Refactor secrets

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-07-24 11:01:47 +01:00
parent ba55a766ec
commit 15bf209e8c
62 changed files with 214 additions and 158 deletions
--- a/hosts/elara/configs/git/default.nix
+++ b/hosts/elara/configs/git/default.nix
@@ -10,7 +10,7 @@ let
 in
 {
  sops.secrets."ssh/sas/ed25519/key" = {
-    sopsFile = ../../../../secrets/sas/secrets.yaml;
+    sopsFile = "${inputs.secrets}/sas/secrets.yaml";
    key = "ssh/ed25519/key";
    path = "/root/.ssh/ssh_sas_ed25519_key";
  };
--- a/hosts/elara/secrets/ssh_host_ed25519_key.pub
+++ b/hosts/elara/secrets/ssh_host_ed25519_key.pub
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD root@elara
--- a/hosts/elara/users/nikara/configs/console/git/default.nix
+++ b/hosts/elara/users/nikara/configs/console/git/default.nix
@@ -16,22 +16,22 @@ in
    sops = {
      secrets = {
        "git/credentials/personal/git.karaolidis.com/admin/username" = {
-          sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+          sopsFile = "${inputs.secrets}/personal/secrets.yaml";
          key = "git/credentials/git.karaolidis.com/admin/username";
        };

        "git/credentials/personal/git.karaolidis.com/admin/password" = {
-          sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+          sopsFile = "${inputs.secrets}/personal/secrets.yaml";
          key = "git/credentials/git.karaolidis.com/admin/password";
        };

        "git/credentials/sas/github.com/admin/username" = {
-          sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+          sopsFile = "${inputs.secrets}/sas/secrets.yaml";
          key = "git/credentials/github.com/admin/username";
        };

        "git/credentials/sas/github.com/admin/password" = {
-          sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+          sopsFile = "${inputs.secrets}/sas/secrets.yaml";
          key = "git/credentials/github.com/admin/password";
        };
      };
--- a/hosts/elara/users/nikara/configs/console/gpg/default.nix
+++ b/hosts/elara/users/nikara/configs/console/gpg/default.nix
@@ -1,5 +1,5 @@
 { user, home }:
-{ config, ... }:
+{ config, inputs, ... }:
 let
  hmConfig = config.home-manager.users.${user};
 in
@@ -7,22 +7,22 @@ in
  home-manager.users.${user} = {
    sops.secrets = {
      "gpg/personal/key" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "gpg/key";
      };

      "gpg/personal/pass" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "gpg/pass";
      };

      "gpg/sas/key" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "gpg/key";
      };

      "gpg/sas/pass" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "gpg/pass";
      };
    };
--- a/hosts/elara/users/nikara/configs/console/podman/default.nix
+++ b/hosts/elara/users/nikara/configs/console/podman/default.nix
@@ -3,6 +3,7 @@
  config,
  lib,
  pkgs,
+  inputs,
  ...
 }:
 let
@@ -12,17 +13,17 @@ in
  home-manager.users.${user}.sops = {
    secrets = {
      "registry/personal/docker.io" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "registry/docker.io";
      };

      "registry/personal/registry.karaolidis.com" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "registry/registry.karaolidis.com";
      };

      "registry/sas/cr.sas.com" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "registry/cr.sas.com";
      };
    };
--- a/hosts/elara/users/nikara/configs/console/sas/default.nix
+++ b/hosts/elara/users/nikara/configs/console/sas/default.nix
@@ -1,8 +1,8 @@
 { user, home }:
-{ ... }:
+{ inputs, ... }:
 {
  home-manager.users.${user}.sops.secrets = {
-    "artifactory/cdp/user".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
-    "artifactory/cdp/password".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+    "artifactory/cdp/user".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+    "artifactory/cdp/password".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
  };
 }
--- a/hosts/elara/users/nikara/configs/console/ssh/default.nix
+++ b/hosts/elara/users/nikara/configs/console/ssh/default.nix
@@ -14,35 +14,35 @@ in
  home-manager.users.${user} = {
    sops.secrets = {
      "ssh/personal/key" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "ssh/key";
        path = "${home}/.ssh/ssh_personal_ed25519_key";
      };

      "ssh/personal/pass" = {
-        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
        key = "ssh/pass";
      };

      "ssh/sas/ed25519/key" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/ed25519/key";
        path = "${home}/.ssh/ssh_sas_ed25519_key";
      };

      "ssh/sas/ed25519/pass" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/ed25519/pass";
      };

      "ssh/sas/rsa/key" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/rsa/key";
        path = "${home}/.ssh/ssh_sas_rsa_key";
      };

      "ssh/sas/rsa/pass" = {
-        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
        key = "ssh/rsa/pass";
      };
    };
--- a/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix
+++ b/hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix
@@ -13,8 +13,8 @@ in
 {
  home-manager.users.${user} = {
    sops.secrets = {
-      "viya/orders-api/key".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
-      "viya/orders-api/secret".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+      "viya/orders-api/key".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+      "viya/orders-api/secret".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
    };

    home.packages = [ selfPkgs.viya4-orders-cli ];
--- a/hosts/elara/users/nikara/default.nix
+++ b/hosts/elara/users/nikara/default.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
 let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -97,7 +102,7 @@ in

  # mkpasswd -s
  sops.secrets."${user}-password" = {
-    sopsFile = ../../../../secrets/sas/secrets.yaml;
+    sopsFile = "${inputs.secrets}/sas/secrets.yaml";
    key = "password";
    neededForUsers = true;
  };
				`@@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2sVagJ2CqpitBK4izlfKWIe2n2xkfV95F0VNkAc3FD root@elara`