fix: update secrets approach to match 'nix-secrets'

2026-04-11 20:48:47 +02:00
parent db116cc4de
commit faf3afad79
17 changed files with 268 additions and 180 deletions
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -23,6 +23,7 @@
    ../../modules/nfc
    ../../modules/nvim
    ../../modules/pandoc
+    ../../modules/secrets
    ../../modules/shell
    ../../modules/ssh
    ../../modules/taskwarrior
--- a/home/modules/anki/default.nix
+++ b/home/modules/anki/default.nix
@@ -4,13 +4,21 @@
  pkgs,
  myUtils,
  osConfig ? null,
+  inputs ? null,
  ...
 }:

 let
  sops = myUtils.sopsAvailability config osConfig;
+  standalone = osConfig == null;
 in
-{
+lib.optionalAttrs standalone {
+  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [
+    "sync-user"
+    "sync-key"
+  ] { };
+}
+// {
  warnings = lib.optional (
    !sops.available && config.programs.anki.enable
  ) "anki is enabled but sops secrets are not available. anki sync will not be configured.";
@@ -24,8 +32,8 @@ in
      review-heatmap
    ];
    profiles."User 1".sync = lib.mkIf sops.available {
-      usernameFile = "${sops.secrets."anki-sync-user".path}";
-      keyFile = "${sops.secrets."anki-sync-key".path}";
+      usernameFile = "${sops.secrets."anki/sync-user".path}";
+      keyFile = "${sops.secrets."anki/sync-key".path}";
    };
  };
 }
--- a/home/modules/secrets/default.nix
+++ b/home/modules/secrets/default.nix
@@ -6,7 +6,8 @@
  imports = [ ./vault.nix ];

  home.packages = with pkgs; [
-    sops
    age
+    age-plugin-yubikey # TODO: only needed when using Yubikey
+    sops
  ];
 }
--- a/home/modules/taskwarrior/default.nix
+++ b/home/modules/taskwarrior/default.nix
@@ -5,13 +5,33 @@
  dotsPath,
  myUtils,
  osConfig ? null,
+  inputs ? null,
  ...
 }:

 let
  sops = myUtils.sopsAvailability config osConfig;
+  standalone = osConfig == null;
 in
-{
+lib.optionalAttrs standalone {
+  sops = {
+    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [
+      "sync-server-url"
+      "sync-server-client-id"
+      "sync-encryption-secret"
+    ] { };
+
+    templates."taskrc.d/sync" = {
+      content = ''
+        sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}
+        sync.server.client_id=${config.sops.placeholder."taskwarrior/sync-server-client-id"}
+        sync.encryption_secret=${config.sops.placeholder."taskwarrior/sync-encryption-secret"}
+      '';
+    };
+  };
+}
+// {
+
  warnings =
    lib.optional (!sops.available && config.programs.taskwarrior.enable)
      "taskwarrior is enabled, but sops templates are not available. taskwarrior sync will not be configured.";