secrets: move secrets to global namespace if not host-specific

2023-10-02 00:26:44 +02:00 · 2023-10-02 00:26:44 +02:00 · 9bafbb859f
parent 9813625a1b
commit 9bafbb859f
8 changed files with 13 additions and 21 deletions
--- a/2configs/backup/state.nix
+++ b/2configs/backup/state.nix
@ -1,13 +1,10 @@
 { config, ... }:
 # back up all state
 let
-  sshkey = config.sops.secrets."borg.priv".path;
-  phrase = config.sops.secrets."borg.pw".path;
+  sshkey = config.sops.secrets."${config.clanCore.machineName}-borg.priv".path;
+  phrase = config.sops.secrets."${config.clanCore.machineName}-borg.pw".path;
 in
 {
-  sops.secrets."borg.priv" = {};
-  sops.secrets."borg.pw" = {};
-
  services.borgbackup.jobs.state = {
    repo = "borg-${config.krebs.build.host.name}@backup.makefu.r:.";
    paths = config.state;
--- a/2configs/bam/ha-ara-menu.nix
+++ b/2configs/bam/ha-ara-menu.nix
@ -3,7 +3,6 @@ let
  pkg = pkgs.ha-ara-menu;
 in 
  { 
-  users.groups.ara-secrets = {};
  sops.secrets.aramarkconfig = {
    mode = "0440";
    group = config.users.groups.ara-secrets.name;
--- a/2configs/nginx/dl.euer.krebsco.de.nix
+++ b/2configs/nginx/dl.euer.krebsco.de.nix
@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:

 {
-  sops.secrets."dl.euer.krebsco.de-auth" = {};
-  sops.secrets."dl.gum-auth" = {};
+  sops.secrets."dl.euer.krebsco.de-auth" = { owner = "nginx"; };
+  sops.secrets."dl.gum-auth" = { owner = "nginx"; };
  users.groups.download.members = [ "nginx" ];
  services.nginx = {
    enable = lib.mkDefault true;
--- a/2configs/secrets/user-passwords.nix
+++ b/2configs/secrets/user-passwords.nix
@ -3,18 +3,16 @@
  imports = [ ./default.nix ];

  sops.secrets = {
-    "passwd/makefu" = {
+    "passwd-makefu" = {
      neededForUsers = true;
-      sopsFile = ../../secrets/common.yaml;
    };
-    "passwd/root" = {
+    "passwd-root" = {
      neededForUsers = true;
-      sopsFile = ../../secrets/common.yaml;
    };
  };

  users.users = {
-    makefu.passwordFile = config.sops.secrets."passwd/makefu".path;
-    root.passwordFile = config.sops.secrets."passwd/root".path;
+    makefu.passwordFile = config.sops.secrets."passwd-makefu".path;
+    root.passwordFile = config.sops.secrets."passwd-root".path;
  };
 }
--- a/2configs/secrets/wbob-users.nix
+++ b/2configs/secrets/wbob-users.nix
@ -1,8 +1,8 @@
 { config, lib, ... }:
 {
-  sops.secrets."passwd/kiosk".neededForUsers = true;
+  sops.secrets."wbob-passwd-kiosk".neededForUsers = true;

-  users.users.kiosk.passwordFile = config.sops.secrets."passwd/kiosk".path;
+  users.users.kiosk.passwordFile = config.sops.secrets."wbob-passwd-kiosk".path;
  # override the password for root@wbob to the kiosk password
-  users.users.root.passwordFile = lib.mkForce config.sops.secrets."passwd/kiosk".path;
+  users.users.root.passwordFile = lib.mkForce config.sops.secrets."wbob-passwd-kiosk".path;
 }
--- a/2configs/sshd-totp.nix
+++ b/2configs/sshd-totp.nix
@ -6,7 +6,6 @@
 ## scan the qrcode with google authenticator (or FreeOTP)
 ## copy last line into secrets/<host>/users.oath (chmod 700)
 {
-  sops.secrets."users.oath" = {};
  security.pam.oath = {
    # enabling it will make it a requisite of `all` services
    # enable = true;
--- a/2configs/stats/telegraf/hamstats.nix
+++ b/2configs/stats/telegraf/hamstats.nix
@ -56,9 +56,8 @@ let
      (esensor room name ''${room}_${name}_pressure'')
    ];
 in {
-  sops.secrets."mqtt/stats.env" = {};
  services.telegraf.environmentFiles = [
-    config.sops.secrets."mqtt/stats.env".path
+    config.sops.secrets."omo-mqtt-stats.env".path
  ];
  services.telegraf.extraConfig.inputs.mqtt_consumer =
       (zigbee_temphum "Wohnzimmer" "temp1")
--- a/2configs/wireguard/wiregrill.nix
+++ b/2configs/wireguard/wiregrill.nix
@ -1,5 +1,5 @@

-{ config, pkgs, lib, ... }: with lib; with pkgs.stockholm.lib;
+{ config, pkgs, lib, ... }: with lib; 
 let

  self = config.krebs.build.host.nets.wiregrill;