cluster/services/irc/default.nix

@@ -12,11 +12,6 @@ let
 in
 {
   vars = {
-    ircPeerKey = {
-      file = ./irc-peer-key.age;
-      owner = "ngircd";
-      group = "ngircd";
-    };
     ircOpers = [ "max" "num" "ark" ];
   };
   hostLinks = lib.genAttrs config.services.irc.nodes.host (name: {
@@ -50,6 +45,11 @@ in
         ./irc-host.nix
       ];
     };
+    secrets.peerKey = {
+      nodes = config.services.irc.nodes.host;
+      owner = "ngircd";
+      services = [ "ngircd" ];
+    };
   };
 
   monitoring.blackbox.targets = {

cluster/services/irc/irc-host.nix

@@ -93,17 +93,15 @@ in {
       auth required ${pkgs.kanidm}/lib/pam_kanidm.so 
     '';
   };
-  age.secrets = { inherit (vars) ircPeerKey; };
   systemd.services.ngircd = {
     after = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
     wants = [ "acme-finished-${serverName}.target" "dhparams-gen-ngircd.service" ];
-    restartTriggers = [ "${config.age.secrets.ircPeerKey.file}" ];
     serviceConfig.RuntimeDirectory = "ngircd";
     preStart = ''
       install -d -m700 /run/ngircd/secrets
       for cfg in ${builtins.concatStringsSep " " otherServerFiles}; do
         install -m600 $cfg /run/ngircd/secrets/
-        ${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${config.age.secrets.ircPeerKey.path}' /run/ngircd/secrets/$(basename $cfg)
+        ${pkgs.replace-secret}/bin/replace-secret '@PEER_PASSWORD@' '${cluster.config.services.irc.secrets.peerKey.path}' /run/ngircd/secrets/$(basename $cfg)
       done
     '';
   };