refactor(secrets): simplify secrets

home/modules/anki/default.nix

@@ -13,10 +13,12 @@ let
   standalone = osConfig == null;
 in
 lib.optionalAttrs standalone {
-  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [
+  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
-    "sync-user"
+    anki = [
-    "sync-key"
+      "sync-user"
-  ] { };
+      "sync-key"
+    ];
+  };
 }
 // {
   warnings = lib.optional (

home/modules/taskwarrior/default.nix

@@ -15,11 +15,13 @@ let
 in
 lib.optionalAttrs standalone {
   sops = {
-    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [
+    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
-      "sync-server-url"
+      taskwarrior = [
-      "sync-server-client-id"
+        "sync-server-url"
-      "sync-encryption-secret"
+        "sync-server-client-id"
-    ] { };
+        "sync-encryption-secret"
+      ];
+    };
 
     templates."taskrc.d/sync" = {
       content = ''

modules/ai-tools/default.nix

@@ -1,15 +1,14 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
-  inherit (config.secrets) sopsDir;
   inherit (config.host) username;
-  owner = config.users.users.${username}.name;
+  inherit (config.secrets) owner;
 in
 {
-  config.sops = {
+  config = {
-    secrets = myUtils.mkSopsSecrets sopsDir "opencode" [ "api-key" ] { inherit owner; };
+    secrets.groups.opencode = [ "api-key" ];
 
-    templates."opencode/auth.json" = {
+    sops.templates."opencode/auth.json" = {
       inherit owner;
       path = "/home/${username}/.local/share/opencode/auth.json";
       content = ''

modules/anki/default.nix

@@ -1,12 +1,6 @@
-{ config, myUtils, ... }:
-
-let
-  inherit (config.secrets) sopsDir;
-  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
-in
 {
-  config.sops = {
+  config.secrets.groups.anki = [
-    secrets = myUtils.mkSopsSecrets sopsDir "anki" [ "sync-user" "sync-key" ] { inherit owner; };
+    "sync-user"
-  };
+    "sync-key"
+  ];
 }

modules/backups/default.nix

@@ -1,14 +1,11 @@
 {
   lib,
   config,
-  myUtils,
   ...
 }:
 
 let
   cfg = config.restic-backup;
-  inherit (config.secrets) sopsDir;
-  mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
   host = config.networking.hostName;
 in
 {
@@ -27,21 +24,24 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    sops = {
+    secrets.groups = {
-      secrets = lib.mkMerge [
+      restic = [ "password" ];
-        (mkSopsSecrets "restic" [ "password" ] { })
+      backblaze-b2 = [
-        (mkSopsSecrets "backblaze-b2" [ "bucket-name" "account-id" "account-key" ] { })
+        "bucket-name"
+        "account-id"
+        "account-key"
       ];
-      templates = {
+    };
-        "restic/repo-${host}" = {
+
-          content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
+    sops.templates = {
-        };
+      "restic/repo-${host}" = {
-        "restic/b2-env-${host}" = {
+        content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
-          content = ''
+      };
-            B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
+      "restic/b2-env-${host}" = {
-            B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
+        content = ''
-          '';
+          B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
-        };
+          B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
+        '';
       };
     };
 

modules/hcloud/default.nix

@@ -1,14 +1,13 @@
 {
   lib,
   config,
-  myUtils,
   ...
 }:
 
 let
   cfg = config.hcloud;
   inherit (config.host) username;
-  inherit (config.secrets) sopsDir;
+  inherit (config.secrets) owner;
 in
 {
   options.hcloud = {
@@ -16,12 +15,10 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] {
+    secrets.groups.hcloud = [ "api-token" ];
-      owner = config.users.users.${username}.name;
-    };
 
     sops.templates."hcloud/cli.toml" = {
-      owner = config.users.users.${username}.name;
+      inherit owner;
       path = "/home/${username}/.config/hcloud/cli.toml";
       content = ''
         active_context = "server"

modules/secrets/default.nix

@@ -12,7 +12,6 @@ let
   inherit (config.host) username;
   inherit (cfg) sopsDir;
   owner = config.users.users.${username}.name;
-  mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
 in
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
@@ -24,6 +23,15 @@ in
         default = "${toString inputs.nix-secrets}/secrets";
       };
 
+      groups = lib.mkOption {
+        type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+        default = { };
+      };
+
+      owner = lib.mkOption {
+        type = lib.types.unspecified;
+      };
+
       nixSigningKey = {
         enable = lib.mkEnableOption "nix signing key configuration";
       };
@@ -35,27 +43,28 @@ in
   };
 
   config = {
+    secrets = {
+      inherit owner;
+      groups = {
+        email = [
+          "personal"
+          "work"
+        ];
+        nix = lib.optional cfg.nixSigningKey.enable "signing-key";
+      };
+    };
+
     sops = {
       # for yubikey, generate as follows:
       # ```
       # age-plugin-yubikey --identity > <keyfile-path>
       # ```
       age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
-
+      secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
-      secrets = lib.mkMerge [
-        (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
-        (lib.mkIf cfg.nixSigningKey.enable {
-          nix-signing-key = {
-            sopsFile = "${sopsDir}/nix.yaml";
-            key = "signing-key";
-            inherit owner;
-          };
-        })
-      ];
     };
 
     nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
-      config.sops.secrets.nix-signing-key.path
+      config.sops.secrets."nix/signing-key".path
     ];
 
     services = {

modules/taskwarrior/default.nix

@@ -1,19 +1,17 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
-  inherit (config.secrets) sopsDir;
+  inherit (config.secrets) owner;
-  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
 in
 {
-  config.sops = {
+  config = {
-    secrets = myUtils.mkSopsSecrets sopsDir "taskwarrior" [
+    secrets.groups.taskwarrior = [
       "sync-server-url"
       "sync-server-client-id"
       "sync-encryption-secret"
-    ] { inherit owner; };
+    ];
 
-    templates."taskrc.d/sync" = {
+    sops.templates."taskrc.d/sync" = {
       inherit owner;
       content = ''
         sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}

utils/secrets.nix

@@ -2,19 +2,25 @@
 
 {
   mkSopsSecrets =
-    sopsDir: group: names: extraOpts:
+    sopsDir: owner: groups:
     let
-      file = "${group}.yaml";
+      opts = lib.optionalAttrs (owner != null) { inherit owner; };
+      mkGroup =
+        group: names:
+        let
+          file = "${group}.yaml";
+        in
+        lib.foldl' lib.mergeAttrs { } (
+          map (name: {
+            "${group}/${name}" = {
+              sopsFile = "${sopsDir}/${file}";
+              key = name;
+            }
+            // opts;
+          }) names
+        );
     in
-    lib.foldl' lib.mergeAttrs { } (
+    lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
-      map (name: {
-        "${group}/${name}" = {
-          sopsFile = "${sopsDir}/${file}";
-          key = name;
-        }
-        // extraOpts;
-      }) names
-    );
 
   sopsAvailability =
     config: osConfig: