secrets: split home and common secrets

2024-07-08 15:02:54 +02:00
parent 435f032287
commit 2532fef033
7 changed files with 100 additions and 44 deletions
--- a/home/config/ssh/default.nix
+++ b/home/config/ssh/default.nix
@@ -6,10 +6,9 @@
    ./pvv.nix
  ];

-  sops.secrets."ssh/secret-config/home" = {
-    sopsFile = ../../../secrets/common.yaml;
+  sops.secrets."ssh/secret-config" = {
    mode = "0444";
  };

-  programs.ssh.includes = [ config.sops.secrets."ssh/secret-config/home".path ];
+  programs.ssh.includes = [ config.sops.secrets."ssh/secret-config".path ];
 }
--- a/home/home.nix
+++ b/home/home.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, extendedLib, inputs, machineVars, hostname, ... } @ args: let
+{ config, pkgs, lib, extendedLib, inputs, machineVars, ... } @ args: let
  inherit (lib) mkForce mkIf optionals;
  graphics = !machineVars.headless;
 in {
@@ -53,8 +53,8 @@ in {
    ./services/copyq.nix
  ];

-  sops.defaultSopsFile = ./secrets/${hostname}.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.defaultSopsFile = ../secrets/home.yaml;
+  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519_home_sops" ];

  sops.secrets."nix/access-tokens" = {
    sopsFile = ../secrets/common.yaml;