Encrypt telegram password

modules/restic/default.nix

@@ -46,7 +46,7 @@ let
 in
 {
   imports = [
-    "${inputs.self}/modules/telegram-notifications"
+    (import "${inputs.self}/modules/telegram-notifications" { inherit inputs; })
   ];
 
   systemd.timers."restic-backups-${custom.username}" = {

modules/telegram-notifications/default.nix

@@ -1,10 +1,9 @@
-{ custom }: { pkgs, ... }:
+{ inputs }: { config, pkgs, ... }:
 let
   # TODO: encrypt with agenix
-  telegram-notify-env = "/home/${custom.username}/.nixos/secrets/passwords/telegram_notify_env";
 
   send-to-telegram = pkgs.writeShellScript "send-to-telegram" ''
-    export $(${pkgs.gnugrep}/bin/grep -v '^#' ${telegram-notify-env} | ${pkgs.findutils}/bin/xargs)
+    export $(${pkgs.gnugrep}/bin/grep -v '^#' ${config.age.secrets.telegramNotifyEnv.path} | ${pkgs.findutils}/bin/xargs)
     URL="https://api.telegram.org/bot$TELEGRAM_KEY/sendMessage"
     ${pkgs.curl}/bin/curl -s -d "chat_id=$CHAT_ID&disable_web_page_preview=1&text=$1" $URL > /dev/null'';
 
@@ -19,6 +18,7 @@ let
     $UNITSTATUS"'';
 in
 {
+  age.secrets.telegramNotifyEnv.file = "${inputs.self}/scrts/telegram_notify_env.age";
   systemd.services."unit-status-telegram@" = {
     description = "Unit Status Telegram Service";
     unitConfig = {

scrts/secrets.nix

@@ -30,11 +30,13 @@ let
     ttrss
   ];
   defaultKeys = [ andreas andreas-nixos-vm gwyn management nixos-vm ];
+  all = users ++ systems;
 in
 {
   "gitea_env.age".publicKeys = defaultKeys ++ [ git ];
   "pihole_env.age".publicKeys = defaultKeys ++ [ pihole ];
   "plex_claim.age".publicKeys = defaultKeys ++ [ plex ];
+  "telegram_notify_env.age".publicKeys = all;
   "ttrss_env.age".publicKeys = defaultKeys ++ [ ttrss ];
 }