refactor: centralize SOPS configuration in separate file

2025-09-03 14:22:01 +05:30
parent 3d2f53e8f5
commit be5b646ece
12 changed files with 39 additions and 30 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -306,6 +306,10 @@
      name = device.name;
      user = device.user;
      is = name: device.name == name;
+      home =
+        if isDarwin
+        then "/Users/${device.user}"
+        else "/home/${device.user}";
    };

    nixos_devices = nixpkgs.lib.attrsets.filterAttrs (n: x: x.isNix) devices;
@@ -373,6 +377,7 @@
          overlays = import ./overlays.nix {
            inherit inputs;
          };
+          config.allowUnfree = true;
        };
      in {
        packages = rec {
--- a/home/programs/ssh.nix
+++ b/home/programs/ssh.nix
@@ -6,7 +6,6 @@
 }: {
  programs.ssh = {
    enable = true;
-    enableDefaultConfig = false;
    matchBlocks = {
      tsuba = {
        user = "servius";
@@ -46,13 +45,13 @@
        hostname = "steamdeck";
        forwardAgent = true;
      };
-      "*" = {
-        forwardAgent = false;
-        addKeysToAgent = "no";
-        # compression = true;
-        # HashKnownHosts = "no";
-        serverAliveInterval = 60;
-      };
+      # "*" = {
+      #   forwardAgent = false;
+      #   addKeysToAgent = "no";
+      #   # compression = true;
+      #   # HashKnownHosts = "no";
+      #   serverAliveInterval = 60;
+      # };
    };
    extraConfig =
      lib.strings.optionalString (pkgs.stdenv.isDarwin && !device.isServer)
@@ -63,4 +62,7 @@
        IdentityAgent ~/.1password/agent.sock
      '';
  };
+  # // lib.mkIf (!(device.is "tsuba")) {
+  #   enableDefaultConfig = false;
+  # };
 }
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -20,7 +20,6 @@
          inputs.sops-nix.nixosModules.sops
          inputs.disko.nixosModules.disko
          {nixpkgs.overlays = overlays;}
-          ./${device.name}/configuration.nix
          home-manager.nixosModules.home-manager
          inputs.arion.nixosModules.arion
          # inputs.command-runner.nixosModules.command-runner
@@ -43,6 +42,8 @@
              ];
            };
          }
+          ../sops.nix
+          ./${device.name}/configuration.nix
        ];
      }
  )
--- a/nixos/mirai/configuration.nix
+++ b/nixos/mirai/configuration.nix
@@ -24,9 +24,6 @@

  security.sudo.wheelNeedsPassword = false;
  sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
-    defaultSopsFormat = "yaml";
-    age.keyFile = "/home/fs0c131y/.config/sops/age/keys.txt";
    secrets."builder/mirai/cache/private" = {};
    secrets.users = {
      sopsFile = ../../secrets/users.yaml;
--- a/nixos/mirai/services/flaresolverr.nix
+++ b/nixos/mirai/services/flaresolverr.nix
@@ -1,7 +1,8 @@
-{...}: {
+{stablePkgs, ...}: {
  services = {
    flaresolverr = {
      enable = true;
+      package = stablePkgs.flaresolverr;
    };
  };
 }
--- a/nixos/mirai/services/llama.nix
+++ b/nixos/mirai/services/llama.nix
@@ -43,7 +43,7 @@
      };
    };
    open-webui = {
-      enable = true;
+      enable = false;
      port = 7070;
      environment = {
        SCARF_NO_ANALYTICS = "True";
--- a/nixos/mirai/services/lldap.nix
+++ b/nixos/mirai/services/lldap.nix
@@ -13,8 +13,8 @@
      http_port = 5090;
      ldap_port = 389;
      ldap_host = "::";
+      ldap_user_pass_file = config.sops.secrets."lldap/admin".path;
      environmentFile = ''
-        LLDAP_LDAP_USER_PASS_FILE = ${config.sops.secrets."lldap/admin".path};
        LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path};
        LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path};
      '';
--- a/nixos/ryu/configuration.nix
+++ b/nixos/ryu/configuration.nix
@@ -11,11 +11,11 @@
    ./containers
  ];

-  sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
-    defaultSopsFormat = "yaml";
-    age.keyFile = "/home/${device.user}/.config/sops/age/keys.txt";
-  };
+  # sops = {
+  #   defaultSopsFile = ../../secrets/secrets.yaml;
+  #   defaultSopsFormat = "yaml";
+  #   age.keyFile = "/home/${device.user}/.config/sops/age/keys.txt";
+  # };

  security.tpm2 = {
    enable = true;
--- a/nixos/tsuba/configuration.nix
+++ b/nixos/tsuba/configuration.nix
@@ -13,11 +13,6 @@

  nixpkgs.config.allowUnfree = true;
  security.sudo.wheelNeedsPassword = false;
-  sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
-    defaultSopsFormat = "yaml";
-    age.keyFile = "/home/servius/.config/sops/age/keys.txt";
-  };
  nix = {
    settings = {
      auto-optimise-store = true;
--- a/nixos/tsuba/default.nix
+++ b/nixos/tsuba/default.nix
@@ -49,6 +49,7 @@
          ./services
          ./disk-config.nix
          ./${name}.nix
+          ../../sops.nix
        ];
      }
  )
--- a/nixos/tsuba/services/caddy.nix
+++ b/nixos/tsuba/services/caddy.nix
@@ -31,11 +31,11 @@
            }
        }
      '';
-      # package = pkgs.caddy.withPlugins {
-      #   plugins = ["github.com/caddy-dns/hetzner@v1.0.0"];
-      #   hash = "sha256-9ea0CfOHG7JhejB73HjfXQpnonn+ZRBqLNz1fFRkcDQ=";
-      # };
-      package = pkgs.caddyWithHetzner;
+      package = pkgs.caddy.withPlugins {
+        plugins = ["github.com/caddy-dns/hetzner@v1.0.0"];
+        hash = "sha256-9ea0CfOHG7JhejB73HjfXQpnonn+ZRBqLNz1fFRkcDQ=";
+      };
+      # package = pkgs.caddyWithHetzner;
    };
  };
  systemd.services.caddy = {
--- a/sops.nix
+++ b/sops.nix
@@ -0,0 +1,7 @@
+{device, ...}: {
+  sops = {
+    defaultSopsFile = secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age.keyFile = "${device.home}/.config/sops/age/keys.txt";
+  };
+}