authorFranck Cuny <franck@fcuny.net>2022-04-13 10:23:20 -0700
committerFranck Cuny <franck@fcuny.net>2022-04-13 10:23:20 -0700
commit5e4d8a007254b9811c86b2ea142a280c9828271d (patch)
tree83c1b8e3ab3b502cb82c79d8438e201334f012c4 /modules/secrets
parentsecrets: fix the path to the ssh key (diff)
secrets: move the actual secrets with hosts config
Having the secrets closer to the host is easier to manage. At the moment
I don't have secrets that are shared across multiple hosts, so that's an
OK approach.
Diffstat (limited to '')
-rw-r--r--hosts/aptos/secrets/wireguard_privatekey.age (renamed from modules/secrets/network/aptos/wireguard_privatekey.age)bin467 -> 467 bytes
-rw-r--r--modules/secrets/default.nix23
2 files changed, 12 insertions, 11 deletions
diff --git a/modules/secrets/network/aptos/wireguard_privatekey.age b/hosts/aptos/secrets/wireguard_privatekey.age
index 2f6edf3..2f6edf3 100644
--- a/modules/secrets/network/aptos/wireguard_privatekey.age
+++ b/hosts/aptos/secrets/wireguard_privatekey.age
Binary files differ
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 556bf32..20dbfd2 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -1,22 +1,23 @@
 { config, inputs, lib, options, ... }:
-with builtins; {
+with builtins;
+with lib;
+let
+  secretsDir = "${toString ../../hosts}/${config.networking.hostName}/secrets";
+  secretsFile = "${secretsDir}/secrets.nix";
+in {
   imports = [ inputs.agenix.nixosModules.age ];
 
   config.age = {
     secrets = let
-      toName = lib.removeSuffix ".age";
       userExists = u: builtins.hasAttr u config.users.users;
       # Only set the user if it exists, to avoid warnings
       userIfExists = u: if userExists u then u else "root";
-      toSecret = name:
-        { owner ? "root", ... }: {
-          file = ./. + "/${name}";
-          owner = lib.mkDefault (userIfExists owner);
-        };
-      convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
-      secrets = import ./secrets.nix;
-    in lib.mapAttrs' convertSecrets secrets;
-
+    in if pathExists secretsFile then
+      mapAttrs' (n: _:
+        nameValuePair (removeSuffix ".age" n) { file = "${secretsDir}/${n}"; })
+      (import secretsFile)
+    else
+      { };
     identityPaths = options.age.identityPaths.default ++ (filter pathExists
       [ "${config.users.users.fcuny.home}/.ssh/id_ed25519" ]);
   };
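Review bot: The rewritten `mapAttrs'` at `(n: _: nameValuePair ...)` discards the per-secret attribute set from `secrets.nix`, so any `owner` (or `mode`/`group`) declared there is silently dropped and every secret is installed with agenix's defaults; the old `toSecret` honoured `owner` via `lib.mkDefault (userIfExists owner)`, and `userExists`/`userIfExists` are now dead bindings left in the `let`. For secrets consumed by a non-root service this fails closed (the service cannot read the file), which is the safe direction but still a regression of the interface the commit message does not mention. Merging the declared attributes back and keeping the owner fallback restores the old contract; `mkDefault` is in scope from `with lib;`. The attribute set this hunk sits in is closed outside the hunk.
```nix
secrets = let
  # … unchanged: userExists / userIfExists …
in if pathExists secretsFile then
  mapAttrs' (n: v:
    nameValuePair (removeSuffix ".age" n) (v // {
      file = "${secretsDir}/${n}";
      # only set a user that exists on this host, to avoid warnings
      owner = mkDefault (userIfExists (v.owner or "root"));
    })) (import secretsFile)
else
  { };
```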