From fc38f49fbffec1966f3833db5d68e724e1ef60ba Mon Sep 17 00:00:00 2001
From: hektor
Date: Mon, 15 Jun 2026 21:11:51 +0200
Subject: [PATCH] fix(secrets): default to non-user secrets
---
 home/modules/anki/default.nix | 2 +-
 home/modules/taskwarrior/default.nix | 2 +-
 modules/ai-tools/default.nix | 2 +-
 modules/anki/default.nix | 2 +-
 modules/backups/default.nix | 2 +-
 modules/common/host.nix | 5 +++
 modules/hcloud/default.nix | 2 +-
 modules/secrets/default.nix | 66 +++++++++++++++-------------
 modules/taskwarrior/default.nix | 2 +-
 utils/secrets.nix | 9 +++-
 10 files changed, 54 insertions(+), 40 deletions(-)
diff --git a/home/modules/anki/default.nix b/home/modules/anki/default.nix
index a55c1909..307a667c 100644
--- a/home/modules/anki/default.nix
+++ b/home/modules/anki/default.nix
@@ -18,7 +18,7 @@ in
 config = lib.mkIf cfg.enable (
 lib.optionalAttrs standalone {
- sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+ sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" {
 anki = [
 "sync-user"
 "sync-key"
diff --git a/home/modules/taskwarrior/default.nix b/home/modules/taskwarrior/default.nix
index 579f2687..da5880ec 100644
--- a/home/modules/taskwarrior/default.nix
+++ b/home/modules/taskwarrior/default.nix
@@ -20,7 +20,7 @@ in
 config = lib.mkIf cfg.enable (
 lib.optionalAttrs standalone {
 sops = {
- secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+ secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" {
 taskwarrior = [
 "sync-server-url"
 "sync-server-client-id"
diff --git a/modules/ai-tools/default.nix b/modules/ai-tools/default.nix
index 95199abe..3b708b20 100644
--- a/modules/ai-tools/default.nix
+++ b/modules/ai-tools/default.nix
@@ -10,7 +10,7 @@ in
 config = lib.mkIf cfg.enable {
 nixpkgs.allowedUnfree = [ "claude-code" ];
- secrets.groups.opencode = [ "api-key" ];
+ secrets.opencode = [ "api-key" ];
 sops.templates."opencode/auth.json" = {
 inherit owner;
diff --git a/modules/anki/default.nix b/modules/anki/default.nix
index 46f2b191..19ff37b5 100644
--- a/modules/anki/default.nix
+++ b/modules/anki/default.nix
@@ -7,7 +7,7 @@ in
 options.anki.enable = lib.mkEnableOption "anki";
 config = lib.mkIf cfg.enable {
- secrets.groups.anki = [
+ secrets.user.anki = [
 "sync-user"
 "sync-key"
 ];
diff --git a/modules/backups/default.nix b/modules/backups/default.nix
index 23885f17..6bfc657b 100644
--- a/modules/backups/default.nix
+++ b/modules/backups/default.nix
@@ -24,7 +24,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- secrets.groups = {
+ secrets = {
 restic = [ "password" ];
 backblaze-b2 = [
 "bucket-name"
diff --git a/modules/common/host.nix b/modules/common/host.nix
index dadd27fd..dbf71018 100644
--- a/modules/common/host.nix
+++ b/modules/common/host.nix
@@ -10,6 +10,11 @@
 type = lib.types.str;
 };
+ tags = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
+
 timezone = lib.mkOption {
 type = lib.types.str;
 default = "Europe/Brussels";
diff --git a/modules/hcloud/default.nix b/modules/hcloud/default.nix
index 7c1c0423..77d7cc96 100644
--- a/modules/hcloud/default.nix
+++ b/modules/hcloud/default.nix
@@ -15,7 +15,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- secrets.groups.hcloud = [ "api-token" ];
+ secrets.hcloud = [ "api-token" ];
 sops.templates."hcloud/cli.toml" = {
 inherit owner;
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 22639e84..bd394d4b 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
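Review bot: The `tags` option added to modules/common/host.nix carries no `description`, and nothing else in this patch reads `config.host.tags`, so the diff does not say what the labels select or why they travel with a secrets fix. Add a `description = "…";` on the option stating what consumes the list, and consider landing it as its own commit so the secrets change stays reviewable on its own. The remaining hunks on this line (modules/anki, backups, hcloud) follow the new `secrets.user` / freeform split consistently.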
@@ -12,52 +12,56 @@ let
 inherit (config.host) username;
 inherit (cfg) sopsDir;
 owner = config.users.users.${username}.name;
+
+ system = {
+ email = [
+ "personal"
+ "work"
+ ];
+ nix = lib.optional cfg.nixSigningKey.enable "signing-key";
+ }
+ // lib.filterAttrs (_: lib.isList) cfg;
 in
 {
 imports = [ inputs.sops-nix.nixosModules.sops ];
- options = {
- secrets = {
- enable = lib.mkEnableOption "secrets management";
+ options.secrets = lib.mkOption {
+ default = { };
+ type = lib.types.submodule {
+ freeformType = lib.types.attrsOf (lib.types.listOf lib.types.str);
- sopsDir = lib.mkOption {
- type = lib.types.str;
- default = "${toString inputs.nix-secrets}/secrets";
- };
+ options = {
+ enable = lib.mkEnableOption "secrets management";
- groups = lib.mkOption {
- type = lib.types.attrsOf (lib.types.listOf lib.types.str);
- default = { };
- };
+ sopsDir = lib.mkOption {
+ type = lib.types.str;
+ default = "${toString inputs.nix-secrets}/secrets";
+ };
- owner = lib.mkOption {
- type = lib.types.unspecified;
- };
+ user = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+ default = { };
+ };
- nixSigningKey = {
- enable = lib.mkEnableOption "nix signing key configuration";
- };
+ owner = lib.mkOption {
+ type = lib.types.unspecified;
+ default = owner;
+ };
- yubikey = {
- enable = lib.mkEnableOption "set up Yubikey";
+ nixSigningKey = {
+ enable = lib.mkEnableOption "nix signing key configuration";
+ };
+
+ yubikey = {
+ enable = lib.mkEnableOption "set up Yubikey";
 };
 };
 };
 config = lib.mkIf cfg.enable {
- secrets = {
- inherit owner;
- groups = {
- email = [
- "personal"
- "work"
- ];
- nix = lib.optional cfg.nixSigningKey.enable "signing-key";
- };
- };
 sops = {
- secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
+ secrets = myUtils.mkSopsSecrets sopsDir system // myUtils.mkSopsUserSecrets sopsDir owner cfg.user;
 };
 nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
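Review bot: The new `owner` option gets `default = owner`, but the `sops.secrets` line still passes the let-bound `owner` (`config.users.users.${username}.name`) to `mkSopsUserSecrets`, so a host that overrides `secrets.owner` still gets its user secrets owned by the username-derived account; pass the option instead: `secrets = myUtils.mkSopsSecrets sopsDir system // myUtils.mkSopsUserSecrets sopsDir cfg.owner cfg.user;`. Moving the built-in `email` and `nix` groups out of `config.secrets` into the `system` let-binding also changes merge semantics: a freeform `secrets.email = [ … ]` from another module no longer concatenates with `"personal"`/`"work"` through the option system but replaces them via `//`, silently dropping secrets from the rendered set — keep those two groups as module-level config, or merge with `lib.zipAttrsWith (_: lib.concatLists) [ builtin (lib.filterAttrs (_: lib.isList) cfg) ]`. Since every freeform entry is now rendered without an owner (as I read `mkSecrets`'s `optionalAttrs (owner != null)`, sops-nix's own default owner applies), the split deserves a comment on the option, e.g. `# freeform entries are system secrets (no owner set); per-user secrets go under secrets.user`. The name `system` is easy to confuse with the platform string in module code; `systemGroups` would read better.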
diff --git a/modules/taskwarrior/default.nix b/modules/taskwarrior/default.nix
index 7a9b99c7..4f64b577 100644
--- a/modules/taskwarrior/default.nix
+++ b/modules/taskwarrior/default.nix
@@ -8,7 +8,7 @@ in
 options.taskwarrior.enable = lib.mkEnableOption "taskwarrior";
 config = lib.mkIf cfg.enable {
- secrets.groups.taskwarrior = [
+ secrets.taskwarrior = [
 "sync-server-url"
 "sync-server-client-id"
 "sync-encryption-secret"
diff --git a/utils/secrets.nix b/utils/secrets.nix
index 4487e66e..dab039dc 100644
--- a/utils/secrets.nix
+++ b/utils/secrets.nix
@@ -1,7 +1,7 @@
 { lib }:
-{
- mkSopsSecrets =
+let
+ mkSecrets =
 sopsDir: owner: groups:
 let
 opts = lib.optionalAttrs (owner != null) { inherit owner; };
@@ -21,6 +21,11 @@
 );
 in
 lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
+in
+{
+ mkSopsSecrets = sopsDir: mkSecrets sopsDir null;
+
+ mkSopsUserSecrets = mkSecrets;
 sopsAvailability = config: osConfig:
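Review bot: `secrets.taskwarrior` stays in the freeform (system) part of the new option, so after this patch its three sync secrets are rendered through `mkSopsSecrets` with no owner, whereas `modules/anki` in the same patch is moved under `secrets.user`. If the user's taskwarrior process reads these files directly rather than through a root-rendered `sops.templates` entry, it will lose access to them; in that case change the line to `secrets.user.taskwarrior = [`. The consumer of these secrets is not in the hunk, so this is inferred from the parallel anki change.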
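Review bot: `mkSecrets`'s `owner` parameter now encodes the public system-vs-user distinction, but the `owner != null` branch in utils/secrets.nix is undocumented at the definition. A comment above `mkSecrets =` such as `# owner == null: emit no owner attribute, so sops-nix's default ownership applies; otherwise the secrets are owned by that user` would make the contract visible where it is implemented. The `mkSopsSecrets = sopsDir: mkSecrets sopsDir null;` binding that relies on it sits in the following hunk, which is cut off at the end of this view.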