Add sops defaults

2025-09-01 16:06:04 +02:00 · 2025-09-01 16:06:04 +02:00 · 8cec9745da
commit 8cec9745da
parent 6b9c9dba92
27 changed files with 75 additions and 144 deletions
--- a/hosts/aluminium/configuration.nix
+++ b/hosts/aluminium/configuration.nix
@ -91,9 +91,6 @@
  };


-  sops.secrets.pap-secrets = {
-    sopsFile = ./secrets.yaml;
-  };
  environment.etc."ppp/pap-secrets".source = config.sops.secrets.pap-secrets.path;
  services.pppd = {
    enable = true;
--- a/hosts/aluminium/services/asterisk/default.nix
+++ b/hosts/aluminium/services/asterisk/default.nix
@ -152,7 +152,6 @@ in

  sops.secrets = lib.listToAttrs (map
    (name: lib.nameValuePair "asterisk-${name}" {
-      sopsFile = ../../secrets.yaml;
      owner = config.users.users.asterisk.name;
    })
    secretConfigFiles);
--- a/hosts/aluminium/services/doorbell.nix
+++ b/hosts/aluminium/services/doorbell.nix
@ -4,10 +4,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.myintercom-doorbell-password = {
-    sopsFile = ../secrets.yaml;
-    owner = "asterisk";
-  };
+  sops.secrets.myintercom-doorbell-password.owner = "asterisk";
  services.myintercom-doorbell = {
    enable = true;
    host = "sprechanlage.lan.kbh.jalr.de";
--- a/hosts/aluminium/services/dyndns.nix
+++ b/hosts/aluminium/services/dyndns.nix
@ -1,8 +1,5 @@
 { config, pkgs, ... }:
 {
-  sops.secrets.duckdns-secret = {
-    sopsFile = ../secrets.yaml;
-  };
  services.ddclient = {
    enable = true;
    interval = "1min";
--- a/hosts/aluminium/services/esphome/default.nix
+++ b/hosts/aluminium/services/esphome/default.nix
@ -6,10 +6,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.esphome = {
-    sopsFile = ../../secrets.yaml;
-    restartUnits = [ config.systemd.services.esphome.name ];
-  };
+  sops.secrets.esphome.restartUnits = [ config.systemd.services.esphome.name ];

  jalr.esphome = {
    enable = true;
--- a/hosts/copper/services/ntfy.nix
+++ b/hosts/copper/services/ntfy.nix
@ -1,6 +1,3 @@
 {
-  sops.secrets.ntfy_shiftphone = {
-    sopsFile = ../secrets.yaml;
-    owner = "jalr";
-  };
+  sops.secrets.ntfy_shiftphone.owner = "jalr";
 }
--- a/hosts/iron/services/calibre.nix
+++ b/hosts/iron/services/calibre.nix
@ -3,10 +3,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.calibre-htpasswd = {
-    owner = "nginx";
-    sopsFile = ../secrets.yaml;
-  };
+  sops.secrets.calibre-htpasswd.owner = "nginx";

  services = {
    calibre-server = {
--- a/hosts/iron/services/dyndns.nix
+++ b/hosts/iron/services/dyndns.nix
@ -3,9 +3,6 @@ let
  interfaces = import ../interfaces.nix;
 in
 {
-  sops.secrets.duckdns-secret = {
-    sopsFile = ../secrets.yaml;
-  };
  services.ddclient = {
    enable = true;
    interval = "1min";
--- a/hosts/iron/services/esphome/default.nix
+++ b/hosts/iron/services/esphome/default.nix
@ -6,10 +6,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.esphome = {
-    sopsFile = ../../secrets.yaml;
-    restartUnits = [ config.systemd.services.esphome.name ];
-  };
+  sops.secrets.esphome.restartUnits = [ config.systemd.services.esphome.name ];

  jalr.esphome = {
    enable = true;
--- a/hosts/iron/services/home-assistant.nix
+++ b/hosts/iron/services/home-assistant.nix
@ -5,19 +5,10 @@ let
  domain = "hass.jalr.de";
 in
 {
-  sops.secrets = {
-    home-assistant = {
-      sopsFile = ../secrets.yaml;
-      owner = "root";
-      group = "hass";
-      mode = "0640";
-    };
-    "mqtt-users/home-assistant" = {
-      sopsFile = ../secrets.yaml;
-    };
-    "mqtt-users/valetudo" = {
-      sopsFile = ../secrets.yaml;
-    };
+  sops.secrets.home-assistant = {
+    owner = "root";
+    group = "hass";
+    mode = "0640";
  };

  networking.firewall.interfaces = {
--- a/hosts/iron/services/mail.nix
+++ b/hosts/iron/services/mail.nix
@ -4,10 +4,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  #sops.secrets."domain_key_jalr.de" = {
-  #  sopsFile = ../secrets.yaml;
-  #  owner = "rspamd";
-  #};
+  #sops.secrets."domain_key_jalr.de".owner = "rspamd";
  jalr = {
    mailserver = {
      enable = true;
--- a/hosts/iron/services/matrix.nix
+++ b/hosts/iron/services/matrix.nix
@ -6,12 +6,7 @@ let
  signalUser = "jalr";
 in
 {
-  sops.secrets = {
-    synapse-turn-shared-secret = {
-      owner = "matrix-synapse";
-      sopsFile = ../secrets.yaml;
-    };
-  };
+  sops.secrets.synapse-turn-shared-secret.owner = "matrix-synapse";
  jalr.matrix = {
    enable = true;
    fqdn = "matrix.jalr.de";
--- a/hosts/iron/services/navidrome.nix
+++ b/hosts/iron/services/navidrome.nix
@ -30,9 +30,6 @@ in
      LoadCredential = "PasswordEncryptionKey:${passwordEncryptionKeyFile}";
    };
  };
-  sops.secrets.navidrome-password-encryption-key = {
-    sopsFile = ../secrets.yaml;
-  };
  services.nginx.virtualHosts."navidrome.jalr.de" = {
    enableACME = true;
    forceSSL = true;
--- a/hosts/iron/services/photoprism.nix
+++ b/hosts/iron/services/photoprism.nix
@ -26,10 +26,6 @@ let
  '';
 in
 {
-  sops.secrets."photoprism/oidc-secret" = {
-    sopsFile = ../secrets.yaml;
-  };
-
  systemd.services.photoprism.serviceConfig.LoadCredential = lib.mkForce "PHOTOPRISM_OIDC_SECRET_FILE:${config.sops.secrets."photoprism/oidc-secret".path}";

  services.photoprism = {
--- a/hosts/iron/services/public-ip-tunnel.nix
+++ b/hosts/iron/services/public-ip-tunnel.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:

 let
  inherit (config.networking) ports;
@ -13,15 +13,6 @@ let
  };
 in
 {
-  sops.secrets = lib.listToAttrs (map
-    (name: lib.nameValuePair "wireguard_key_${name}" {
-      sopsFile = ../secrets.yaml;
-    })
-    [
-      "hetzner-ha"
-    ]
-  );
-
  networking = {
    iproute2 = {
      enable = true;
--- a/hosts/iron/services/radicale.nix
+++ b/hosts/iron/services/radicale.nix
@ -4,10 +4,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.radicale-htpasswd = {
-    owner = "nginx";
-    sopsFile = ../secrets.yaml;
-  };
+  sops.secrets.radicale-htpasswd.owner = "nginx";

  services.nginx.virtualHosts = {
    "cal.jalr.de" = {
--- a/hosts/iron/services/remarkable.nix
+++ b/hosts/iron/services/remarkable.nix
@ -16,7 +16,6 @@ let
 in
 {
  sops.secrets.rmfakecloud = {
-    sopsFile = ../secrets.yaml;
    owner = "root";
    group = "root";
    mode = "0400";
--- a/hosts/iron/services/swingmusic.nix
+++ b/hosts/iron/services/swingmusic.nix
@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [ pkgs.swingmusic ];
+}
--- a/hosts/iron/services/wireguard-esphome.nix
+++ b/hosts/iron/services/wireguard-esphome.nix
@ -5,10 +5,6 @@ let
  listenPort = ports.wireguard-esphome.udp;
 in
 {
-  sops.secrets."wireguard_key/esphome" = {
-    sopsFile = ../secrets.yaml;
-  };
-
  networking = {
    firewall.allowedUDPPorts = [ listenPort ];
    wireguard.interfaces.esphome = {
--- a/hosts/magnesium/services/coturn.nix
+++ b/hosts/magnesium/services/coturn.nix
@ -6,10 +6,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.turn-static-auth-secret = {
-    owner = "turnserver";
-    sopsFile = ../secrets.yaml;
-  };
+  sops.secrets.turn-static-auth-secret.owner = "turnserver";

  services.coturn = (
    if ports.coturn-plain.tcp != ports.coturn-plain.udp then builtins.abort "coturn: plain TCP and UDP ports must match."
--- a/hosts/magnesium/services/forgejo.nix
+++ b/hosts/magnesium/services/forgejo.nix
@ -5,10 +5,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.forgejo-mail = {
-    owner = cfg.user;
-    sopsFile = ../secrets.yaml;
-  };
+  sops.secrets.forgejo-mail.owner = cfg.user;
  services.forgejo = {
    enable = true;
    lfs.enable = true;
--- a/hosts/magnesium/services/gitlab-runner.nix
+++ b/hosts/magnesium/services/gitlab-runner.nix
@ -1,9 +1,6 @@
 { config, pkgs, ... }:

 {
-  sops.secrets.gitlab-runner_fablab-nea-hcloud-labsync = {
-    sopsFile = ../secrets.yaml;
-  };
  services.gitlab-runner = {
    enable = true;
    extraPackages = [
--- a/hosts/magnesium/services/hedgedoc.nix
+++ b/hosts/magnesium/services/hedgedoc.nix
@ -6,10 +6,7 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets.hedgedoc-session-secret = {
-    owner = config.systemd.services.hedgedoc.serviceConfig.User;
-    sopsFile = ../secrets.yaml;
-  };
+  sops.secrets.hedgedoc-session-secret.owner = config.systemd.services.hedgedoc.serviceConfig.User;
  services = {
    hedgedoc = {
      enable = true;
--- a/hosts/magnesium/services/mealie.nix
+++ b/hosts/magnesium/services/mealie.nix
@ -5,10 +5,6 @@ let
  cfg = config.services.mealie;
 in
 {
-  sops.secrets.mealie = {
-    sopsFile = ../secrets.yaml;
-  };
-
  services.mealie = {
    enable = true;
    credentialsFile = config.sops.secrets.mealie.path;
--- a/hosts/magnesium/services/public-ip-tunnel.nix
+++ b/hosts/magnesium/services/public-ip-tunnel.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, ... }:

 let
  listenPort = ports.wireguard-public-ip-tunnel.udp;
@ -6,15 +6,6 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets = lib.listToAttrs (map
-    (name: lib.nameValuePair "wireguard_key_${name}" {
-      sopsFile = ../secrets.yaml;
-    })
-    [
-      "hetzner-ha"
-    ]
-  );
-
  #boot.kernel.sysctl = {
  #  "net.ipv4.conf.all.forwarding" = 1;
  #  "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
--- a/hosts/magnesium/services/tandoor.nix
+++ b/hosts/magnesium/services/tandoor.nix
@ -7,10 +7,6 @@ let
  inherit (config.networking) ports;
 in
 {
-  sops.secrets."tandoor/secret_key" = {
-    sopsFile = ../secrets.yaml;
-  };
-
  services.tandoor-recipes = {
    enable = true;
    port = ports.tandoor.tcp;