readlater-bot: move user_id to age secret

hosts/thegeneralist-central/configuration.nix

@@ -2,24 +2,57 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
-{ config, pkgs, inputs, ... }:
+{
+  config,
+  pkgs,
+  inputs,
+  lib,
+  ...
+}:
 
 {
-  imports = [ ./hardware-configuration.nix ./site.nix ./cache ./archive ./forgejo ];
+  imports = [
+    ./hardware-configuration.nix
+    ./site.nix
+    ./cache
+    ./archive
+    ./forgejo
+  ];
 
   age.secrets.password.file = ./password.age;
+  age.secrets.readlaterBotToken.file = ./readlater-bot-token.age;
+  age.secrets.readlaterBotSyncToken.file = ./readlater-bot-sync-token.age;
+  age.secrets.readlaterBotUserId.file = ./readlater-bot-user-id.age;
+  age.secrets.readlaterBotToken.owner = "thegeneralist";
+  age.secrets.readlaterBotToken.group = "users";
+  age.secrets.readlaterBotToken.mode = "0400";
+  age.secrets.readlaterBotSyncToken.owner = "thegeneralist";
+  age.secrets.readlaterBotSyncToken.group = "users";
+  age.secrets.readlaterBotSyncToken.mode = "0400";
+  age.secrets.readlaterBotUserId.owner = "thegeneralist";
+  age.secrets.readlaterBotUserId.group = "users";
+  age.secrets.readlaterBotUserId.mode = "0400";
   users.users = {
     thegeneralist = {
       isNormalUser = true;
       description = "thegeneralist";
-      extraGroups = [ "wheel" "audio" "video" "input" "scanner" "docker" ];
+      extraGroups = [
+        "wheel"
+        "audio"
+        "video"
+        "input"
+        "scanner"
+        "docker"
+      ];
       shell = pkgs.zsh;
       home = "/home/thegeneralist";
       homeMode = "0750";
       hashedPasswordFile = config.age.secrets.password.path;
-      openssh.authorizedKeys.keys = let
-        inherit (import ../../keys.nix) thegeneralist;
-      in [ thegeneralist ];
+      openssh.authorizedKeys.keys =
+        let
+          inherit (import ../../keys.nix) thegeneralist;
+        in
+        [ thegeneralist ];
     };
 
     build = {
@@ -28,9 +61,11 @@
       extraGroups = [ "build" ];
       shell = pkgs.zsh;
       hashedPasswordFile = config.age.secrets.password.path;
-      openssh.authorizedKeys.keys = let
-        inherit (import ../../keys.nix) thegeneralist;
-      in [ thegeneralist ];
+      openssh.authorizedKeys.keys =
+        let
+          inherit (import ../../keys.nix) thegeneralist;
+        in
+        [ thegeneralist ];
     };
   };
 
@@ -45,16 +80,49 @@
   };
 
   age.secrets.hostkey.file = ./hostkey.age;
-  services.openssh.hostKeys = [{
-    type = "ed25519";
-    path = config.age.secrets.hostkey.path;
-  }];
+  services.openssh.hostKeys = [
+    {
+      type = "ed25519";
+      path = config.age.secrets.hostkey.path;
+    }
+  ];
 
   # Some programs
   services.libinput.enable = true;
   programs.firefox.enable = true;
   programs.zsh.enable = true;
 
+  services.readlater-bot = {
+    enable = true;
+    user = "thegeneralist";
+    group = "users";
+    tokenFile = config.age.secrets.readlaterBotToken.path;
+    settings = {
+      resources_path = "/home/thegeneralist/obsidian/02 Knowledge/03 Resources";
+      read_later_path = "/home/thegeneralist/obsidian/10 Read Later.md";
+      finished_path = "/home/thegeneralist/obsidian/20 Finished Reading.md";
+      data_dir = "/var/lib/readlater-bot";
+      retry_interval_seconds = 30;
+      sync = {
+        repo_path = "/home/thegeneralist/obsidian";
+        token_file = config.age.secrets.readlaterBotSyncToken.path;
+      };
+    };
+  };
+
+  systemd.services.readlater-bot.preStart = lib.mkAfter ''
+    if [ -f /run/readlater-bot/config.toml ]; then
+      tmp="/run/readlater-bot/config.toml.tmp"
+      {
+        IFS= read -r first_line || true
+        printf '%s\n' "$first_line"
+        printf 'user_id = %s\n' "$(cat ${config.age.secrets.readlaterBotUserId.path})"
+        cat
+      } < /run/readlater-bot/config.toml > "$tmp"
+      mv "$tmp" /run/readlater-bot/config.toml
+    fi
+  '';
+
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
 

hosts/thegeneralist-central/readlater-bot-sync-token.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ twxKRYACgz/8cYRrOCxMoVg9kFXaYxWVnDC1q7g4m3M
+HICOhz/phNPvmLrO/ILxoMb5Bbs7LAJ3wuPAq1PJXiQ
+--- 0yPpaiiJXMaUBa+kBX/UOTMICRjKXMgjRk2E+WKgj+M
+¡ï6«„£YŸ'Þ\±E<C2B1>T‡cÊP;´Œˆ?œ‘j‚&+íFPÜ<50>*J‡m¦<Ï–~ÉúÐ
Ó˜A
I*¢„lÜØŠ×X'˃

hosts/thegeneralist-central/readlater-bot-token.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ B8+s7rbKTCk2vfRVUyc8yV2HhkiUjv9petRiBRg9kgE
+9po69JEGIQGXUIyjJj3BOMZGc5qDSbvug1HsO/EgDTE
+--- n+cCCXuJP4oboSm74DRK9oh/OyHuPSdnX1+lH5xgn0E
+
IŽ´‚ó¼„fë­øÎ,(¦Ù†¨äÿ¶S°–d鎕Á^¶QhþˆF{_š<>Ü„§<E2809E>4Õ€Ô
Z™(£Ô
¥ŽümubÝÏø€

hosts/thegeneralist-central/readlater-bot-user-id.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ JjYS0OmsdzkazhynwiYUWf6svuUu0ivXi7VrFdccez0
+0xelpQamzEYTN/TqbJ3kI1OhfZdBl2DhhgKv29qg8J4
+--- V0a84QEOAyVidy+5KoxJOwsj+XrmlMbg4+oLbHVK0FA
+D»ž'@0ö*aOÙŽHܯŒm‹tú…ï,¢±Ð«<C390>˜<EFBFBD>€õb£ÁI¥¼

secrets.nix

@@ -1,6 +1,7 @@
 let
   inherit (import ./keys.nix) thegeneralist;
-in {
+in
+{
   "hosts/thegeneralist/hostkey.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/hostkey.age".publicKeys = [ thegeneralist ];
 
@@ -11,7 +12,12 @@ in {
   "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/forgejo/forgejo-runner-token.age".publicKeys = [ thegeneralist ];
-  "hosts/thegeneralist-central/forgejo/forgejo-family-site-deploy-token.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/forgejo/forgejo-family-site-deploy-token.age".publicKeys = [
+    thegeneralist
+  ];
+  "hosts/thegeneralist-central/readlater-bot-token.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/readlater-bot-sync-token.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/readlater-bot-user-id.age".publicKeys = [ thegeneralist ];
 
   "modules/linux/tailscale-marshall.age".publicKeys = [ thegeneralist ];
 }