Migrate secrets to separate repo

2023-12-16 18:39:00 +00:00 · 2023-12-16 18:39:00 +00:00 · aa5a4e27a3
commit aa5a4e27a3
parent f9cf5758e3
5 changed files with 29 additions and 18 deletions
--- a/flake.lock
+++ b/flake.lock
@ -86,11 +86,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1702195709,
-        "narHash": "sha256-+zRjWkm5rKqQ57PuLZ3JF3xi3vPMiOJzItb1m/43Cq4=",
+        "lastModified": 1702676849,
+        "narHash": "sha256-XqcREaTS38/QOsN8fk8PP325/UXHyF9enbP5ZPw5aiA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "6761b8188b860f374b457eddfdb05c82eef9752f",
+        "rev": "aa99c2f4e9847cbb7e46fac0844ea1eb164b3b3a",
        "type": "github"
      },
      "original": {
@ -137,9 +137,26 @@
        "firefox-gnome-theme": "firefox-gnome-theme",
        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs_2",
+        "secrets": "secrets",
        "thunderbird-gnome-theme": "thunderbird-gnome-theme"
      }
    },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1702750793,
+        "narHash": "sha256-w4ajlpX4k+9HBgmRhMaWMfHsNEs1M4ncKtJGXZcHqe8=",
+        "ref": "refs/heads/master",
+        "rev": "08e2b6b214e43e8bf3b3db9b7819fd27a1038c86",
+        "revCount": 1,
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
+      }
+    },
    "thunderbird-gnome-theme": {
      "flake": false,
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -12,13 +12,17 @@
      url = "github:rafaelmardojai/firefox-gnome-theme";
      flake = false;
    };
+    secrets = {
+      url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
+      flake = false;
+    };
    thunderbird-gnome-theme = {
      url = "github:rafaelmardojai/thunderbird-gnome-theme";
      flake = false;
    };
  };

-  outputs = inputs @ { self, nixpkgs, agenix, home-manager, ... }:
+  outputs = inputs @ { self, nixpkgs, agenix, home-manager, secrets, ... }:
    let
      nixpkgsForSystem = system: inputs.nixpkgs;
      overlays = [
--- a/hosts/odyssey/default.nix
+++ b/hosts/odyssey/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:

 {
  imports = [
@ -50,8 +50,8 @@
    };
  };

-  age.secrets."odyssey_borg_passphrase" = {
-    file = ../../secrets/odyssey_borg_passphrase.age;
+  age.secrets."odyssey-passphrase" = {
+    file = "${inputs.secrets}/passwords/services/borg/odyssey-passphrase.age";
  };

  services.borgmatic = {
@ -64,7 +64,7 @@
        { label = "borgbase"; path = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo"; }
      ];
      storage = {
-        encryption_passcommand = "cat ${config.age.secrets.odyssey_borg_passphrase.path}";
+        encryption_passcommand = "cat ${config.age.secrets.odyssey-passphrase.path}";
        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
      };
      retention = {
--- a/secrets.nix
+++ b/secrets.nix
@ -1,10 +0,0 @@
-let
-  jordan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS";
-  users = [ jordan ];
-
-  odyssey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7";
-  systems = [ odyssey ];
-in
-{
-  "secrets/odyssey_borg_passphrase.age".publicKeys = [ jordan odyssey ];
-}
--- a/secrets/odyssey_borg_passphrase.age
+++ b/secrets/odyssey_borg_passphrase.age