From 5e4d8a007254b9811c86b2ea142a280c9828271d Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Wed, 13 Apr 2022 10:23:20 -0700
Subject: secrets: move the actual secrets with hosts config

Having the secrets closer to the host is easier to manage. At the moment I don't have secrets that are shared across multiple hosts, so that's an OK approach.
---
 modules/secrets/default.nix | 23 +++++++++++----------
 .../secrets/network/aptos/wireguard_privatekey.age | Bin 467 -> 0 bytes
 2 files changed, 12 insertions(+), 11 deletions(-)
 delete mode 100644 modules/secrets/network/aptos/wireguard_privatekey.age
(limited to 'modules')

diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 556bf32..20dbfd2 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -1,22 +1,23 @@
 { config, inputs, lib, options, ... }:
-with builtins; {
+with builtins;
+with lib;
+let
+  secretsDir = "${toString ../../hosts}/${config.networking.hostName}/secrets";
+  secretsFile = "${secretsDir}/secrets.nix";
+in {
   imports = [ inputs.agenix.nixosModules.age ];
   config.age = {
     secrets = let
-      toName = lib.removeSuffix ".age";
       userExists = u: builtins.hasAttr u config.users.users;
       # Only set the user if it exists, to avoid warnings
       userIfExists = u: if userExists u then u else "root";
-      toSecret = name:
-        { owner ? "root", ... }: {
-          file = ./. + "/${name}";
-          owner = lib.mkDefault (userIfExists owner);
-        };
-      convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
-      secrets = import ./secrets.nix;
-      in lib.mapAttrs' convertSecrets secrets;
-
+    in if pathExists secretsFile then
+      mapAttrs' (n: _:
+        nameValuePair (removeSuffix ".age" n) { file = "${secretsDir}/${n}"; })
+      (import secretsFile)
+    else
+      { };
     identityPaths = options.age.identityPaths.default
       ++ (filter pathExists [ "${config.users.users.fcuny.home}/.ssh/id_ed25519" ]);
   };
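Review bot: The rewritten `secrets` expression at `mapAttrs' (n: _:` discards each secret's attribute set, so an `owner` declared in a host's secrets.nix is now silently ignored and every secret falls back to agenix's default owner, while `userExists`, `userIfExists` and the comment above them remain in the `let` as dead bindings. If per-secret ownership is still wanted, keep the previous behaviour with `mapAttrs' (n: v:` / `nameValuePair (removeSuffix ".age" n) {` / `file = "${secretsDir}/${n}"; owner = mkDefault (userIfExists (v.owner or "root")); })`; otherwise drop the two unused helpers so a reader does not assume the owner is still honoured. The `pathExists secretsFile` fallback to `{ }` also means a host whose secrets directory is misplaced evaluates cleanly with no secrets defined at all, which deserves a comment such as `# No secrets.nix for this host: define no age secrets (check hosts/<hostName>/secrets if one was expected)`. The hunk header counts 22 old lines but only 21 are visible here, so the module's closing brace appears to lie outside the quoted hunk.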
diff --git a/modules/secrets/network/aptos/wireguard_privatekey.age b/modules/secrets/network/aptos/wireguard_privatekey.age
deleted file mode 100644
index 2f6edf3..0000000
Binary files a/modules/secrets/network/aptos/wireguard_privatekey.age and /dev/null differ
-- 
cgit 1.4.1