diff --git a/flake.nix b/flake.nix
index aff85a79..747ac675 100644
--- a/flake.nix
+++ b/flake.nix
@@ -440,9 +440,6 @@
 modules = [
 self.nixosModules.microvm
 ./hosts/broker
- {
- sops.defaultSopsFile = ./hosts/broker/secrets.yaml;
- }
 ];
 };
@@ -454,7 +451,6 @@
 nixpkgs.overlays = with secrets.overlays; [ freifunk ospf ];
- sops.defaultSopsFile = ./hosts/freifunk/secrets.yaml;
 }
 ];
 };
@@ -479,18 +475,12 @@
 nixos-hardware.nixosModules.common-cpu-intel
 nixos-hardware.nixosModules.common-pc-ssd
 secrets.nixosModules.admins
- {
- sops.defaultSopsFile = ./hosts/glotzbert/secrets.yaml;
- }
 ];
 };
 hedgedoc = nixosSystem' {
 modules = [
 self.nixosModules.microvm
- {
- sops.defaultSopsFile = ./hosts/hedgedoc/secrets.yaml;
- }
 ./hosts/hedgedoc
 ];
 nixpkgs = inputs.nixos-unstable-sandro;
@@ -509,7 +499,6 @@
 ({ modulesPath, ... }: {
 nixpkgs.overlays = [ heliwatch.overlay ];
- sops.defaultSopsFile = ./hosts/radiobert/secrets.yaml;
 })
 ./hosts/radiobert
 ];
@@ -570,7 +559,6 @@
 ./hosts/dn42
 {
 nixpkgs.overlays = [ secrets.overlays.dn42 ];
- sops.defaultSopsFile = ./hosts/dn42/secrets.yaml;
 }
 ];
 };
@@ -591,7 +579,6 @@
 inherit self;
 inherit (inputs) hydra-ca;
 };
- sops.defaultSopsFile = ./hosts/hydra/secrets.yaml;
 }
 ];
 };
@@ -685,9 +672,6 @@
 self.nixosModules.plume
 self.nixosModules.microvm
 ./hosts/blogs
- {
- sops.defaultSopsFile = ./hosts/blogs/secrets.yaml;
- }
 ];
 };
@@ -717,7 +701,6 @@
 ./hosts/oparl
 {
 _module.args = { inherit oparl-scraper; };
- sops.defaultSopsFile = ./hosts/oparl/secrets.yaml;
 }
 ];
 };
@@ -759,9 +742,6 @@
 modules = [
 self.nixosModules.microvm
 ./hosts/mediawiki
- {
- sops.defaultSopsFile = ./hosts/mediawiki/secrets.yaml;
- }
 ];
 nixpkgs = nixos-unstable;
 };
diff --git a/hosts/blogs/default.nix b/hosts/blogs/default.nix
index 6bdedd6e..a45d968e 100644
--- a/hosts/blogs/default.nix
+++ b/hosts/blogs/default.nix
@@ -19,10 +19,13 @@
 envFile = config.sops.secrets."plume/env".path;
 };
- sops.secrets = {
- "plume/env".owner = config.systemd.services.plume.serviceConfig.User;
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
+ secrets = {
+ "plume/env".owner = config.systemd.services.plume.serviceConfig.User;
+ };
 };
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 services.nginx.enable = true;
 services.nginx.virtualHosts."blogs.c3d2.de" = {
diff --git a/hosts/broker/default.nix b/hosts/broker/default.nix
index a5ec0c2b..b70a5128 100644
--- a/hosts/broker/default.nix
+++ b/hosts/broker/default.nix
@@ -118,6 +118,7 @@ in
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
 secrets = let
 perms = {
 owner = config.systemd.services.mosquitto.serviceConfig.User;
diff --git a/hosts/dn42/default.nix b/hosts/dn42/default.nix
index e19c7a65..879ca71d 100644
--- a/hosts/dn42/default.nix
+++ b/hosts/dn42/default.nix
@@ -37,18 +37,21 @@ in {
 # SSH for deployment
 services.openssh.enable = true;
- sops.secrets = builtins.foldl' (result: name:
- let
- conf = neighbors.${name};
- in result // (
- if conf ? openvpn
- then { "neighbors/${name}/openvpn/key" = {}; }
- else if conf ? wireguard
- then { "neighbors/${name}/wireguard/privateKey" = {}; }
- else {}
- )
- ) {} (builtins.attrNames neighbors);
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
+ secrets = builtins.foldl' (result: name:
+ let
+ conf = neighbors.${name};
+ in result // (
+ if conf ? openvpn
+ then { "neighbors/${name}/openvpn/key" = {}; }
+ else if conf ? wireguard
+ then { "neighbors/${name}/wireguard/privateKey" = {}; }
+ else {}
+ )
+ ) {} (builtins.attrNames neighbors);
+ };
 boot.kernel.sysctl = {
 "net.ipv4.conf.all.forwarding" = true;
diff --git a/hosts/freifunk/default.nix b/hosts/freifunk/default.nix
index abe5be6c..e0df552c 100644
--- a/hosts/freifunk/default.nix
+++ b/hosts/freifunk/default.nix
@@ -94,11 +94,14 @@ in {
 environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf bmxd ];
- sops.secrets."wireguard/vpn6/privateKey" = {
- group = "systemd-network";
- mode = "0440";
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
+ secrets."wireguard/vpn6/privateKey" = {
+ group = "systemd-network";
+ mode = "0440";
+ };
 };
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 # unbreak wg-vpn6 ingress path
 boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;
diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix
index 1255cbaa..52388e7e 100644
--- a/hosts/glotzbert/default.nix
+++ b/hosts/glotzbert/default.nix
@@ -18,7 +18,10 @@
 maxJobs = 4;
 };
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
+ };
 boot = {
 loader = {
diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix
index ece9ecd8..13a99167 100644
--- a/hosts/hedgedoc/default.nix
+++ b/hosts/hedgedoc/default.nix
@@ -89,6 +89,7 @@
 sops = {
 age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
 secrets = {
 "hedgedoc".owner = config.systemd.services.hedgedoc.serviceConfig.User;
 };
diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix
index 7801bfcb..0ffd1b9b 100644
--- a/hosts/hydra/hydra.nix
+++ b/hosts/hydra/hydra.nix
@@ -132,7 +132,10 @@
 resolved.enable = false;
 };
- sops.secrets."nix-serve/secretKey".mode = "0444";
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets."nix-serve/secretKey".mode = "0444";
+ };
 systemd.services = {
 hydra-evaluator.serviceConfig = {
diff --git a/hosts/mediawiki/default.nix b/hosts/mediawiki/default.nix
index e2c18899..dbcd6203 100644
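Review bot: The hydra.nix block now pins `defaultSopsFile` but, unlike every other host touched in this change, sets no `age.sshKeyPaths`; the line deleted from flake.nix for hydra also only set the file, so unless another hydra module configures the key path, decryption depends on sops-nix's fallback of deriving the age identity from the host's openssh keys. Add `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` here for consistency, or a comment naming the module that provides it. The carried-over `secrets."nix-serve/secretKey".mode = "0444";` also leaves the binary-cache signing key readable by every local user, who could then sign store paths that clients of this cache trust; `mode = "0400"` with `owner` set to the user nix-serve runs as would be tighter, assuming that service reads the key as its own user. The enclosing module attribute set starts and ends outside this hunk.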
--- a/hosts/mediawiki/default.nix
+++ b/hosts/mediawiki/default.nix
@@ -34,21 +34,23 @@
 system.stateVersion = "22.05";
- sops.secrets = {
- "mediawiki/adminPassword" = {
- owner = config.systemd.services.mediawiki-init.serviceConfig.User;
- };
- "mediawiki/upgradeKey" = {
- owner = config.systemd.services.mediawiki-init.serviceConfig.User;
- };
- "mediawiki/secretKey" = {
- owner = config.systemd.services.mediawiki-init.serviceConfig.User;
- path = "/var/lib/mediawiki/secret.key";
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./hosts/mediawiki/secrets.yaml;
+ secrets = {
+ "mediawiki/adminPassword" = {
+ owner = config.systemd.services.mediawiki-init.serviceConfig.User;
+ };
+ "mediawiki/upgradeKey" = {
+ owner = config.systemd.services.mediawiki-init.serviceConfig.User;
+ };
+ "mediawiki/secretKey" = {
+ owner = config.systemd.services.mediawiki-init.serviceConfig.User;
+ path = "/var/lib/mediawiki/secret.key";
+ };
 };
 };
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
 services.logrotate.checkConfig = false;
 services.mediawiki =
diff --git a/hosts/oparl/default.nix b/hosts/oparl/default.nix
index df882d95..32f1c6fb 100644
--- a/hosts/oparl/default.nix
+++ b/hosts/oparl/default.nix
@@ -23,7 +23,11 @@ in
 "C ${config.users.users.oparl.home}/.ssh/id_ed25519 0400 oparl oparl - ${config.sops.secrets."users/oparl/id_ed25519".path}"
 "z ${config.users.users.oparl.home}/.ssh/id_ed25519 0400 oparl oparl - -"
 ];
- sops.secrets."users/oparl/id_ed25519" = {};
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ secrets."users/oparl/id_ed25519" = {};
+ };
 systemd.services.oparl-scraper = {
 wantedBy = [ "multi-user.target" ];
diff --git a/hosts/radiobert/default.nix b/hosts/radiobert/default.nix
index ce8c6f29..7112a66f 100644
--- a/hosts/radiobert/default.nix
+++ b/hosts/radiobert/default.nix
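Review bot: `defaultSopsFile = ./hosts/mediawiki/secrets.yaml;` is a path literal relative to hosts/mediawiki/default.nix, so it resolves to hosts/mediawiki/hosts/mediawiki/secrets.yaml, a file that cannot exist; the path removed from flake.nix was relative to the flake root, and every other host in this change uses `./secrets.yaml`. Change the line to `defaultSopsFile = ./secrets.yaml;`. The mistake should surface as an evaluation or build failure rather than a silently wrong secrets file, but it blocks deploying the mediawiki host until fixed. The enclosing module attribute set starts and ends outside this hunk.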
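Review bot: The new oparl `sops` block sets only `defaultSopsFile` and no `age.sshKeyPaths`, whereas every other host touched here except hydra pins `/etc/ssh/ssh_host_ed25519_key` in the same block. If the key path comes from a shared module that is fine, otherwise add `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` so decryption does not depend on sops-nix's defaults. The tmpfiles rules above it, which copy the decrypted key into the oparl user's home, belong to a list that begins outside this hunk.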
@@ -91,7 +91,10 @@
 maxJobs = 2;
 };
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ./secrets.yaml;
+ };
 networking = {
 hostName = "radiobert"; # Define your hostname.