refactor: move secrets off-shore

2025-01-20 20:57:53 +11:00 · 2025-01-20 20:57:53 +11:00 · d3d0ae8fcb
commit d3d0ae8fcb
parent 0ecc1cbf40
23 changed files with 231 additions and 179 deletions
--- a/modules/nixos/base/admin.nix
+++ b/modules/nixos/base/admin.nix
@ -1,10 +1,10 @@
 {
  config,
  pkgs,
-  keys,
  ...
 }: let
  inherit (config.ooknet.host) admin;
+  inherit (config.ooknet.secrets) keys;

  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
 in {
--- a/modules/nixos/base/default.nix
+++ b/modules/nixos/base/default.nix
@ -7,7 +7,6 @@
    ./admin.nix
    ./locale.nix
    ./options.nix
-    ./secrets.nix
    ./openssh.nix
    ./tailscale.nix
    ./networking.nix
--- a/modules/nixos/base/distributed-builds.nix
+++ b/modules/nixos/base/distributed-builds.nix
@ -1,5 +1,4 @@
 {
-  keys,
  config,
  lib,
  ...
@ -7,6 +6,7 @@
  inherit (lib) mkIf;
  inherit (config.ooknet.host) admin;
  inherit (config.networking) hostName;
+  inherit (config.ooknet.secrets) keys;

  mkBuilderMachine = {
    host,
--- a/modules/nixos/base/nix.nix
+++ b/modules/nixos/base/nix.nix
@ -23,7 +23,6 @@ in {
    defaultPackages = [];
    systemPackages = attrValues {
      inherit (pkgs) git deadnix statix;
-      inherit (inputs'.agenix.packages) default;
    };

    # location of the configuration flake
--- a/modules/nixos/base/secrets.nix
+++ b/modules/nixos/base/secrets.nix
@ -1,43 +0,0 @@
-{
-  config,
-  lib,
-  self,
-  ...
-}: let
-  inherit (lib) mkIf;
-
-  inherit (config.ooknet) host;
-  inherit (host) admin;
-  inherit (config.services) tailscale transmission;
-in {
-  age.identityPaths = [
-    "/home/${admin.name}/.ssh/id_ed25519"
-  ];
-
-  age.secrets = {
-    tailscale-auth = mkIf tailscale.enable {
-      file = "${self}/secrets/tailscale-auth.age";
-      mode = "444";
-    };
-    github_key = mkIf admin.homeManager {
-      file = "${self}/secrets/github_key.age";
-      path = "/home/${admin.name}/.ssh/github_key";
-      owner = "${admin.name}";
-      group = "users";
-    };
-    ooknet_org = mkIf admin.homeManager {
-      file = "${self}/secrets/ooknet_org.age";
-      path = "/home/${admin.name}/.ssh/ooknet_org";
-      owner = "${admin.name}";
-      group = "users";
-    };
-    spotify_key = mkIf admin.homeManager {
-      file = "${self}/secrets/spotify_key.age";
-      owner = "${admin.name}";
-      group = "users";
-    };
-    "mullvad_wg.conf" = mkIf transmission.enable {
-      file = "${self}/secrets/mullvad_wg.age";
-    };
-  };
-}