From aa5a4e27a33a99aafb41199c370bbd5d1870ed0f Mon Sep 17 00:00:00 2001 From: Jordan Holt Date: Sat, 16 Dec 2023 18:39:00 +0000 Subject: [PATCH] Migrate secrets to separate repo --- flake.lock | 23 ++++++++++++++++++++--- flake.nix | 6 +++++- hosts/odyssey/default.nix | 8 ++++---- secrets.nix | 10 ---------- secrets/odyssey_borg_passphrase.age | Bin 567 -> 0 bytes 5 files changed, 29 insertions(+), 18 deletions(-) delete mode 100644 secrets.nix delete mode 100644 secrets/odyssey_borg_passphrase.age diff --git a/flake.lock b/flake.lock index 7328b93..37a1826 100644 --- a/flake.lock +++ b/flake.lock @@ -86,11 +86,11 @@ ] }, "locked": { - "lastModified": 1702195709, - "narHash": "sha256-+zRjWkm5rKqQ57PuLZ3JF3xi3vPMiOJzItb1m/43Cq4=", + "lastModified": 1702676849, + "narHash": "sha256-XqcREaTS38/QOsN8fk8PP325/UXHyF9enbP5ZPw5aiA=", "owner": "nix-community", "repo": "home-manager", - "rev": "6761b8188b860f374b457eddfdb05c82eef9752f", + "rev": "aa99c2f4e9847cbb7e46fac0844ea1eb164b3b3a", "type": "github" }, "original": { @@ -137,9 +137,26 @@ "firefox-gnome-theme": "firefox-gnome-theme", "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_2", + "secrets": "secrets", "thunderbird-gnome-theme": "thunderbird-gnome-theme" } }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1702750793, + "narHash": "sha256-w4ajlpX4k+9HBgmRhMaWMfHsNEs1M4ncKtJGXZcHqe8=", + "ref": "refs/heads/master", + "rev": "08e2b6b214e43e8bf3b3db9b7819fd27a1038c86", + "revCount": 1, + "type": "git", + "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git" + }, + "original": { + "type": "git", + "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git" + } + }, "thunderbird-gnome-theme": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index df6ff70..8e05514 100644 --- a/flake.nix +++ b/flake.nix 
@@ -12,13 +12,17 @@ url = "github:rafaelmardojai/firefox-gnome-theme"; flake = false; }; + secrets = { + url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git"; + flake = false; + }; thunderbird-gnome-theme = { url = "github:rafaelmardojai/thunderbird-gnome-theme"; flake = false; }; }; - outputs = inputs @ { self, nixpkgs, agenix, home-manager, ... }: + outputs = inputs @ { self, nixpkgs, agenix, home-manager, secrets, ... }: let nixpkgsForSystem = system: inputs.nixpkgs; overlays = [ diff --git a/hosts/odyssey/default.nix b/hosts/odyssey/default.nix index 0fe5f56..dcc7170 100644 --- a/hosts/odyssey/default.nix +++ b/hosts/odyssey/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, inputs, ... }: { imports = [ @@ -50,8 +50,8 @@ }; }; - age.secrets."odyssey_borg_passphrase" = { - file = ../../secrets/odyssey_borg_passphrase.age; + age.secrets."odyssey-passphrase" = { + file = "${inputs.secrets}/passwords/services/borg/odyssey-passphrase.age"; }; services.borgmatic = { @@ -64,7 +64,7 @@ { label = "borgbase"; path = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo"; } ]; storage = { - encryption_passcommand = "cat ${config.age.secrets.odyssey_borg_passphrase.path}"; + encryption_passcommand = "cat ${config.age.secrets.odyssey-passphrase.path}"; ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key"; }; retention = { diff --git a/secrets.nix b/secrets.nix deleted file mode 100644 index cf926b2..0000000 --- a/secrets.nix +++ /dev/null @@ -1,10 +0,0 @@ -let - jordan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS"; - users = [ jordan ]; - - odyssey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7"; - systems = [ odyssey ]; -in -{ - "secrets/odyssey_borg_passphrase.age".publicKeys = [ jordan odyssey ]; -} 
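Review bot: The new `secrets` input (`url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";`) makes every evaluation of this flake depend on SSH access to a private repository, and the hunk adds no comment saying so. I would put something like `# private repo of age-encrypted files; fetching needs an SSH key authorised on git.vimium.com, including for whichever user runs the rebuild` above it. With secrets.nix deleted in this commit, the recipient list that decides who can decrypt presumably lives in that repository now, so changes to it will no longer show up in this repository's history; that is worth noting in the same comment. Separately, `secrets` is added to the `outputs` argument pattern while the host module reads `inputs.secrets`, so the named binding looks unused in the lines shown (the `outputs` body continues outside the hunk).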
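Review bot: The secret is renamed to `age.secrets."odyssey-passphrase"`, which drops the service from the name even though the file it points at sits under `passwords/services/borg/`; agenix derives the decrypted file's name from this attribute by default, so a second passphrase for the same host would have nothing to distinguish it. I would keep the service in the name, `age.secrets."odyssey-borg-passphrase"`, and change `config.age.secrets.odyssey-passphrase.path` in the `storage` hunk below to match. The `inputs` argument added at the top of the file only resolves if the system definition passes it to modules (for example through `specialArgs`), and that wiring is not part of this diff. Deleting `secrets/odyssey_borg_passphrase.age` here does not remove the ciphertext from this repository's history, so if the move is meant to limit who can obtain it, rotating the Borg passphrase is the step that achieves that.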
diff --git a/secrets/odyssey_borg_passphrase.age b/secrets/odyssey_borg_passphrase.age deleted file mode 100644 index 58558b282fedf3db338f63455c552842ad0832ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 567 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyFvH#RjjEcY)eFo-ZUa*1>a$uiLPw#fD~FyS)GH81ol@~-qNj`9x5 z%go8B$SQCScT99GGYv{H3pFe&(oQ!sO)HBEibS_9t1!$Y$x$KH-P_TkILF(>u+Y0Q z*|Q)uB+DqsG`yrZBp}$wEwm&k(xOs3Lfat4Ih3o^)HlGZ}6l`0aijTc+dQoa(ajJs4N_tJOpRa;)X_P{(ev*!v zeLRzo4#>*o?k>%abH&(s>KYL9>UDK+w z%;&pqF_m|Io*7l_rTgUNf!z~-AGp7r@5