From 01e86db54c2f3aa3bb9b9fae1294b4e5bfec8155 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Tue, 27 Aug 2024 08:50:57 +0300
Subject: [PATCH] move secrets from flake.nix to host config
---
 flake.nix | 49 -------------------------------
 hosts/fra1-b/configuration.nix | 14 ++++++---
 hosts/fwminex/configuration.nix | 25 +++++++++++++---
 hosts/mtworx/configuration.nix | 15 ++++++++--
 hosts/vno1-gdrx/configuration.nix | 15 ++++++++--
 5 files changed, 55 insertions(+), 63 deletions(-)
diff --git a/flake.nix b/flake.nix
index 60e3453..e9b20d2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -142,18 +142,7 @@
 home-manager.nixosModules.home-manager
 nixos-hardware.nixosModules.lenovo-thinkpad-x1-11th-gen
 nix-index-database.nixosModules.nix-index
-
 agenix.nixosModules.default
- {
- age.secrets = {
- motiejus-work-passwd-hash.file = ./secrets/motiejus_work_passwd_hash.age;
- root-work-passwd-hash.file = ./secrets/root_work_passwd_hash.age;
- sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
-
- syncthing-key.file = ./secrets/mtworx/syncthing/key.pem.age;
- syncthing-cert.file = ./secrets/mtworx/syncthing/cert.pem.age;
- };
- }
 ];
 specialArgs = {
@@ -170,24 +159,6 @@
 nixos-hardware.nixosModules.framework-12th-gen-intel
 agenix.nixosModules.default
- {
- age.secrets = {
- motiejus-server-passwd-hash.file = ./secrets/motiejus_server_passwd_hash.age;
- root-server-passwd-hash.file = ./secrets/root_server_passwd_hash.age;
- sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
- headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
- borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
- grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
- letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
- vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
- photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
- synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
- synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;
- synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
- syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
- syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
- };
- }
 ];
 specialArgs = {
@@ -204,16 +175,6 @@
 nix-index-database.nixosModules.nix-index
 agenix.nixosModules.default
- {
- age.secrets = {
- motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
- root-passwd-hash.file = ./secrets/root_passwd_hash.age;
- sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
-
- syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
- syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
- };
- }
 ];
 specialArgs = {
@@ -254,18 +215,8 @@
 { nixpkgs.overlays = overlays; }
 agenix.nixosModules.default
 home-manager.nixosModules.home-manager
-
 ./hosts/fra1-b/configuration.nix
 ./modules
-
- {
- age.secrets = {
- motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
- root-passwd-hash.file = ./secrets/root_passwd_hash.age;
- sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
-
- };
- }
 ];
 specialArgs = {
diff --git a/hosts/fra1-b/configuration.nix b/hosts/fra1-b/configuration.nix
index f07efc3..7871e69 100644
--- a/hosts/fra1-b/configuration.nix
+++ b/hosts/fra1-b/configuration.nix
@@ -10,10 +10,16 @@ in
 {
 imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- age.secrets.ssh8022-server = {
- file = ../../secrets/ssh8022.age;
- owner = "spiped";
- path = "/var/lib/spiped/ssh8022.key";
+ age.secrets = {
+ motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
+ root-passwd-hash.file = ./secrets/root_passwd_hash.age;
+ sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+ ssh8022-server = {
+ file = ../../secrets/ssh8022.age;
+ owner = "spiped";
+ path = "/var/lib/spiped/ssh8022.key";
+ };
+ };
 boot = {
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index 4a05059..4592978 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
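Review bot: The three `.file` paths added to `hosts/fra1-b/configuration.nix` are written as `./secrets/...`, which is now resolved relative to `hosts/fra1-b/` rather than the flake root where these entries lived before; the `ssh8022-server` entry in the same attrset uses `../../secrets/ssh8022.age`, so the moved entries point at `hosts/fra1-b/secrets/...`, a directory this diff does not create. Unless such a directory exists, the host fails to evaluate when agenix copies the file into the store, and if one were ever added the secrets would silently be sourced from a different place than the other hosts'. Prefix each of the three with `../../`, e.g. `motiejus-passwd-hash.file = ../../secrets/motiejus_passwd_hash.age;`. Separately, the collapsed flake.nix hunk for this host is ambiguous about whether the lone `-` before `./hosts/fra1-b/configuration.nix` is a removed blank line or the removal of that module entry; if it is the latter this file is no longer evaluated at all, which is worth confirming before merging.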
@@ -13,10 +13,27 @@ in
 ../../modules/profiles/btrfs
 ];
- age.secrets.ssh8022-server = {
- file = ../../secrets/ssh8022.age;
- owner = "spiped";
- path = "/var/lib/spiped/ssh8022.key";
+ age.secrets = {
+ motiejus-server-passwd-hash.file = ./secrets/motiejus_server_passwd_hash.age;
+ root-server-passwd-hash.file = ./secrets/root_server_passwd_hash.age;
+ sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+ headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
+ borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
+ grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
+ letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
+ vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
+ photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
+ synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
+ synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;
+ synapse-macaroon-secret-key.file = ./secrets/synapse/macaroon_secret_key.age;
+ syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
+ syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
+
+ ssh8022-server = {
+ file = ../../secrets/ssh8022.age;
+ owner = "spiped";
+ path = "/var/lib/spiped/ssh8022.key";
+ };
 };
 boot = {
diff --git a/hosts/mtworx/configuration.nix b/hosts/mtworx/configuration.nix
index aae7787..52baca8 100644
--- a/hosts/mtworx/configuration.nix
+++ b/hosts/mtworx/configuration.nix
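Review bot: All fourteen `.file` entries moved into this block keep the flake-relative `./secrets/...` form, but from `hosts/fwminex/configuration.nix` that resolves to `hosts/fwminex/secrets/...`, which nothing in this diff creates; the retained `ssh8022-server` entry directly below shows the correct `../../secrets/` prefix, so one attrset now mixes two conventions. The list includes the Synapse signing key, the Let's Encrypt account key and the Vaultwarden environment, so a wrong path here is a hard evaluation failure for the whole host rather than one degraded service. Rewrite each entry with `../../`, e.g. `synapse-jakstys-signing-key.file = ../../secrets/synapse/jakstys_lt_signing_key.age;`; a `secrets = ../../secrets;` binding in the file's `let` block (which starts outside the hunk) would keep the prefix from drifting again.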
@@ -16,9 +16,18 @@ in
 ../../modules/profiles/btrfs
 ];
- age.secrets.ssh8022-client = {
- file = ../../secrets/ssh8022.age;
- mode = "444";
+ age.secrets = {
+ motiejus-work-passwd-hash.file = ./secrets/motiejus_work_passwd_hash.age;
+ root-work-passwd-hash.file = ./secrets/root_work_passwd_hash.age;
+ sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+
+ syncthing-key.file = ./secrets/mtworx/syncthing/key.pem.age;
+ syncthing-cert.file = ./secrets/mtworx/syncthing/cert.pem.age;
+
+ ssh8022-client = {
+ file = ../../secrets/ssh8022.age;
+ mode = "444";
+ };
 };
 boot = {
diff --git a/hosts/vno1-gdrx/configuration.nix b/hosts/vno1-gdrx/configuration.nix
index f7e7e19..191c894 100644
--- a/hosts/vno1-gdrx/configuration.nix
+++ b/hosts/vno1-gdrx/configuration.nix
@@ -10,9 +10,18 @@ in
 ../../modules/profiles/btrfs
 ];
- age.secrets.ssh8022-client = {
- file = ../../secrets/ssh8022.age;
- mode = "444";
+ age.secrets = {
+ motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;
+ root-passwd-hash.file = ./secrets/root_passwd_hash.age;
+ sasl-passwd.file = ./secrets/postfix_sasl_passwd.age;
+
+ syncthing-key.file = ./secrets/vno1-gdrx/syncthing/key.pem.age;
+ syncthing-cert.file = ./secrets/vno1-gdrx/syncthing/cert.pem.age;
+
+ ssh8022-client = {
+ file = ../../secrets/ssh8022.age;
+ mode = "444";
+ };
 };
 boot = {
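Review bot: The five moved `.file` entries in `hosts/mtworx/configuration.nix` use `./secrets/...`, which from this file resolves to `hosts/mtworx/secrets/...` instead of the repo-level `secrets/` directory the flake used; the `ssh8022-client` entry in the same block already uses `../../secrets/`, so the attrset mixes two conventions and the new paths will not resolve unless that directory exists. Prefix each with `../../`, e.g. `syncthing-key.file = ../../secrets/mtworx/syncthing/key.pem.age;`. Not introduced here, but now sitting next to the password hashes: `mode = "444";` leaves the decrypted spiped pre-shared key readable by every local account on this laptop; if one user runs the client, setting `owner` to that user with `mode = "400";` would keep it to that account. The collapsed flake.nix hunk for this host is also ambiguous about whether `agenix.nixosModules.default` stays in the module list; if it is actually removed, the `age.secrets` options declared here will not exist and evaluation fails.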
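Review bot: The moved entries in `hosts/vno1-gdrx/configuration.nix` say `./secrets/...`, but this file lives in `hosts/vno1-gdrx/`, so they resolve to `hosts/vno1-gdrx/secrets/...` while the `ssh8022-client` entry in the same block correctly uses `../../secrets/ssh8022.age`; unless that directory exists, agenix cannot find the files and the host fails to build. Change the five to `../../secrets/...`, e.g. `motiejus-passwd-hash.file = ../../secrets/motiejus_passwd_hash.age;`. While the block is being rewritten, `mode = "444";` (pre-existing) makes the spiped key world-readable on the host; restricting it to the user that runs the ssh client with `owner = "<user>"; mode = "400";` would be the least-privilege setting.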