-) delete mode 100644 secrets/secrets.nix delete mode 100644 system/secrets.nix diff --git a/flake.lock b/flake.lock index 8eaa5e6..6ba24c5 100644 --- a/flake.lock +++ b/flake.lock @@ -16,31 +16,6 @@ "type": "github" } }, - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": [ - "home-manager" - ], - "nixpkgs": [ - "nixpkgs" - ], - "systems": "systems" - }, - "locked": { - "lastModified": 1770165109, - "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", - "owner": "ryantm", - "repo": "agenix", - "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "blobs": { "flake": false, "locked": { 
@@ -155,28 +130,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "demoji": { "inputs": { "advisory-db": "advisory-db", @@ -312,7 +265,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems" }, "locked": { "lastModified": 1681202837, @@ -330,7 +283,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { "lastModified": 1681202837, @@ -363,7 +316,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1681202837, @@ -381,7 +334,7 @@ }, "flake-utils_5": { "inputs": { - "systems": "systems_5" + "systems": "systems_4" }, "locked": { "lastModified": 1681202837, @@ -399,7 +352,7 @@ }, "flake-utils_6": { "inputs": { - "systems": "systems_6" + "systems": "systems_5" }, "locked": { "lastModified": 1681202837, @@ -417,7 +370,7 @@ }, "flake-utils_7": { "inputs": { - "systems": "systems_7" + "systems": "systems_6" }, "locked": { "lastModified": 1710146030, @@ -791,7 +744,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "catboy-spinner": "catboy-spinner", "contador-da-viagem": "contador-da-viagem", "demoji": "demoji", 
@@ -973,21 +925,6 @@ "type": "github" } }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "tlauncher": { "inputs": { "flake-utils": "flake-utils_5", diff --git a/flake.nix b/flake.nix index 97c7a6e..f3d6e23 100644 --- a/flake.nix +++ b/flake.nix @@ -22,12 +22,6 @@ plymouth-themes.url = "github:adi1090x/plymouth-themes"; plymouth-themes.flake = false; - agenix = { - url = "github:ryantm/agenix"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.home-manager.follows = "home-manager"; - }; - sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -111,12 +105,10 @@ common_modules = [ { nixpkgs.pkgs = pkgs; } ./system/configuration.nix - ./system/secrets.nix ./system/sops.nix ./system/greetd.nix { login-manager.greetd.enable = desktop == "sway"; } - inputs.agenix.nixosModules.default inputs.sops-nix.nixosModules.default inputs.home-manager.nixosModules.home-manager inputs.disko.nixosModules.disko diff --git a/hosts/phantom/default.nix b/hosts/phantom/default.nix index 1b0d3cb..e32fa95 100644 --- a/hosts/phantom/default.nix +++ b/hosts/phantom/default.nix @@ -8,7 +8,6 @@ { imports = [ inputs.vpsadminos.nixosConfigurations.container - inputs.agenix.nixosModules.default inputs.sops-nix.nixosModules.default ../../system/sops.nix diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index 448c1f4..0000000 --- a/secrets/secrets.nix +++ /dev/null 
@@ -1,5 +0,0 @@
-let
- main_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15";
-in
-{
-}
diff --git a/system/secrets.nix b/system/secrets.nix
deleted file mode 100644
index 1e5d68d..0000000
--- a/system/secrets.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ pkgs, config, ... }:
-{
- age = {
- identityPaths = [ "/root/.ssh/id_rsa" ];
- };
-}
diff --git a/user/home.nix b/user/home.nix
index c8dd8c1..5d94b46 100644
--- a/user/home.nix
+++ b/user/home.nix
@@ -114,9 +114,6 @@ deluge nicotine-plus - ## Nix secrets management - inputs.agenix.packages.x86_64-linux.default - ## Programming # rustup