refactor: sops-nix

config/hosts/imxyy-nix-server/build.nix

@@ -1,12 +1,12 @@
 {
   config,
   pkgs,
-  sopsRoot,
+  secrets,
   ...
 }:
 {
   sops.secrets.et-imxyy-nix-server-nixremote = {
-    sopsFile = sopsRoot + /et-imxyy-nix-server-nixremote.toml;
+    sopsFile = secrets.et-imxyy-nix-server-nixremote;
     format = "binary";
   };
   environment.systemPackages = [ pkgs.easytier ];

config/hosts/imxyy-nix-server/minio.nix

@@ -1,7 +1,7 @@
-{ config, sopsRoot, ... }:
+{ config, secrets, ... }:
 {
   sops.secrets.minio-env = {
-    sopsFile = sopsRoot + /minio.env;
+    sopsFile = secrets.minio;
     format = "dotenv";
   };
   services.minio = {

config/hosts/imxyy-nix-server/net.nix

@@ -3,7 +3,7 @@
   lib,
   pkgs,
   username,
-  sopsRoot,
+  secrets,
   ...
 }:
 {
@@ -143,7 +143,7 @@
   ];
 
   sops.secrets.dae-imxyy-nix-server = {
-    sopsFile = sopsRoot + /dae-imxyy-nix-server.dae;
+    sopsFile = secrets.dae-imxyy-nix-server;
     format = "binary";
   };
   services.dae = {
@@ -152,7 +152,7 @@
   };
   systemd.services.dae.after = [ "sops-nix.service" ];
   sops.secrets.mihomo = {
-    sopsFile = sopsRoot + /mihomo.yaml;
+    sopsFile = secrets.mihomo;
     format = "yaml";
     key = "";
   };
@@ -164,7 +164,7 @@
   };
 
   sops.secrets.frp-env = {
-    sopsFile = sopsRoot + /frp.env;
+    sopsFile = secrets.frp;
     format = "dotenv";
   };
   systemd.services.frp.serviceConfig.EnvironmentFile = [
@@ -475,7 +475,7 @@
   };
 
   sops.secrets.et-imxyy-nix-server = {
-    sopsFile = sopsRoot + /et-imxyy-nix-server.toml;
+    sopsFile = secrets.et-imxyy-nix-server;
     format = "binary";
   };
   environment.systemPackages = [ pkgs.easytier ];

config/hosts/imxyy-nix-server/nixos.nix

@@ -2,7 +2,7 @@
   lib,
   config,
   username,
-  sopsRoot,
+  secrets,
   ...
 }:
 {
@@ -23,7 +23,7 @@
   environment.variables.NIX_REMOTE = "daemon";
 
   sops.secrets.imxyy-nix-server-hashed-password = {
-    sopsFile = sopsRoot + /imxyy-nix-server-hashed-password.txt;
+    sopsFile = secrets.imxyy-nix-server-hashed-password;
     format = "binary";
     neededForUsers = true;
   };

config/hosts/imxyy-nix-server/note.nix

@@ -1,16 +1,16 @@
 {
   config,
-  sopsRoot,
+  secrets,
   ...
 }:
 {
   sops.secrets = {
     flatnote-env = {
-      sopsFile = sopsRoot + /flatnote.env;
+      sopsFile = secrets.flatnote;
       format = "dotenv";
     };
     siyuan-env = {
-      sopsFile = sopsRoot + /siyuan.env;
+      sopsFile = secrets.siyuan;
       format = "dotenv";
     };
   };

config/hosts/imxyy-nix-server/vault.nix

@@ -1,7 +1,7 @@
-{ config, sopsRoot, ... }:
+{ config, secrets, ... }:
 {
   sops.secrets.vaultwarden-env = {
-    sopsFile = sopsRoot + /vaultwarden.env;
+    sopsFile = secrets.vaultwarden;
     format = "dotenv";
   };
   services.postgresql.ensureUsers = [

config/hosts/imxyy-nix-x16/net.nix

@@ -1,7 +1,7 @@
 {
   config,
   pkgs,
-  sopsRoot,
+  secrets,
   ...
 }:
 {
@@ -53,7 +53,7 @@
   };
 
   sops.secrets.dae-imxyy-nix-x16 = {
-    sopsFile = sopsRoot + /dae-imxyy-nix-x16.dae;
+    sopsFile = secrets.dae-imxyy-nix-x16;
     format = "binary";
   };
   services.dae = {
@@ -62,7 +62,7 @@
   };
   systemd.services.dae.after = [ "sops-nix.service" ];
   sops.secrets.mihomo = {
-    sopsFile = sopsRoot + /mihomo.yaml;
+    sopsFile = secrets.mihomo;
     format = "yaml";
     key = "";
   };
@@ -74,7 +74,7 @@
   };
 
   sops.secrets.et-imxyy-nix-x16 = {
-    sopsFile = sopsRoot + /et-imxyy-nix-x16.toml;
+    sopsFile = secrets.et-imxyy-nix-x16;
     format = "binary";
   };
   environment.systemPackages = with pkgs; [

config/hosts/imxyy-nix-x16/nixos.nix

@@ -1,9 +1,8 @@
 {
-  lib,
   pkgs,
   config,
   username,
-  sopsRoot,
+  secrets,
   ...
 }:
 {
@@ -134,7 +133,7 @@
   ];
 
   sops.secrets.imxyy-nix-rclone = {
-    sopsFile = sopsRoot + /imxyy-nix-rclone.conf;
+    sopsFile = secrets.imxyy-nix-rclone;
     format = "binary";
   };
   fileSystems = {

config/hosts/imxyy-nix/net.nix

@@ -2,8 +2,7 @@
   config,
   lib,
   pkgs,
-  sopsRoot,
+  secrets,
-  username,
   ...
 }:
 {
@@ -86,7 +85,7 @@
   };
 
   sops.secrets.dae-imxyy-nix = {
-    sopsFile = sopsRoot + /dae-imxyy-nix.dae;
+    sopsFile = secrets.dae-imxyy-nix;
     format = "binary";
   };
   services.dae = {
@@ -95,7 +94,7 @@
   };
   systemd.services.dae.after = [ "sops-nix.service" ];
   sops.secrets.mihomo = {
-    sopsFile = sopsRoot + /mihomo.yaml;
+    sopsFile = secrets.mihomo;
     format = "yaml";
     key = "";
   };
@@ -107,7 +106,7 @@
   };
 
   sops.secrets.et-imxyy-nix = {
-    sopsFile = sopsRoot + /et-imxyy-nix.toml;
+    sopsFile = secrets.et-imxyy-nix;
     format = "binary";
   };
   environment.systemPackages = [ pkgs.easytier ];

config/hosts/imxyy-nix/nixos.nix

@@ -3,7 +3,7 @@
   pkgs,
   config,
   username,
-  sopsRoot,
+  secrets,
   ...
 }:
 let
@@ -225,7 +225,7 @@ in
   ];
 
   sops.secrets.imxyy-nix-rclone = {
-    sopsFile = sopsRoot + /imxyy-nix-rclone.conf;
+    sopsFile = secrets.imxyy-nix-rclone;
     format = "binary";
   };
   fileSystems = {

flake.nix

@@ -185,7 +185,14 @@
               outputs
               hostname
               ;
-            sopsRoot = ./secrets;
+            secrets =
+              with lib.haumea;
+              load {
+                src = ./secrets;
+                loader = [
+                  (matchers.always loaders.path)
+                ];
+              };
           }
           // vars;
           modules =

modules/user.nix

@@ -4,7 +4,7 @@
   pkgs,
   username,
   userdesc,
-  sopsRoot,
+  secrets,
   ...
 }:
 lib.my.makeSwitch {
@@ -16,7 +16,7 @@ lib.my.makeSwitch {
     programs.zsh.enable = true;
 
     sops.secrets.imxyy-nix-hashed-password = {
-      sopsFile = sopsRoot + /imxyy-nix-hashed-password.txt;
+      sopsFile = secrets.imxyy-nix-hashed-password;
       format = "binary";
       neededForUsers = true;
     };