Move sopsDefaultFile into hosts

flake.nix

@@ -440,9 +440,6 @@
           modules = [
             self.nixosModules.microvm
             ./hosts/broker
-            {
-              sops.defaultSopsFile = ./hosts/broker/secrets.yaml;
-            }
           ];
         };
 
@@ -454,7 +451,6 @@
               nixpkgs.overlays = with secrets.overlays; [
                 freifunk ospf
               ];
-              sops.defaultSopsFile = ./hosts/freifunk/secrets.yaml;
             }
           ];
         };
@@ -479,18 +475,12 @@
             nixos-hardware.nixosModules.common-cpu-intel
             nixos-hardware.nixosModules.common-pc-ssd
             secrets.nixosModules.admins
-            {
-              sops.defaultSopsFile = ./hosts/glotzbert/secrets.yaml;
-            }
           ];
         };
 
         hedgedoc = nixosSystem' {
           modules = [
             self.nixosModules.microvm
-            {
-              sops.defaultSopsFile = ./hosts/hedgedoc/secrets.yaml;
-            }
             ./hosts/hedgedoc
           ];
           nixpkgs = inputs.nixos-unstable-sandro;
@@ -509,7 +499,6 @@
             ({ modulesPath, ... }:
             {
               nixpkgs.overlays = [ heliwatch.overlay ];
-              sops.defaultSopsFile = ./hosts/radiobert/secrets.yaml;
             })
             ./hosts/radiobert
           ];
@@ -570,7 +559,6 @@
             ./hosts/dn42
             {
               nixpkgs.overlays = [ secrets.overlays.dn42 ];
-              sops.defaultSopsFile = ./hosts/dn42/secrets.yaml;
             }
           ];
         };
@@ -591,7 +579,6 @@
                 inherit self;
                 inherit (inputs) hydra-ca;
               };
-              sops.defaultSopsFile = ./hosts/hydra/secrets.yaml;
             }
           ];
         };
@@ -685,9 +672,6 @@
             self.nixosModules.plume
             self.nixosModules.microvm
             ./hosts/blogs
-            {
-              sops.defaultSopsFile = ./hosts/blogs/secrets.yaml;
-            }
           ];
         };
 
@@ -717,7 +701,6 @@
             ./hosts/oparl
             {
               _module.args = { inherit oparl-scraper; };
-              sops.defaultSopsFile = ./hosts/oparl/secrets.yaml;
             }
           ];
         };
@@ -759,9 +742,6 @@
           modules = [
             self.nixosModules.microvm
             ./hosts/mediawiki
-            {
-              sops.defaultSopsFile = ./hosts/mediawiki/secrets.yaml;
-            }
           ];
           nixpkgs = nixos-unstable;
         };

hosts/blogs/default.nix

@@ -19,10 +19,13 @@
     envFile = config.sops.secrets."plume/env".path;
   };
 
-  sops.secrets = {
+  sops = {
-    "plume/env".owner = config.systemd.services.plume.serviceConfig.User;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      "plume/env".owner = config.systemd.services.plume.serviceConfig.User;
+    };
   };
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
   services.nginx.enable = true;
   services.nginx.virtualHosts."blogs.c3d2.de" = {

hosts/broker/default.nix

@@ -118,6 +118,7 @@ in
 
   sops = {
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets.yaml;
     secrets = let
       perms = {
         owner = config.systemd.services.mosquitto.serviceConfig.User;

hosts/dn42/default.nix

@@ -37,18 +37,21 @@ in {
 
   # SSH for deployment
   services.openssh.enable = true;
-  sops.secrets = builtins.foldl' (result: name:
+  sops = {
-    let
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-      conf = neighbors.${name};
+    defaultSopsFile = ./secrets.yaml;
-    in result // (
+    secrets = builtins.foldl' (result: name:
-      if conf ? openvpn
+      let
-      then { "neighbors/${name}/openvpn/key" = {}; }
+        conf = neighbors.${name};
-      else if conf ? wireguard
+      in result // (
-      then { "neighbors/${name}/wireguard/privateKey" = {}; }
+        if conf ? openvpn
-      else {}
+        then { "neighbors/${name}/openvpn/key" = {}; }
-    )
+        else if conf ? wireguard
-  ) {} (builtins.attrNames neighbors);
+        then { "neighbors/${name}/wireguard/privateKey" = {}; }
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+        else {}
+      )
+    ) {} (builtins.attrNames neighbors);
+  };
 
   boot.kernel.sysctl = {
     "net.ipv4.conf.all.forwarding" = true;

hosts/freifunk/default.nix

@@ -94,11 +94,14 @@ in {
 
   environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools iperf bmxd ];
 
-  sops.secrets."wireguard/vpn6/privateKey" = {
+  sops = {
-    group = "systemd-network";
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    mode = "0440";
+    defaultSopsFile = ./secrets.yaml;
+    secrets."wireguard/vpn6/privateKey" = {
+      group = "systemd-network";
+      mode = "0440";
+    };
   };
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
   # unbreak wg-vpn6 ingress path
   boot.kernel.sysctl."net.ipv4.conf.core.rp_filter" = 0;

hosts/glotzbert/default.nix

@@ -18,7 +18,10 @@
     maxJobs = 4;
   };
 
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets.yaml;
+  };
 
   boot = {
     loader = {

hosts/hedgedoc/default.nix

@@ -89,6 +89,7 @@
 
   sops = {
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets.yaml;
     secrets = {
       "hedgedoc".owner = config.systemd.services.hedgedoc.serviceConfig.User;
     };

hosts/hydra/hydra.nix

@@ -132,7 +132,10 @@
     resolved.enable = false;
   };
 
-  sops.secrets."nix-serve/secretKey".mode = "0444";
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets."nix-serve/secretKey".mode = "0444";
+  };
 
   systemd.services = {
     hydra-evaluator.serviceConfig = {

hosts/mediawiki/default.nix

@@ -34,21 +34,23 @@
 
   system.stateVersion = "22.05";
 
-  sops.secrets = {
+  sops = {
-    "mediawiki/adminPassword" = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-      owner = config.systemd.services.mediawiki-init.serviceConfig.User;
+    defaultSopsFile = ./hosts/mediawiki/secrets.yaml;
-    };
+    secrets = {
-    "mediawiki/upgradeKey" = {
+      "mediawiki/adminPassword" = {
-      owner = config.systemd.services.mediawiki-init.serviceConfig.User;
+        owner = config.systemd.services.mediawiki-init.serviceConfig.User;
-    };
+      };
-    "mediawiki/secretKey" = {
+      "mediawiki/upgradeKey" = {
-      owner = config.systemd.services.mediawiki-init.serviceConfig.User;
+        owner = config.systemd.services.mediawiki-init.serviceConfig.User;
-      path = "/var/lib/mediawiki/secret.key";
+      };
+      "mediawiki/secretKey" = {
+        owner = config.systemd.services.mediawiki-init.serviceConfig.User;
+        path = "/var/lib/mediawiki/secret.key";
+      };
     };
   };
 
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-
   services.logrotate.checkConfig = false;
 
   services.mediawiki =

hosts/oparl/default.nix

@@ -23,7 +23,11 @@ in
     "C ${config.users.users.oparl.home}/.ssh/id_ed25519 0400 oparl oparl - ${config.sops.secrets."users/oparl/id_ed25519".path}"
     "z ${config.users.users.oparl.home}/.ssh/id_ed25519 0400 oparl oparl - -"
   ];
-  sops.secrets."users/oparl/id_ed25519" = {};
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets."users/oparl/id_ed25519" = {};
+  };
 
   systemd.services.oparl-scraper = {
     wantedBy = [ "multi-user.target" ];

hosts/radiobert/default.nix

@@ -91,7 +91,10 @@
     maxJobs = 2;
   };
 
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets.yaml;
+  };
 
   networking = {
     hostName = "radiobert"; # Define your hostname.