config: move secrets to sops

1systems/wbob/config.nix

@@ -6,61 +6,62 @@ in {
 
   imports =
     [
-      <stockholm/makefu>
+      ../../2configs/default.nix
       # Include the results of the hardware scan.
       ./nuc
 
-      <stockholm/makefu/2configs/home-manager>
-      <stockholm/makefu/2configs/support-nixos.nix>
-      <stockholm/makefu/2configs/zsh-user.nix>
-      <stockholm/makefu/2configs/tools/core.nix>
-      # <stockholm/makefu/2configs/disable_v6.nix>
-      <stockholm/makefu/2configs/tools/core-gui.nix>
-      <stockholm/makefu/2configs/tools/extra-gui.nix>
-      <stockholm/makefu/2configs/tools/media.nix>
-      # <stockholm/makefu/2configs/virtualisation/libvirt.nix>
-      # <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
-      <stockholm/makefu/2configs/tinc/retiolum.nix>
-      <stockholm/makefu/2configs/gui/wbob-kiosk.nix>
+      ../../2configs/home-manager
+      ../../2configs/support-nixos.nix
+      ../../2configs/zsh-user.nix
+      ../../2configs/tools/core.nix
+      # ../../2configs/disable_v6.nix
+      ../../2configs/tools/core-gui.nix
+      ../../2configs/tools/extra-gui.nix
+      ../../2configs/tools/media.nix
+      # ../../2configs/virtualisation/libvirt.nix
+      # ../../2configs/virtualisation/virtualbox.nix
+
+      # ../../2configs/tinc/retiolum.nix
+      ../../2configs/gui/wbob-kiosk.nix
       { environment.systemPackages = with pkgs ;[
         nano
         guake
       ]; }
 
-      # <stockholm/makefu/2configs/gui/studio-virtual.nix>
-      # <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
-      # <stockholm/makefu/2configs/audio/realtime-audio.nix>
-      # <stockholm/makefu/2configs/vncserver.nix>
+      # ../../2configs/gui/studio-virtual.nix
+      # ../../2configs/audio/jack-on-pulse.nix
+      # ../../2configs/audio/realtime-audio.nix
+      # ../../2configs/vncserver.nix
       ## no need for dns logs anymore
-      # <stockholm/makefu/2configs/logging/server.nix>
+      # ../../2configs/logging/server.nix
 
       # Services
-      # <stockholm/makefu/2configs/hydra/stockholm.nix>
+      # ../../2configs/hydra/stockholm.nix
 
-      <stockholm/makefu/2configs/share/wbob.nix>
-      <stockholm/makefu/2configs/wireguard/thierry.nix>
-      <stockholm/makefu/2configs/bluetooth-mpd.nix>
+      ../../2configs/share/wbob.nix
+      ../../2configs/wireguard/thierry.nix
+      ../../2configs/bluetooth-mpd.nix
 
       # Sensors
-      # <stockholm/makefu/2configs/stats/client.nix>
-      # <stockholm/makefu/2configs/stats/collectd-client.nix>
-      <stockholm/makefu/2configs/stats/telegraf>
-      <stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
-      <stockholm/makefu/2configs/stats/telegraf/europastats.nix>
-      <stockholm/makefu/2configs/stats/external/aralast.nix>
-      <stockholm/makefu/2configs/stats/arafetch.nix>
-      # <stockholm/makefu/2configs/hw/mceusb.nix>
-      <stockholm/makefu/2configs/hw/slaesh.nix>
-      # <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
+      # ../../2configs/stats/client.nix
+      # ../../2configs/stats/collectd-client.nix
+      ../../2configs/stats/telegraf
+      ../../2configs/stats/telegraf/airsensor.nix
+      ../../2configs/stats/telegraf/europastats.nix
+      ../../2configs/stats/external/aralast.nix
+      ../../2configs/stats/arafetch.nix
+      # ../../2configs/hw/mceusb.nix
+      ../../2configs/hw/slaesh.nix
+      # ../../2configs/stats/telegraf/bamstats.nix
       { environment.systemPackages = [ pkgs.vlc ]; }
 
-      <stockholm/makefu/2configs/bureautomation> # new hass entry point
-      <stockholm/makefu/2configs/bureautomation/led-fader.nix>
-      <stockholm/makefu/2configs/bureautomation/printer.nix>
-      # <stockholm/makefu/2configs/bureautomation/kalauerbot.nix> now runs in thales
-      # <stockholm/makefu/2configs/bureautomation/visitor-photostore.nix>
-      # <stockholm/makefu/2configs/bureautomation/mpd.nix> #mpd is only used for TTS, this is the web interface
-      <stockholm/makefu/2configs/mqtt.nix>
+      ../../2configs/bureautomation # new hass entry point
+      ../../2configs/bureautomation/led-fader.nix
+      ../../2configs/bureautomation/printer.nix
+      # ../../2configs/bureautomation/kalauerbot.nix now runs in thales
+      # ../../2configs/bureautomation/visitor-photostore.nix
+      # ../../2configs/bureautomation/mpd.nix #mpd is only used for TTS, this is the web interface
+      ../../2configs/mqtt.nix
       {
         services.mjpg-streamer = {
           enable = true;
@@ -101,9 +102,9 @@ in {
           '';
       })
 
-      <stockholm/makefu/2configs/backup/state.nix>
+      ../../2configs/backup/state.nix
       # temporary
-      # <stockholm/makefu/2configs/temp/rst-issue.nix>
+      # ../../2configs/temp/rst-issue.nix
       {
         services.jellyfin.enable = true;
       }

2configs/default.nix

@@ -7,6 +7,7 @@ with lib;
     ./editor/vim.nix
     ./binary-cache/nixos.nix
     ./minimal.nix
+    ./secrets
     # ./security/hotfix.nix
   ];
 

2configs/stats/arafetch.nix

@@ -1,5 +1,5 @@
 { pkgs, lib, ...}:
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
 let
   pkg = with pkgs.python3Packages;buildPythonPackage rec {
     rev = "56d41de8219adc";

2configs/wireguard/thierry.nix

@@ -1,8 +1,9 @@
-{ lib, ... }:
+{ config, lib, ... }:
 {
+  sops.secrets."wg-thierry.key" = {};
   networking.wireguard.interfaces.thierry-wg = {
     ips = [ "172.27.66.10/24" ]; # TODO: not dnyamic
-    privateKeyFile = (toString <secrets>) + "/wg-thierry.key";
+    privateKeyFile = config.sops.secrets."wg-thierry.key".path;
     allowedIPsAsRoutes = true;
     # explicit route via eth0 to gum
     peers = [

flake.nix

@@ -24,10 +24,13 @@
     stockholm.url = "path:///home/makefu/stockholm-flakes";
     stockholm.inputs.nixpkgs.follows = "nixpkgs";
 
+    nix-writers.url = "git+http://cgit.krebsco.de/nix-writers";
+    nix-writers.inputs.nixpkgs.follows = "nixpkgs";
+
   };
   description = "Flakes of makefu";
 
-  outputs = { self, nixpkgs, disko, nixos-hardware, nix-ld, sops-nix, stockholm, home-manager, ...}@inputs: let
+  outputs = { self, nixpkgs, disko, nixos-hardware, nix-ld, sops-nix, stockholm, home-manager, nix-writers, ...}@inputs: let
       inherit (nixpkgs) lib;
   in {
     nixosModules =
@@ -39,14 +42,19 @@
           (lib.attrNames (builtins.readDir ./3modules))));
 
     overlays.default = import ./5pkgs/default.nix;
-    nixosConfigurations = lib.genAttrs ["x" "tsp" ] (host: nixpkgs.lib.nixosSystem rec {
+    nixosConfigurations = lib.genAttrs ["x" "tsp" "wbob" ] (host: nixpkgs.lib.nixosSystem rec {
       system = "x86_64-linux";
       specialArgs = {
         inherit (inputs) nixos-hardware self stockholm nixpkgs;
         pkgs = import nixpkgs {
           inherit system;
           config.allowUnfree = true;
-          overlays = [(self: super: { inherit (self.writers) writeDash writeDashBin; stockholm.lib = stockholm.lib; }) self.overlays.default] ;
+          overlays = [
+            (self: super: { inherit (self.writers) writeDash writeDashBin; stockholm.lib = stockholm.lib; })
+            self.overlays.default
+            stockholm.overlays.default
+            nix-writers.overlays.default
+          ] ;
         };
       };
       modules = [
@@ -64,6 +72,8 @@
         stockholm.nixosModules.sitemap
         stockholm.nixosModules.fetchWallpaper
         stockholm.nixosModules.git
+        stockholm.nixosModules.tinc
+        stockholm.nixosModules.systemd
 
         self.nixosModules.default
         #self.nixosModules.krebs