refactor: move secrets off-shore

2025-01-20 20:57:53 +11:00 · 2025-01-20 20:57:53 +11:00 · d3d0ae8fcb
commit d3d0ae8fcb
parent 0ecc1cbf40
23 changed files with 231 additions and 179 deletions
--- a/flake.lock
+++ b/flake.lock
@ -3,22 +3,19 @@
    "agenix": {
      "inputs": {
        "darwin": "darwin",
-        "home-manager": [
-          "home-manager"
-        ],
+        "home-manager": "home-manager_2",
        "nixpkgs": [
+          "secrets",
          "nixpkgs"
        ],
-        "systems": [
-          "systems"
-        ]
+        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1723293904,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "lastModified": 1736955230,
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
        "type": "github"
      },
      "original": {
@ -27,6 +24,28 @@
        "type": "github"
      }
    },
+    "agenix-rekey": {
+      "inputs": {
+        "devshell": "devshell",
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": "nixpkgs_4",
+        "pre-commit-hooks": "pre-commit-hooks_2",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1737124467,
+        "narHash": "sha256-askwM5GDYo4xy/UARNXUvn7lKERyNp31BcES/t4Ki2Y=",
+        "owner": "oddlama",
+        "repo": "agenix-rekey",
+        "rev": "27c5fc5b763321054832d0c96a9259d849b2f58a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oddlama",
+        "repo": "agenix-rekey",
+        "type": "github"
+      }
+    },
    "aquamarine": {
      "inputs": {
        "hyprutils": [
@ -78,6 +97,7 @@
    "darwin": {
      "inputs": {
        "nixpkgs": [
+          "secrets",
          "agenix",
          "nixpkgs"
        ]
@ -97,6 +117,28 @@
        "type": "github"
      }
    },
+    "devshell": {
+      "inputs": {
+        "nixpkgs": [
+          "secrets",
+          "agenix-rekey",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1728330715,
+        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
    "firefox-addons": {
      "inputs": {
        "flake-utils": "flake-utils",
@ -136,6 +178,22 @@
        "type": "github"
      }
    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
@ -154,6 +212,28 @@
        "type": "github"
      }
    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "secrets",
+          "agenix-rekey",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "locked": {
        "lastModified": 1629284811,
@ -191,7 +271,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
@ -229,6 +309,29 @@
        "type": "github"
      }
    },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "secrets",
+          "agenix-rekey",
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -249,6 +352,28 @@
        "type": "github"
      }
    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "secrets",
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "hyprcursor": {
      "inputs": {
        "hyprlang": [
@ -892,6 +1017,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1735471104,
+        "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nmd": {
      "flake": false,
      "locked": {
@ -2990,6 +3131,30 @@
        "type": "github"
      }
    },
+    "pre-commit-hooks_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "secrets",
+          "agenix-rekey",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735882644,
+        "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
    "rnix-lsp": {
      "inputs": {
        "naersk": "naersk",
@ -3012,7 +3177,6 @@
    },
    "root": {
      "inputs": {
-        "agenix": "agenix",
        "firefox-addons": "firefox-addons",
        "flake-parts": "flake-parts",
        "flake-utils": "flake-utils_2",
@ -3027,7 +3191,7 @@
        "nixpkgs": "nixpkgs_2",
        "nvf": "nvf",
        "secrets": "secrets",
-        "systems": "systems",
+        "systems": "systems_2",
        "zjstatus": "zjstatus"
      }
    },
@ -3076,6 +3240,8 @@
    },
    "secrets": {
      "inputs": {
+        "agenix": "agenix",
+        "agenix-rekey": "agenix-rekey",
        "flake-parts": [
          "flake-parts"
        ],
@ -3087,11 +3253,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737094724,
-        "narHash": "sha256-PeNJWuk+zNrqCsrSbElfFmMP+R5E0uFaAgW9tWG03ag=",
+        "lastModified": 1737363899,
+        "narHash": "sha256-9W7+5Mx2J60I/s6mgq6iRcxIV06nrBr6KWzN55GWnYE=",
        "ref": "refs/heads/master",
-        "rev": "dbbf390c798a14bb316681e62fe56355d9ea88f6",
-        "revCount": 4,
+        "rev": "ec8227f9dacaef659249df279d6fd98776ebaeb6",
+        "revCount": 25,
        "type": "git",
        "url": "ssh://git@github.com/ooks-io/kunzen"
      },
@ -3101,6 +3267,21 @@
      }
    },
    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
      "locked": {
        "lastModified": 1689347949,
        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -3115,7 +3296,7 @@
        "type": "github"
      }
    },
-    "systems_2": {
+    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -3130,6 +3311,28 @@
        "type": "github"
      }
    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "secrets",
+          "agenix-rekey",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1735135567,
+        "narHash": "sha256-8T3K5amndEavxnludPyfj3Z1IkcFdRpR23q+T0BVeZE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "9e09d30a644c57257715902efbb3adc56c79cf28",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
    "utils": {
      "locked": {
        "lastModified": 1656928814,
--- a/flake.nix
+++ b/flake.nix
@ -26,15 +26,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    agenix = {
-      url = "github:ryantm/agenix";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        systems.follows = "systems";
-        home-manager.follows = "home-manager";
-      };
-    };
-
    nix-index-db = {
      url = "github:nix-community/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/modules/nixos/base/admin.nix
+++ b/modules/nixos/base/admin.nix
@ -1,10 +1,10 @@
 {
  config,
  pkgs,
-  keys,
  ...
 }: let
  inherit (config.ooknet.host) admin;
+  inherit (config.ooknet.secrets) keys;

  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
 in {
--- a/modules/nixos/base/default.nix
+++ b/modules/nixos/base/default.nix
@ -7,7 +7,6 @@
    ./admin.nix
    ./locale.nix
    ./options.nix
-    ./secrets.nix
    ./openssh.nix
    ./tailscale.nix
    ./networking.nix
--- a/modules/nixos/base/distributed-builds.nix
+++ b/modules/nixos/base/distributed-builds.nix
@ -1,5 +1,4 @@
 {
-  keys,
  config,
  lib,
  ...
@ -7,6 +6,7 @@
  inherit (lib) mkIf;
  inherit (config.ooknet.host) admin;
  inherit (config.networking) hostName;
+  inherit (config.ooknet.secrets) keys;

  mkBuilderMachine = {
    host,
--- a/modules/nixos/base/nix.nix
+++ b/modules/nixos/base/nix.nix
@ -23,7 +23,6 @@ in {
    defaultPackages = [];
    systemPackages = attrValues {
      inherit (pkgs) git deadnix statix;
-      inherit (inputs'.agenix.packages) default;
    };

    # location of the configuration flake
--- a/modules/nixos/base/secrets.nix
+++ b/modules/nixos/base/secrets.nix
@ -1,43 +0,0 @@
-{
-  config,
-  lib,
-  self,
-  ...
-}: let
-  inherit (lib) mkIf;
-
-  inherit (config.ooknet) host;
-  inherit (host) admin;
-  inherit (config.services) tailscale transmission;
-in {
-  age.identityPaths = [
-    "/home/${admin.name}/.ssh/id_ed25519"
-  ];
-
-  age.secrets = {
-    tailscale-auth = mkIf tailscale.enable {
-      file = "${self}/secrets/tailscale-auth.age";
-      mode = "444";
-    };
-    github_key = mkIf admin.homeManager {
-      file = "${self}/secrets/github_key.age";
-      path = "/home/${admin.name}/.ssh/github_key";
-      owner = "${admin.name}";
-      group = "users";
-    };
-    ooknet_org = mkIf admin.homeManager {
-      file = "${self}/secrets/ooknet_org.age";
-      path = "/home/${admin.name}/.ssh/ooknet_org";
-      owner = "${admin.name}";
-      group = "users";
-    };
-    spotify_key = mkIf admin.homeManager {
-      file = "${self}/secrets/spotify_key.age";
-      owner = "${admin.name}";
-      group = "users";
-    };
-    "mullvad_wg.conf" = mkIf transmission.enable {
-      file = "${self}/secrets/mullvad_wg.age";
-    };
-  };
-}
--- a/modules/nixos/server/services/ookflix/lib.nix
+++ b/modules/nixos/server/services/ookflix/lib.nix
@ -132,14 +132,6 @@
    };
  };

-  mkServiceSecret = name: service: {
-    ${name} = {
-      file = "${self}/secrets/containers/${name}.age";
-      owner = cfg.services.${service}.user.name;
-      group = cfg.services.${service}.group.name;
-    };
-  };
-
  mkNetworkService = name: _network:
    nameValuePair "podman-network-${name}" {
      description = "Podman network ${name} for ookflix";
@ -151,5 +143,5 @@
      };
    };
 in {
-  inherit mkServiceStateFile mkServiceSecret mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService;
+  inherit mkServiceStateFile mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService;
 }
--- a/modules/nixos/server/services/ookflix/networking/gluetun.nix
+++ b/modules/nixos/server/services/ookflix/networking/gluetun.nix
@ -6,14 +6,13 @@
  ...
 }: let
  ookflixLib = import ../lib.nix {inherit self lib config;};
-  inherit (ookflixLib) mkServiceUser mkServiceSecret;
+  inherit (ookflixLib) mkServiceUser;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerEnvironment;
  inherit (config.ooknet.server.ookflix.services) qbittorrent gluetun;
 in {
  config = mkIf gluetun.enable {
    users = mkServiceUser gluetun.user.name;
-    age.secrets = mkServiceSecret "vpn_env" "gluetun";
    virtualisation.oci-containers.containers = {
      # vpn container
      gluetun = mkIf gluetun.enable {
--- a/modules/nixos/server/services/ookflix/networking/traefik.nix
+++ b/modules/nixos/server/services/ookflix/networking/traefik.nix
@ -6,7 +6,7 @@
  ...
 }: let
  ookflixLib = import ../lib.nix {inherit self lib config;};
-  inherit (ookflixLib) mkServiceUser mkServiceSecret mkServiceStateDir mkServiceStateFile;
+  inherit (ookflixLib) mkServiceUser mkServiceStateDir mkServiceStateFile;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerEnvironment mkContainerLabel mkContainerPort;
  inherit (config.ooknet) server;
@ -19,7 +19,6 @@ in {
      traefikStateDir = mkServiceStateDir "traefik";
      traefikAcmeFile = mkServiceStateFile "traefik" "acme.json";
    };
-    age.secrets = mkServiceSecret "cf_creds" "traefik";
    virtualisation.oci-containers.containers = {
      # vpn container
      traefik = mkIf traefik.enable {
--- a/outputs/default.nix
+++ b/outputs/default.nix
@ -4,7 +4,6 @@
    ./lib
    ./hozen
    ./hosts
-    ./keys.nix
    ./pkgs
    ./images.nix
    ./devshells
--- a/outputs/images.nix
+++ b/outputs/images.nix
@ -1,8 +1,4 @@
-{
-  ook,
-  self,
-  ...
-}: {
+{self, ...}: {
  flake.images = {
    ooknode = self.nixosConfigurations.ooknode.config.system.build.image;
  };
--- a/outputs/keys.nix
+++ b/outputs/keys.nix
@ -1,6 +0,0 @@
-let
-  keys = import ../secrets/keys.nix;
-in {
-  perSystem._module.args.keys = keys;
-  flake.keys = keys;
-}
--- a/outputs/lib/builders.nix
+++ b/outputs/lib/builders.nix
@ -7,9 +7,9 @@
  inherit (inputs) nixpkgs;
  inherit (lib) singleton recursiveUpdate mkDefault;
  inherit (builtins) concatLists;
-  inherit (self) hozen keys ook;
+  inherit (self) hozen ook;
+  inherit (inputs.secrets.nixosModules) secrets;
  hm = inputs.home-manager.nixosModules.home-manager;
-  agenix = inputs.agenix.nixosModules.default;
  nixosModules = "${self}/modules/nixos";
  baseModules = nixosModules + "/base";
  hardwareModules = nixosModules + "/hardware";
@ -22,7 +22,7 @@
    (baseModules + "/admin.nix")
    (baseModules + "/ssh.nix")
  ];
-  core = [baseModules hardwareModules consoleModules appearanceModules hm agenix];
+  core = [baseModules hardwareModules consoleModules appearanceModules hm secrets];
  hostModules = "${self}/hosts";

  mkNixos = nixpkgs.lib.nixosSystem;
@ -44,7 +44,7 @@
      mkNixos {
        specialArgs =
          recursiveUpdate {
-            inherit hozen ook keys lib inputs self inputs' self';
+            inherit hozen ook lib inputs self inputs' self';
          }
          specialArgs;
        modules = concatLists [
@ -123,7 +123,7 @@
    ...
  }:
    mkNixos {
-      specialArgs = {inherit keys inputs lib self;};
+      specialArgs = {inherit inputs lib self;};
      modules = concatLists [
        (singleton {
          networking.hostName = hostname;
--- a/secrets/containers/cf_creds.age
+++ b/secrets/containers/cf_creds.age
@ -1,19 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xeHnUA orzYvtHssnqm5RxM5aa2/9C8WE+b71dDA2I2Xazhc2k
-zkiBhnB7MdSIxrT/Sh14pHGU9ipGkBrrhNrHjW6lbJw
-> ssh-ed25519 6HvatA tABXMcWyBkSJWrl3MM76eJGJSU0XKQTG6lmFWIS/qxs
-ZZ3PYHKqbbdz0kDCTXhQBGCnWGsXLqZmdNjlWpT8SY4
-> ssh-ed25519 3DwG4w GUdLU60u2plRSDoFkAoNep5USX5Lj6jLrIQHzxYyPkI
-5dnetJBkJeSe12iczuOMnJO8K0gkB5qhPL1UbGAslzI
-> ssh-ed25519 Nn8WxA wnQzj5PqL1EoXisYGabcHzChGBZWvis+CSTE+6eCMEk
-fw4XLdF7kIIWBVVDu3DBxtxdYxBSsXozpJQ7p0No8I4
-> ssh-ed25519 Gd+9pg TIdiOlNUhp4fkQPQi3PItzVBssM1TxoDYZNCB0GYryw
-Ch+pJ6BEO/oUTeUn3t8qaiVuLaRgf9GUO4jpAgnJstY
-> ssh-ed25519 eMj+Jg 83Cbf9k7T0DRcE7hFchQWEj/pR+qNGTLIdXDmbWMeT4
-PqOzucTkTSQg92Vd8ZMLX6cDKyESCE4v9VVHJlAfFyg
-> ssh-ed25519 MQ/7Ew f4axkHyjiTOsbiYu90MAirHKoB9S70dK11JDtMKmSkc
-Rb2+dIewpW0bL+qJtAxIgVAyWqTDZI9dcwMQR/0pg3s
-> ssh-ed25519 3DwG4w FYRpJ1zJZmOil2/X+URrw03KXZk7qZoMO1/P+BJGCxo
-SRBJ/FOUbisy7Dhd5tXd4fN8HWM95L6oDQOjzmM5St8
--- /7SydLy/XxsnVqTD5ffym1MnyKzVyvvhIbazmf4oB18
-4ðÒ9Œ¯ÅaCr›¨™Bññ"<22>’Òe•5Š¢nö9ÂuF?ùyÛæÍk ¤µÓßbDB¸+Í™‰—D¨b÷HŠ©õôb»“^Í<>LóøÝÓ»©Ñö÷ÐV*^žûË–¿ÉL‡¼Ï™J8_6S·ÂÀÅ$+¼ÈK:$
--- a/secrets/containers/vpn_env.age
+++ b/secrets/containers/vpn_env.age
--- a/secrets/github_key.age
+++ b/secrets/github_key.age
--- a/secrets/keys.nix
+++ b/secrets/keys.nix
@ -1,28 +0,0 @@
-let
-  users = {
-    ooks = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx2kNirkcFrNji+qz7KX+zdRxpgJyOwK0vyBrx9Ae3c";
-  };
-
-  hosts = {
-    ooksdesk = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk";
-    ooksmedia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ttz1jTy+byfzi874vogy3ZPLW9+8W2o512tdsqUUV";
-    ookst480s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWFZwTuHIITHa7s4Zp6KPF2suZIMXZbe085OiG0GRh5";
-    ooksphone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINredx07UAk2l1wUPujYnmJci1+XEmcUuSX0DIYg6Vzz";
-    ooksmicro = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUSu2iy3GvMXT5eEDAymIwSQe8UuVG5GH5FJ408JiG4";
-    ooksx1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBR6Cyx64Qjth/4aS2x95scEkfiOnsCzufMZW5e41bfE";
-  };
-
-  workstations = [
-    hosts.ooksdesk
-    hosts.ooksmedia
-    hosts.ookst480s
-    hosts.ooksphone
-    hosts.ooksmicro
-    hosts.ooksx1
-  ];
-  servers = [
-    hosts.ooksmedia
-  ];
-in {
-  inherit users servers hosts workstations;
-}
--- a/secrets/mullvad_wg.age
+++ b/secrets/mullvad_wg.age
--- a/secrets/ooknet_org.age
+++ b/secrets/ooknet_org.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,12 +0,0 @@
-let
-  keys = import ./keys.nix;
-  inherit (keys) users workstations servers;
-in {
-  "tailscale-auth.age".publicKeys = [users.ooks] ++ workstations;
-  "github_key.age".publicKeys = [users.ooks] ++ workstations;
-  "spotify_key.age".publicKeys = [users.ooks] ++ workstations;
-  "ooknet_org.age".publicKeys = [users.ooks] ++ workstations;
-  "mullvad_wg.age".publicKeys = [users.ooks] ++ workstations ++ servers;
-  "containers/vpn_env.age".publicKeys = [users.ooks] ++ workstations ++ servers;
-  "containers/cf_creds.age".publicKeys = [users.ooks] ++ workstations ++ servers;
-}
--- a/secrets/spotify_key.age
+++ b/secrets/spotify_key.age
@ -1,17 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 xeHnUA +isoneTG5GTQVZ2mkNWJMApJL0EbtlRg2lE7CFPVs0o
-b0katAQ3DeRRTZZKzexJMM5JtcqY6pPpz1Z017ZmVBw
-> ssh-ed25519 6HvatA Knq4A7wvjmXnWAikVSbv9BALW7f0lph2bQsiyUcilSo
-SFHeWqjVO5jxnNW0cgE9qJrg0xG8SkEfZ87GpE77EZ8
-> ssh-ed25519 3DwG4w j7k+whyqKrKrkQCIMkOHl+EpCsIlJqtfqBShCc1ZGkk
-vLwteoZ9DvjAecJJhPzcXvnMVsKWEDwHiL76fm2PTC0
-> ssh-ed25519 Nn8WxA ENSIpye6C7RaxwmUQP4fGD3NZ/mXh7Q0gyNsdvEGyxU
-zhKepo7NqWe4NVTRcTcqKJavgZdHAXi5TK8nsHqRJNA
-> ssh-ed25519 Gd+9pg wlz2TZrZVdNz9yBugvydWeUgc/430iOPpDP3+aJ0nDo
-ST+uLYDvOg95qXN86vsvKmlr56sttg7Z7l4OAJfgytI
-> ssh-ed25519 eMj+Jg XP+CWaVkKTzptg2lpmPcT0d+K3JoDTfmFjpyKouqwXk
-WGrv56kthwxT88xXSyaPecLklfumxva9RxCoFNZwVTU
-> ssh-ed25519 MQ/7Ew XgTs4XL6bGspzSFdT2IW4BW3MPjdP0YiLQqo0SDR+EI
-18MBJWrgjk3J58EPZjwW/OwAo3bKG+jHztowqQeYG5M
--- nxPnfZNn24Q70LqqEO2Mo76xPcaBuZ7OEYXTO0Ac/wk
-”Þê4ª¨V+Ô_<’P|Í(ŽH3ìj¢S<C2A2>#(åv¥pþ¥‚ØjÈüè8a—ßc6’DïÔøèðd'(qÜZA[9ö
--- a/secrets/tailscale-auth.age
+++ b/secrets/tailscale-auth.age