remove agenix and migrate secrets to clan vars

squash this

machines/genepi/acme.nix

@@ -1,21 +1,25 @@
 { config, ... }:
 {
+  imports = [
+    ../../modules/gandi.nix
+  ];
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "admin@rpqt.fr";
   };
 
-  age.secrets.gandi.file = ../../secrets/gandi.age;
-
   security.acme = {
     certs."home.rpqt.fr" = {
       group = config.services.nginx.group;
-
       domain = "home.rpqt.fr";
       extraDomainNames = [ "*.home.rpqt.fr" ];
       dnsProvider = "gandiv5";
       dnsPropagationCheck = true;
-      environmentFile = config.age.secrets.gandi.path;
+      environmentFile = config.clan.core.vars.generators.gandi.files.gandi-env.path;
+      email = "admin@rpqt.fr";
     };
   };
+
+  clan.core.vars.generators.gandi.files.gandi-env.owner = "acme";
 }

machines/genepi/configuration.nix

@@ -4,7 +4,6 @@
 }:
 {
   imports = [
-    self.inputs.agenix.nixosModules.default
     ./acme.nix
     ./boot.nix
     ./builder.nix

machines/genepi/freshrss.nix

@@ -4,23 +4,26 @@ let
   subdomain = "rss.${domain}";
 in
 {
-  age.secrets.freshrss = {
-    file = ../../secrets/freshrss.age;
-    mode = "700";
-    owner = config.services.freshrss.user;
-  };
-
   services.freshrss = {
     enable = true;
     baseUrl = "https://${subdomain}";
     virtualHost = "${subdomain}";
 
     defaultUser = "rpqt";
-    passwordFile = config.age.secrets.freshrss.path;
+    passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
   };
 
   services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
     forceSSL = true;
     useACMEHost = "${domain}";
   };
+
+  clan.core.vars.generators.freshrss = {
+    prompts.freshrss-password = {
+      description = "freshrss default user password";
+      type = "hidden";
+      persist = true;
+    };
+    files.freshrss-password.owner = config.services.freshrss.user;
+  };
 }