Refactor secrets

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:01:47 +01:00
parent ba55a766ec
commit 15bf209e8c
62 changed files with 214 additions and 158 deletions
--- a/hosts/common/configs/system/nix-install/install.sh
+++ b/hosts/common/configs/system/nix-install/install.sh
@@ -51,7 +51,7 @@ check_key() {
 set_password_file() {
  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
  export SOPS_AGE_KEY_FILE
-  sops --decrypt --extract "['luks']" "$flake/hosts/$host/secrets/secrets.yaml" > /tmp/keyfile
+  sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
  unset SOPS_AGE_KEY_FILE
 }

@@ -64,7 +64,7 @@ prepare_disk() {

 copy_keys() {
  mkdir -p "$root/persist/state/etc/ssh"
-  cp -f "$flake/hosts/$host/secrets/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
+  cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"

  for path in "$flake/hosts/$host/users"/*; do
    if [[ -z "$key" ]]; then
--- a/hosts/common/configs/system/nix/default.nix
+++ b/hosts/common/configs/system/nix/default.nix
@@ -2,10 +2,8 @@
 {
  sops = {
    secrets = {
-      "git/credentials/github.com/public/username".sopsFile =
-        ../../../../../secrets/personal/secrets.yaml;
-      "git/credentials/github.com/public/password".sopsFile =
-        ../../../../../secrets/personal/secrets.yaml;
+      "git/credentials/github.com/public/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      "git/credentials/github.com/public/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    };

    templates.nix-access-tokens = {
--- a/hosts/common/configs/system/sops/default.nix
+++ b/hosts/common/configs/system/sops/default.nix
@@ -18,7 +18,7 @@
  };

  sops = {
-    defaultSopsFile = ../../../../. + "/${config.networking.hostName}/secrets/secrets.yaml";
+    defaultSopsFile = "${inputs.secrets}/hosts/${config.networking.hostName}/secrets.yaml";

    age = {
      generateKey = true;
--- a/hosts/common/configs/system/ssh/default.nix
+++ b/hosts/common/configs/system/ssh/default.nix
@@ -1,22 +1,22 @@
-{ ... }:
+{ inputs, ... }:
 {
  programs.ssh.knownHosts = {
-    installer.publicKeyFile = ../../../../installer/secrets/ssh_host_ed25519_key.pub;
-    elara.publicKeyFile = ../../../../elara/secrets/ssh_host_ed25519_key.pub;
-    himalia.publicKeyFile = ../../../../himalia/secrets/ssh_host_ed25519_key.pub;
+    installer.publicKeyFile = "${inputs.secrets}/hosts/installer/ssh_host_ed25519_key.pub";
+    elara.publicKeyFile = "${inputs.secrets}/hosts/elara/ssh_host_ed25519_key.pub";
+    himalia.publicKeyFile = "${inputs.secrets}/hosts/himalia/ssh_host_ed25519_key.pub";

    jupiter = {
-      publicKeyFile = ../../../../jupiter/secrets/ssh_host_ed25519_key.pub;
+      publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_host_ed25519_key.pub";
      extraHostNames = [ "karaolidis.com" ];
    };

    jupiter-sish = {
-      publicKeyFile = ../../../../jupiter/users/storm/configs/console/podman/sish/ssh_host_ed25519_key.pub;
+      publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub";
      extraHostNames = [ "karaolidis.com" ];
    };

    jupiter-vps = {
-      publicKeyFile = ../../../../jupiter-vps/secrets/ssh_host_ed25519_key.pub;
+      publicKeyFile = "${inputs.secrets}/hosts/jupiter-vps/ssh_host_ed25519_key.pub";
      extraHostNames = [ "vps.karaolidis.com" ];
    };
  };
--- a/hosts/common/configs/user/gui/darktable/default.nix
+++ b/hosts/common/configs/user/gui/darktable/default.nix
@@ -82,6 +82,6 @@ in
    };

    sops.secrets."jupiter/photos.karaolidis.com/admin".sopsFile =
-      ../../../../../../secrets/personal/secrets.yaml;
+      "${inputs.secrets}/personal/secrets.yaml";
  };
 }
--- a/hosts/common/configs/user/gui/obsidian/default.nix
+++ b/hosts/common/configs/user/gui/obsidian/default.nix
@@ -380,7 +380,7 @@ in
              ];
              searchProvider = "google";
              geocodingApiMethod = "path";
-              geocodingApiPath = hmConfig.sops.secrets."google/geocoding".path;
+              geocodingApiPath = hmConfig.sops.secrets."google/cloud/obsidian/geocoding".path;
              useGooglePlaces = true;
              letZoomBeyondMax = true;
              showGeolinkPreview = true;
@@ -608,6 +608,6 @@ in
      }
    ) hmConfig.programs.obsidian.vaults;

-    sops.secrets."google/geocoding".sopsFile = ../../../../../../secrets/personal/secrets.yaml;
+    sops.secrets."google/cloud/obsidian/geocoding".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
  };
 }
--- a/hosts/common/configs/user/gui/spicetify/default.nix
+++ b/hosts/common/configs/user/gui/spicetify/default.nix
@@ -64,7 +64,7 @@ in
        ];
      };

-    sops.secrets."spotify/username".sopsFile = ../../../../../../secrets/personal/secrets.yaml;
+    sops.secrets."spotify/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";

    xdg.configFile = {
      "spotify/prefs.init" = {
--- a/hosts/elara/configs/git/default.nix
+++ b/hosts/elara/configs/git/default.nix
@@ -10,7 +10,7 @@ let
 in
 {
  sops.secrets."ssh/sas/ed25519/key" = {
-    sopsFile = ../../../../secrets/sas/secrets.yaml;
+    sopsFile = "${inputs.secrets}/sas/secrets.yaml";
    key = "ssh/ed25519/key";
    path = "/root/.ssh/ssh_sas_ed25519_key";
  };
--- a/hosts/elara/secrets/ssh_host_ed25519_key.pub
+++ b/hosts/elara/secrets/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD root@elara
--- a/hosts/elara/users/nikara/configs/console/git/default.nix
+++ b/hosts/elara/users/nikara/configs/console/git/default.nix
@@ -16,22 +16,22 @@ in
    sops = {
      secrets = {
        "git/credentials/personal/git.karaolidis.com/admin/username" = {
-          sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+          sopsFile = "${inputs.secrets}/personal/secrets.yaml";
          key = "git/credentials/git.karaolidis.com/admin/username";
        };

        "git/credentials/personal/git.karaolidis.com/admin/password" = {
-          sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+          sopsFile = "${inputs.secrets}/personal/secrets.yaml";
          key = "git/credentials/git.karaolidis.com/admin/password";
        };

        "git/credentials/sas/github.com/admin/username" = {
-          sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+          sopsFile = "${inputs.secrets}/sas/secrets.yaml";
          key = "git/credentials/github.com/admin/username";
        };

        "git/credentials/sas/github.com/admin/password" = {
-          sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+          sopsFile = "${inputs.secrets}/sas/secrets.yaml";
          key = "git/credentials/github.com/admin/password";
        };
      };
--- a/hosts/elara/users/nikara/configs/console/gpg/default.nix
+++ b/hosts/elara/users/nikara/configs/console/gpg/default.nix
@@ -1,5 +1,5 @@
 { user, home }:
-{ config, ... }:
+{ config, inputs, ... }:
 let
  hmConfig = config.home-manager.users.${user};
 in
@@ -7,22 +7,22 @@ in
  home-manager.users.${user} = {
    sops.secrets = {
      "gpg/personal/key" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "gpg/key";
      };

      "gpg/personal/pass" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "gpg/pass";
      };

      "gpg/sas/key" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "gpg/key";
      };

      "gpg/sas/pass" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "gpg/pass";
      };
    };
--- a/hosts/elara/users/nikara/configs/console/podman/default.nix
+++ b/hosts/elara/users/nikara/configs/console/podman/default.nix
@@ -3,6 +3,7 @@
  config,
  lib,
  pkgs,
+  inputs,
  ...
 }:
 let
@@ -12,17 +13,17 @@ in
  home-manager.users.${user}.sops = {
    secrets = {
      "registry/personal/docker.io" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "registry/docker.io";
      };

      "registry/personal/registry.karaolidis.com" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "registry/registry.karaolidis.com";
      };

      "registry/sas/cr.sas.com" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "registry/cr.sas.com";
      };
    };
--- a/hosts/elara/users/nikara/configs/console/sas/default.nix
+++ b/hosts/elara/users/nikara/configs/console/sas/default.nix
@@ -1,8 +1,8 @@
 { user, home }:
-{ ... }:
+{ inputs, ... }:
 {
  home-manager.users.${user}.sops.secrets = {
-    "artifactory/cdp/user".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
-    "artifactory/cdp/password".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+    "artifactory/cdp/user".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+    "artifactory/cdp/password".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
  };
 }
--- a/hosts/elara/users/nikara/configs/console/ssh/default.nix
+++ b/hosts/elara/users/nikara/configs/console/ssh/default.nix
@@ -14,35 +14,35 @@ in
  home-manager.users.${user} = {
    sops.secrets = {
      "ssh/personal/key" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "ssh/key";
        path = "${home}/.ssh/ssh_personal_ed25519_key";
      };

      "ssh/personal/pass" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "ssh/pass";
      };

      "ssh/sas/ed25519/key" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/ed25519/key";
        path = "${home}/.ssh/ssh_sas_ed25519_key";
      };

      "ssh/sas/ed25519/pass" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/ed25519/pass";
      };

      "ssh/sas/rsa/key" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/rsa/key";
        path = "${home}/.ssh/ssh_sas_rsa_key";
      };

      "ssh/sas/rsa/pass" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/rsa/pass";
      };
    };
--- a/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix
+++ b/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix
@@ -13,8 +13,8 @@ in
 {
  home-manager.users.${user} = {
    sops.secrets = {
-      "viya/orders-api/key".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
-      "viya/orders-api/secret".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+      "viya/orders-api/key".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+      "viya/orders-api/secret".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
    };

    home.packages = [ selfPkgs.viya4-orders-cli ];
--- a/hosts/elara/users/nikara/default.nix
+++ b/hosts/elara/users/nikara/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
 let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -97,7 +102,7 @@ in

  # mkpasswd -s
  sops.secrets."${user}-password" = {
-    sopsFile = ../../../../secrets/sas/secrets.yaml;
+    sopsFile = "${inputs.secrets}/sas/secrets.yaml";
    key = "password";
    neededForUsers = true;
  };
--- a/hosts/himalia/secrets/ssh_host_ed25519_key.pub
+++ b/hosts/himalia/secrets/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgGmzh23q/ucuZRRkS4LdPfBdTDWJk0UrlUYVnC7j2b root@himalia
--- a/hosts/himalia/users/nick/configs/console/git/default.nix
+++ b/hosts/himalia/users/nick/configs/console/git/default.nix
@@ -15,9 +15,9 @@ in
    sops = {
      secrets = {
        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
-          ../../../../../../../secrets/personal/secrets.yaml;
+          "${inputs.secrets}/personal/secrets.yaml";
        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
-          ../../../../../../../secrets/personal/secrets.yaml;
+          "${inputs.secrets}/personal/secrets.yaml";
      };

      templates."git/credentials" = {
--- a/hosts/himalia/users/nick/configs/console/gpg/default.nix
+++ b/hosts/himalia/users/nick/configs/console/gpg/default.nix
@@ -1,13 +1,13 @@
 { user, home }:
-{ config, ... }:
+{ config, inputs, ... }:
 let
  hmConfig = config.home-manager.users.${user};
 in
 {
  home-manager.users.${user} = {
    sops.secrets = {
-      "gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
-      "gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+      "gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      "gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    };

    programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;
--- a/hosts/himalia/users/nick/configs/console/podman/default.nix
+++ b/hosts/himalia/users/nick/configs/console/podman/default.nix
@@ -1,13 +1,18 @@
 { user, home }:
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
 let
  hmConfig = config.home-manager.users.${user};
 in
 {
  home-manager.users.${user}.sops = {
    secrets = {
-      "registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
-      "registry/registry.karaolidis.com".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+      "registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      "registry/registry.karaolidis.com".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    };

    templates."containers-auth.json" = {
--- a/hosts/himalia/users/nick/configs/console/ssh/default.nix
+++ b/hosts/himalia/users/nick/configs/console/ssh/default.nix
@@ -1,5 +1,5 @@
 { user, home }:
-{ config, ... }:
+{ config, inputs, ... }:
 let
  hmConfig = config.home-manager.users.${user};
 in
@@ -7,11 +7,11 @@ in
  home-manager.users.${user} = {
    sops.secrets = {
      "ssh/key" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        path = "${home}/.ssh/ssh_personal_ed25519_key";
      };

-      "ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+      "ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    };

    programs.clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;
--- a/hosts/himalia/users/nick/default.nix
+++ b/hosts/himalia/users/nick/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
 let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -94,7 +99,7 @@ in

  # mkpasswd -s
  sops.secrets."${user}-password" = {
-    sopsFile = ../../../../secrets/personal/secrets.yaml;
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    key = "password";
    neededForUsers = true;
  };
--- a/hosts/installer/secrets/ssh_host_ed25519_key.pub
+++ b/hosts/installer/secrets/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEIK+JkxkC0E8w0IF59gtpG55JBS/osqs1B7VhsI0eI root@installer
--- a/hosts/installer/users/nick/configs/console/git/default.nix
+++ b/hosts/installer/users/nick/configs/console/git/default.nix
@@ -15,9 +15,9 @@ in
    sops = {
      secrets = {
        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
-          ../../../../../../../secrets/personal/secrets.yaml;
+          "${inputs.secrets}/personal/secrets.yaml";
        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
-          ../../../../../../../secrets/personal/secrets.yaml;
+          "${inputs.secrets}/personal/secrets.yaml";
      };

      templates."git/credentials" = {
--- a/hosts/installer/users/nick/configs/console/gpg/default.nix
+++ b/hosts/installer/users/nick/configs/console/gpg/default.nix
@@ -1,8 +1,8 @@
 { user, home }:
-{ ... }:
+{ inputs, ... }:
 {
  home-manager.users.${user}.sops.secrets = {
-    "gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
-    "gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+    "gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    "gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
  };
 }
--- a/hosts/installer/users/nick/configs/console/ssh/default.nix
+++ b/hosts/installer/users/nick/configs/console/ssh/default.nix
@@ -1,14 +1,14 @@
 { user, home }:
-{ ... }:
+{ inputs, ... }:
 {
  home-manager.users.${user} = {
    sops.secrets = {
      "ssh/key" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        path = "${home}/.ssh/ssh_personal_ed25519_key";
      };

-      "ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+      "ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    };

    programs.ssh.matchBlocks = {
--- a/hosts/installer/users/nick/default.nix
+++ b/hosts/installer/users/nick/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
 let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -41,7 +46,7 @@ in

  # mkpasswd -s
  sops.secrets."${user}-password" = {
-    sopsFile = ../../../../secrets/personal/secrets.yaml;
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    key = "password";
    neededForUsers = true;
  };
--- a/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub
+++ b/hosts/jupiter-vps/secrets/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEQGAjeS+Q5aB8uTmy//XyFRFihtUBeWJbFhIi8YEa3 root@jupiter-vps
--- a/hosts/jupiter/configs/tv/default.nix
+++ b/hosts/jupiter/configs/tv/default.nix
@@ -62,8 +62,8 @@ in

  sops = {
    secrets = {
-      "tv/network/password".sopsFile = ../../secrets/secrets.yaml;
-      "tv/adguard/admin".sopsFile = ../../secrets/secrets.yaml;
+      "tv/network/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+      "tv/adguard/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
    };

    templates.adguard-env.content = ''
--- a/hosts/jupiter/secrets/ssh_host_ed25519_key.pub
+++ b/hosts/jupiter/secrets/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoe+/nXBPhLKVZ2Fo4iif8F9WgrriBE+/oXPdANR+7G root@jupiter
--- a/hosts/jupiter/users/nick/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/nick/configs/console/podman/default.nix
@@ -1,11 +1,16 @@
 { user, home }:
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
 let
  hmConfig = config.home-manager.users.${user};
 in
 {
  home-manager.users.${user}.sops = {
-    secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+    secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";

    templates.containers-auth = {
      content = builtins.readFile (
--- a/hosts/jupiter/users/nick/default.nix
+++ b/hosts/jupiter/users/nick/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
 let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -38,7 +43,7 @@ in

  # mkpasswd -s
  sops.secrets."${user}-password" = {
-    sopsFile = ../../../../secrets/personal/secrets.yaml;
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    key = "password";
    neededForUsers = true;
  };
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -16,14 +16,14 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "authelia/resetPasswordJwt".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "authelia/oidcHmac".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "authelia/oidcKey".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "authelia/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "authelia/session".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "authelia/resetPasswordJwt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "authelia/oidcHmac".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "authelia/oidcKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "authelia/storage".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "authelia/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "authelia/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "authelia/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -1,5 +1,10 @@
 { user, home }:
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
 let
  hmConfig = config.home-manager.users.${user};
 in
@@ -35,7 +40,7 @@ in
    ];

    sops = {
-      secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+      secrets."registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";

      templates.containers-auth = {
        content = builtins.readFile (
--- a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix
@@ -68,14 +68,14 @@ in
    {
      sops = {
        secrets = {
-          "gitea/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
-          "gitea/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
-          "gitea/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
-          "gitea/internalToken".sopsFile = ../../../../../../secrets/secrets.yaml;
-          "gitea/jwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
-          "gitea/lfsJwtSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
-          "gitea/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
-          "gitea/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+          "gitea/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/internalToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/jwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/lfsJwtSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+          "gitea/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
        };

        templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix
@@ -17,9 +17,9 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "grafana/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "grafana/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "grafana/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "grafana/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "grafana/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "grafana/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/jellyfin/default.nix
@@ -17,11 +17,11 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "jellyfin/admin".sopsFile = ../../../../../../../secrets/secrets.yaml;
-        "jellyfin/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml;
-        "jellyfin/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml;
-        "opensubtitles/username".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml;
-        "opensubtitles/password".sopsFile = ../../../../../../../../../secrets/personal/secrets.yaml;
+        "jellyfin/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "jellyfin/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "jellyfin/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "opensubtitles/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+        "opensubtitles/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/media/jellyseerr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/jellyseerr/default.nix
@@ -24,9 +24,9 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "jellyseerr/smtp".sopsFile = ../../../../../../../secrets/secrets.yaml;
-        "jellyseerr/authelia/password".sopsFile = ../../../../../../../secrets/secrets.yaml;
-        "jellyseerr/authelia/digest".sopsFile = ../../../../../../../secrets/secrets.yaml;
+        "jellyseerr/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "jellyseerr/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "jellyseerr/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/media/prowlarr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/prowlarr/default.nix
@@ -20,7 +20,7 @@ in
 {
  home-manager.users.${user} = {
    sops = {
-      secrets."prowlarr/apiKey".sopsFile = ../../../../../../../secrets/secrets.yaml;
+      secrets."prowlarr/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";

      templates = {
        prowlarr-env.content = ''
--- a/hosts/jupiter/users/storm/configs/console/podman/media/radarr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/radarr/default.nix
@@ -21,7 +21,7 @@ in
      secrets = builtins.listToAttrs (
        builtins.map (radarr: {
          name = "${radarr.hostName}/apiKey";
-          value.sopsFile = ../../../../../../../secrets/secrets.yaml;
+          value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
        }) radarrs
      );

--- a/hosts/jupiter/users/storm/configs/console/podman/media/sonarr/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/sonarr/default.nix
@@ -21,7 +21,7 @@ in
      secrets = builtins.listToAttrs (
        builtins.map (sonarr: {
          name = "${sonarr.hostName}/apiKey";
-          value.sopsFile = ../../../../../../../secrets/secrets.yaml;
+          value.sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
        }) sonarrs
      );

--- a/hosts/jupiter/users/storm/configs/console/podman/media/transmission/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/media/transmission/default.nix
@@ -13,7 +13,7 @@ let
 in
 {
  home-manager.users.${user} = {
-    sops.secrets."transmission/protonvpn".sopsFile = ../../../../../../../secrets/secrets.yaml;
+    sops.secrets."transmission/protonvpn".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";

    systemd.user.tmpfiles.rules = [
      "d /mnt/storage/private/storm/containers/storage/volumes/media/_data/downloads/transmission 755 storm storm"
--- a/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix
@@ -16,12 +16,12 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "nextcloud/salt".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "nextcloud/secret".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "nextcloud/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "nextcloud/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "nextcloud/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "nextcloud/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "nextcloud/salt".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "nextcloud/secret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "nextcloud/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "nextcloud/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "nextcloud/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "nextcloud/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
@@ -15,10 +15,10 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "ntfy/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "ntfy/webPush/publicKey".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "ntfy/webPush/privateKey".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "ntfy/users/karaolidis".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "ntfy/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "ntfy/webPush/publicKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "ntfy/webPush/privateKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "ntfy/users/karaolidis".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix
@@ -16,12 +16,12 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "outline/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "outline/secretKey".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "outline/utilsSecret".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "outline/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "outline/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "outline/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "outline/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "outline/secretKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "outline/utilsSecret".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "outline/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "outline/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "outline/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
@@ -15,9 +15,9 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "shlink/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "shlink/apiKey".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "maxmind/licenseKey".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
+        "shlink/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "shlink/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "maxmind/licenseKey".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/sish/default.nix
@@ -15,7 +15,7 @@ in
  networking.firewall.allowedTCPPorts = [ 2222 ];

  home-manager.users.${user} = {
-    sops.secrets."sish/ssh/key".sopsFile = ../../../../../../secrets/secrets.yaml;
+    sops.secrets."sish/ssh/key".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";

    virtualisation.quadlet = {
      networks.sish = { };
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
@@ -25,7 +25,7 @@ in

  home-manager.users.${user} = {
    sops = {
-      secrets."cloudflare/letsencrypt".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
+      secrets."cloudflare/letsencrypt".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
      templates.traefik-env.content = ''
        CF_DNS_API_TOKEN=${hmConfig.sops.placeholder."cloudflare/letsencrypt"}
      '';
--- a/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
@@ -17,13 +17,13 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
-        "vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/adminToken".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "vaultwarden/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "vaultwarden/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "vaultwarden/push/installationId".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "vaultwarden/push/installationKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "vaultwarden/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "vaultwarden/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
      };

      templates = {
--- a/hosts/jupiter/users/storm/default.nix
+++ b/hosts/jupiter/users/storm/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
 let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -26,7 +31,7 @@ in

  # mkpasswd -s
  sops.secrets."${user}-password" = {
-    sopsFile = ../../../../secrets/personal/secrets.yaml;
+    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
    key = "password";
    neededForUsers = true;
  };
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD root@elara`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgGmzh23q/ucuZRRkS4LdPfBdTDWJk0UrlUYVnC7j2b root@himalia`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEIK+JkxkC0E8w0IF59gtpG55JBS/osqs1B7VhsI0eI root@installer`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEQGAjeS+Q5aB8uTmy//XyFRFihtUBeWJbFhIi8YEa3 root@jupiter-vps`
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEoe+/nXBPhLKVZ2Fo4iif8F9WgrriBE+/oXPdANR+7G root@jupiter`