From 9bafbb859f773a0e729ae8ad31f764066a6ba26d Mon Sep 17 00:00:00 2001
From: makefu
Date: Mon, 2 Oct 2023 00:26:44 +0200
Subject: [PATCH] secrets: move secrets to global namespace if not host-specific

---
 2configs/backup/state.nix | 7 ++-----
 2configs/bam/ha-ara-menu.nix | 1 -
 2configs/nginx/dl.euer.krebsco.de.nix | 4 ++--
 2configs/secrets/user-passwords.nix | 10 ++++------
 2configs/secrets/wbob-users.nix | 6 +++---
 2configs/sshd-totp.nix | 1 -
 2configs/stats/telegraf/hamstats.nix | 3 +--
 2configs/wireguard/wiregrill.nix | 2 +-
 8 files changed, 13 insertions(+), 21 deletions(-)

diff --git a/2configs/backup/state.nix b/2configs/backup/state.nix
index 2dc8324..9f8dfc8 100644
--- a/2configs/backup/state.nix
+++ b/2configs/backup/state.nix
@@ -1,13 +1,10 @@
 { config, ... }:
 # back up all state
 let
-  sshkey = config.sops.secrets."borg.priv".path;
-  phrase = config.sops.secrets."borg.pw".path;
+  sshkey = config.sops.secrets."${config.clanCore.machineName}-borg.priv".path;
+  phrase = config.sops.secrets."${config.clanCore.machineName}-borg.pw".path;
 in {
-  sops.secrets."borg.priv" = {};
-  sops.secrets."borg.pw" = {};
-
   services.borgbackup.jobs.state = {
     repo = "borg-${config.krebs.build.host.name}@backup.makefu.r:.";
     paths = config.state;
diff --git a/2configs/bam/ha-ara-menu.nix b/2configs/bam/ha-ara-menu.nix
index 2ec0945..889575b 100644
--- a/2configs/bam/ha-ara-menu.nix
+++ b/2configs/bam/ha-ara-menu.nix
@@ -3,7 +3,6 @@ let
   pkg = pkgs.ha-ara-menu;
 in {
-  users.groups.ara-secrets = {};
   sops.secrets.aramarkconfig = {
     mode = "0440";
     group = config.users.groups.ara-secrets.name;
diff --git a/2configs/nginx/dl.euer.krebsco.de.nix b/2configs/nginx/dl.euer.krebsco.de.nix
index fd2515c..1dc3549 100644
--- a/2configs/nginx/dl.euer.krebsco.de.nix
+++ b/2configs/nginx/dl.euer.krebsco.de.nix
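Review bot: The host name now comes from two different sources on adjacent lines: the new secret names are built from `config.clanCore.machineName`, while `repo` a few lines below still uses `config.krebs.build.host.name`; if those two ever disagree on a host, the job pairs one host's borg key and passphrase with another host's repository. Either derive both from a single `let` binding (`host = config.clanCore.machineName;`, after confirming the two names are identical on every host) or add a comment above `sshkey` such as `# clanCore.machineName must match krebs.build.host.name, which names the remote repo`. Since `sops.secrets."…-borg.priv"` and `"…-borg.pw"` are no longer declared in this module, evaluation now depends on the per-machine declarations existing elsewhere (presumably the clan/sops wiring); naming that location in the same comment helps the next reader. The `services.borgbackup.jobs.state` attribute set continues past the hunk.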
@@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 {
-  sops.secrets."dl.euer.krebsco.de-auth" = {};
-  sops.secrets."dl.gum-auth" = {};
+  sops.secrets."dl.euer.krebsco.de-auth" = { owner = "nginx"; };
+  sops.secrets."dl.gum-auth" = { owner = "nginx"; };
   users.groups.download.members = [ "nginx" ];
   services.nginx = {
     enable = lib.mkDefault true;
diff --git a/2configs/secrets/user-passwords.nix b/2configs/secrets/user-passwords.nix
index 776d083..6bb7a22 100644
--- a/2configs/secrets/user-passwords.nix
+++ b/2configs/secrets/user-passwords.nix
@@ -3,18 +3,16 @@
   imports = [ ./default.nix ];
   sops.secrets = {
-    "passwd/makefu" = {
+    "passwd-makefu" = {
       neededForUsers = true;
-      sopsFile = ../../secrets/common.yaml;
     };
-    "passwd/root" = {
+    "passwd-root" = {
       neededForUsers = true;
-      sopsFile = ../../secrets/common.yaml;
     };
   };
   users.users = {
-    makefu.passwordFile = config.sops.secrets."passwd/makefu".path;
-    root.passwordFile = config.sops.secrets."passwd/root".path;
+    makefu.passwordFile = config.sops.secrets."passwd-makefu".path;
+    root.passwordFile = config.sops.secrets."passwd-root".path;
   };
 }
diff --git a/2configs/secrets/wbob-users.nix b/2configs/secrets/wbob-users.nix
index 1320366..ec82bb3 100644
--- a/2configs/secrets/wbob-users.nix
+++ b/2configs/secrets/wbob-users.nix
@@ -1,8 +1,8 @@
 { config, lib, ... }:
 {
-  sops.secrets."passwd/kiosk".neededForUsers = true;
+  sops.secrets."wbob-passwd-kiosk".neededForUsers = true;
-  users.users.kiosk.passwordFile = config.sops.secrets."passwd/kiosk".path;
+  users.users.kiosk.passwordFile = config.sops.secrets."wbob-passwd-kiosk".path;
   # override the password for root@wbob to the kiosk password
-  users.users.root.passwordFile = lib.mkForce config.sops.secrets."passwd/kiosk".path;
+  users.users.root.passwordFile = lib.mkForce config.sops.secrets."wbob-passwd-kiosk".path;
 }
diff --git a/2configs/sshd-totp.nix b/2configs/sshd-totp.nix
index 9ebbe0d..931f0fd 100644
--- a/2configs/sshd-totp.nix
+++ b/2configs/sshd-totp.nix
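Review bot: `owner = "nginx"` on both auth secrets makes the nginx user the owner of the decrypted files (presumably basic-auth password files, given the names and the nginx consumer), and an owner can chmod or replace the file, which is more than a web server that only needs to read them should hold. The narrower grant keeps root as owner and opens the file to the service's group: `sops.secrets."dl.euer.krebsco.de-auth" = { group = "nginx"; mode = "0440"; };` and the same for `dl.gum-auth`, assuming the host uses the default `nginx` group. The `services.nginx` attribute set continues past the hunk.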
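Review bot: Dropping `sopsFile = ../../secrets/common.yaml` moves `passwd-makefu` and `passwd-root` to whatever default sops file `./default.nix` configures, which is not visible here, so the hunk no longer says where these two keys must exist or what they must contain. A comment above `sops.secrets = {` would record the contract, e.g. `# shared across hosts: both keys live in the global sops file and hold crypt hashes (mkpasswd), as passwordFile expects`. Sharing one root hash across every host that imports this module means a leak or crack on any single host opens root on all of them; that is unchanged from the common.yaml setup, but worth stating next to the declaration. If the hosts move to NixOS 23.11 or later, `passwordFile` is renamed to `hashedPasswordFile`.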
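Review bot: The `lib.mkForce` line keeps root@wbob on the same `wbob-passwd-kiosk` file as the `kiosk` user, so anyone who can log in at the kiosk also holds this host's root password; the existing comment records the override but not the trust assumption behind it. Expand it to something like `# deliberate: root@wbob shares the kiosk password, so a kiosk login is trusted as root on this host`, or drop the override if root should keep the `passwd-root` hash that user-passwords.nix sets. Note that the new name is host-prefixed while `passwd-root` is not, which is consistent with the commit's global-vs-host-specific split and worth one more word in that comment.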
@@ -6,7 +6,6 @@
 ## scan the qrcode with google authenticator (or FreeOTP)
 ## copy last line into secrets//users.oath (chmod 700)
 {
-  sops.secrets."users.oath" = {};
   security.pam.oath = {
     # enabling it will make it a requisite of `all` services
     # enable = true;
diff --git a/2configs/stats/telegraf/hamstats.nix b/2configs/stats/telegraf/hamstats.nix
index 887ffe7..03a4749 100644
--- a/2configs/stats/telegraf/hamstats.nix
+++ b/2configs/stats/telegraf/hamstats.nix
@@ -56,9 +56,8 @@ let
     (esensor room name ''${room}_${name}_pressure'')
   ];
 in {
-  sops.secrets."mqtt/stats.env" = {};
   services.telegraf.environmentFiles = [
-    config.sops.secrets."mqtt/stats.env".path
+    config.sops.secrets."omo-mqtt-stats.env".path
   ];
   services.telegraf.extraConfig.inputs.mqtt_consumer = (zigbee_temphum "Wohnzimmer" "temp1")
diff --git a/2configs/wireguard/wiregrill.nix b/2configs/wireguard/wiregrill.nix
index ec7c6f9..accf3d1 100644
--- a/2configs/wireguard/wiregrill.nix
+++ b/2configs/wireguard/wiregrill.nix
@@ -1,5 +1,5 @@
-{ config, pkgs, lib, ... }: with lib; with pkgs.stockholm.lib;
+{ config, pkgs, lib, ... }: with lib;
 let
   self = config.krebs.build.host.nets.wiregrill;
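Review bot: The new secret name `omo-mqtt-stats.env` hard-codes the host `omo` in a module under `2configs/`, whereas the state.nix hunk in this same commit derives host-specific names from `config.clanCore.machineName`; importing this module on another host would fail evaluation on the missing secret (loudly, which is fine), but the two naming schemes are easy to confuse. If the secret is meant to be per-host, use `config.sops.secrets."${config.clanCore.machineName}-mqtt-stats.env".path`; if it is genuinely omo-only, a comment above `services.telegraf.environmentFiles` such as `# host-specific secret: only omo has the MQTT stats credentials` is enough. The removed `sops.secrets."mqtt/stats.env" = {}` declaration presumably now lives in the global secrets module; confirming that it is declared under the new name is what keeps this hunk evaluating. The enclosing `let` starts before the hunk.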