chore: update lockfile

refactor(secrets): simplify secrets
refactor(backups): simplify backups module
2026-04-21 22:08:28 +02:00 · 2026-04-21 22:08:28 +02:00 · 2026-04-21 21:39:23 +02:00 · 2026-04-21 21:39:17 +02:00 · 2026-04-21 21:38:55 +02:00 · 2026-04-21 21:37:31 +02:00
19 changed files with 151 additions and 134 deletions
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
--- a/.gitignore
+++ b/.gitignore
@@ -9,4 +9,5 @@ result-*

 nixos-efi-vars.fd

-/.pre-commit-config.yaml
+.direnv/
+.pre-commit-config.yaml
--- a/deploy/colmena.nix
+++ b/deploy/colmena.nix
@@ -21,11 +21,7 @@ in
 inputs.colmena.lib.makeHive (
  {
    meta = {
-      nixpkgs = import inputs.nixpkgs {
-        localSystem = "x86_64-linux";
-      };
-
-      nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
+      nixpkgs = import inputs.nixpkgs { localSystem = "x86_64-linux"; };
      specialArgs = {
        inherit inputs;
        outputs = self;
--- a/flake.lock
+++ b/flake.lock
@@ -284,11 +284,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775585728,
-        "narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
+        "lastModified": 1776796298,
+        "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "580633fa3fe5fc0379905986543fd7495481913d",
+        "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad",
        "type": "github"
      },
      "original": {
@@ -398,10 +398,10 @@
    "nix-secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1776422417,
-        "narHash": "sha256-9R4MePj/UT0tqkWEq4Afg7Lp/zdfYHkW+qmpVGchKIs=",
+        "lastModified": 1776723456,
+        "narHash": "sha256-GBbbm05oXYqSZ2EgxQPsNpTKl16wNhvrlUxdmv0FbSU=",
        "ref": "main",
-        "rev": "75759a14e8d46421fca4306393a38b5ad5240f09",
+        "rev": "135b681d24af6ee4508bbf7c657982d7be8743d4",
        "shallow": true,
        "type": "git",
        "url": "ssh://git@github.com/hektor/nix-secrets"
--- a/home/hosts/andromache/default.nix
+++ b/home/hosts/andromache/default.nix
@@ -25,6 +25,7 @@
    ../../modules/nvim
    ../../modules/pandoc
    ../../modules/photography
+    ../../modules/secrets
    ../../modules/shell
    ../../modules/ssh
    ../../modules/taskwarrior
--- a/home/modules/anki/default.nix
+++ b/home/modules/anki/default.nix
@@ -13,10 +13,12 @@ let
  standalone = osConfig == null;
 in
 lib.optionalAttrs standalone {
-  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [
-    "sync-user"
-    "sync-key"
-  ] { };
+  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+    anki = [
+      "sync-user"
+      "sync-key"
+    ];
+  };
 }
 // {
  warnings = lib.optional (
--- a/home/modules/taskwarrior/default.nix
+++ b/home/modules/taskwarrior/default.nix
@@ -15,11 +15,13 @@ let
 in
 lib.optionalAttrs standalone {
  sops = {
-    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [
-      "sync-server-url"
-      "sync-server-client-id"
-      "sync-encryption-secret"
-    ] { };
+    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+      taskwarrior = [
+        "sync-server-url"
+        "sync-server-client-id"
+        "sync-encryption-secret"
+      ];
+    };

    templates."taskrc.d/sync" = {
      content = ''
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -57,6 +57,7 @@ in

  secrets.nixSigningKey.enable = true;

+  restic-backup.enable = true;
  tailscale.enable = true;

  docker.enable = true;
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -53,6 +53,7 @@ in

  secrets.nixSigningKey.enable = true;

+  restic-backup.enable = true;
  tailscale.enable = true;
  docker.enable = true;
  nfc.enable = true;
--- a/hosts/eetion/default.nix
+++ b/hosts/eetion/default.nix
@@ -9,9 +9,12 @@
    ./host.nix
    ../../modules/common
    ../../modules/ssh
+    ../../modules/tailscale
    # ../../modules/uptime-kuma
  ];

+  tailscale.enable = true;
+
  ssh = {
    authorizedHosts = [
      "andromache"
--- a/modules/ai-tools/default.nix
+++ b/modules/ai-tools/default.nix
@@ -1,15 +1,14 @@
-{ config, myUtils, ... }:
+{ config, ... }:

 let
-  inherit (config.secrets) sopsDir;
  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
+  inherit (config.secrets) owner;
 in
 {
-  config.sops = {
-    secrets = myUtils.mkSopsSecrets sopsDir "opencode" [ "api-key" ] { inherit owner; };
+  config = {
+    secrets.groups.opencode = [ "api-key" ];

-    templates."opencode/auth.json" = {
+    sops.templates."opencode/auth.json" = {
      inherit owner;
      path = "/home/${username}/.local/share/opencode/auth.json";
      content = ''
--- a/modules/anki/default.nix
+++ b/modules/anki/default.nix
@@ -1,12 +1,6 @@
-{ config, myUtils, ... }:
-
-let
-  inherit (config.secrets) sopsDir;
-  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
-in
 {
-  config.sops = {
-    secrets = myUtils.mkSopsSecrets sopsDir "anki" [ "sync-user" "sync-key" ] { inherit owner; };
-  };
+  config.secrets.groups.anki = [
+    "sync-user"
+    "sync-key"
+  ];
 }
--- a/modules/backups/default.nix
+++ b/modules/backups/default.nix
@@ -1,57 +1,53 @@
 {
  lib,
  config,
-  myUtils,
  ...
 }:

 let
  cfg = config.restic-backup;
-  inherit (config.secrets) sopsDir;
+  host = config.networking.hostName;
 in
 {
-  options = {
-    restic-backup = {
-      repository = lib.mkOption {
-        type = lib.types.str;
-        default = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
-      };
+  options.restic-backup = {
+    enable = lib.mkEnableOption "restic backups";

-      passwordFile = lib.mkOption {
-        type = lib.types.str;
-        default = config.sops.secrets."restic/password".path;
-      };
+    passwordFile = lib.mkOption {
+      type = lib.types.str;
+      default = config.sops.secrets."restic/password".path;
+    };

-      paths = lib.mkOption {
-        type = lib.types.listOf lib.types.str;
-        default = [ "/home" ];
-      };
+    paths = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ "/home" ];
    };
  };

-  config = {
-    sops = {
-      secrets = lib.mkMerge [
-        (myUtils.mkSopsSecrets sopsDir "restic" [ "password" ] { })
-        (myUtils.mkSopsSecrets sopsDir "backblaze-b2" [ "bucket-name" "account-id" "account-key" ] { })
+  config = lib.mkIf cfg.enable {
+    secrets.groups = {
+      restic = [ "password" ];
+      backblaze-b2 = [
+        "bucket-name"
+        "account-id"
+        "account-key"
      ];
-      templates = {
-        "restic/repo-${config.networking.hostName}" = {
-          content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
-        };
-        "restic/b2-env-${config.networking.hostName}" = {
-          content = ''
-            B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
-            B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
-          '';
-        };
+    };
+
+    sops.templates = {
+      "restic/repo-${host}" = {
+        content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
+      };
+      "restic/b2-env-${host}" = {
+        content = ''
+          B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
+          B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
+        '';
      };
    };

    services.restic.backups.home = {
-      repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
-      inherit (cfg) passwordFile;
-      inherit (cfg) paths;
+      repositoryFile = config.sops.templates."restic/repo-${host}".path;
+      inherit (cfg) passwordFile paths;
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
@@ -64,7 +60,7 @@ in
        "--keep-monthly 6"
        "--keep-yearly 1"
      ];
-      environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
+      environmentFile = config.sops.templates."restic/b2-env-${host}".path;
    };
  };
 }
--- a/modules/hcloud/default.nix
+++ b/modules/hcloud/default.nix
@@ -1,14 +1,13 @@
 {
  lib,
  config,
-  myUtils,
  ...
 }:

 let
  cfg = config.hcloud;
  inherit (config.host) username;
-  inherit (config.secrets) sopsDir;
+  inherit (config.secrets) owner;
 in
 {
  options.hcloud = {
@@ -16,12 +15,10 @@ in
  };

  config = lib.mkIf cfg.enable {
-    sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] {
-      owner = config.users.users.${username}.name;
-    };
+    secrets.groups.hcloud = [ "api-token" ];

    sops.templates."hcloud/cli.toml" = {
-      owner = config.users.users.${username}.name;
+      inherit owner;
      path = "/home/${username}/.config/hcloud/cli.toml";
      content = ''
        active_context = "server"
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -12,7 +12,6 @@ let
  inherit (config.host) username;
  inherit (cfg) sopsDir;
  owner = config.users.users.${username}.name;
-  mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
 in
 {
  imports = [ inputs.sops-nix.nixosModules.sops ];
@@ -24,6 +23,15 @@ in
        default = "${toString inputs.nix-secrets}/secrets";
      };

+      groups = lib.mkOption {
+        type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+        default = { };
+      };
+
+      owner = lib.mkOption {
+        type = lib.types.unspecified;
+      };
+
      nixSigningKey = {
        enable = lib.mkEnableOption "nix signing key configuration";
      };
@@ -35,27 +43,28 @@ in
  };

  config = {
+    secrets = {
+      inherit owner;
+      groups = {
+        email = [
+          "personal"
+          "work"
+        ];
+        nix = lib.optional cfg.nixSigningKey.enable "signing-key";
+      };
+    };
+
    sops = {
      # for yubikey, generate as follows:
      # ```
      # age-plugin-yubikey --identity > <keyfile-path>
      # ```
      age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
-
-      secrets = lib.mkMerge [
-        (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
-        (lib.mkIf cfg.nixSigningKey.enable {
-          nix-signing-key = {
-            sopsFile = "${sopsDir}/nix.yaml";
-            key = "signing-key";
-            inherit owner;
-          };
-        })
-      ];
+      secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
    };

    nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
-      config.sops.secrets.nix-signing-key.path
+      config.sops.secrets."nix/signing-key".path
    ];

    services = {
--- a/modules/taskwarrior/default.nix
+++ b/modules/taskwarrior/default.nix
@@ -1,19 +1,17 @@
-{ config, myUtils, ... }:
+{ config, ... }:

 let
-  inherit (config.secrets) sopsDir;
-  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
+  inherit (config.secrets) owner;
 in
 {
-  config.sops = {
-    secrets = myUtils.mkSopsSecrets sopsDir "taskwarrior" [
+  config = {
+    secrets.groups.taskwarrior = [
      "sync-server-url"
      "sync-server-client-id"
      "sync-encryption-secret"
-    ] { inherit owner; };
+    ];

-    templates."taskrc.d/sync" = {
+    sops.templates."taskrc.d/sync" = {
      inherit owner;
      content = ''
        sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}
--- a/utils/default.nix
+++ b/utils/default.nix
@@ -1,41 +1,12 @@
 { lib }:

+let
+  hosts = import ./hosts.nix;
+  secrets = import ./secrets.nix { inherit lib; };
+in
 {
  dirNames =
    path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
-
-  hostMeta =
-    hostDir:
-    if builtins.pathExists (hostDir + "/meta.nix") then
-      import (hostDir + "/meta.nix")
-    else
-      throw "meta.nix required in ${hostDir}";
-
-  mkSopsSecrets =
-    sopsDir: group: names: extraOpts:
-    let
-      file = "${group}.yaml";
-    in
-    lib.foldl' lib.mergeAttrs { } (
-      map (name: {
-        "${group}/${name}" = {
-          sopsFile = "${sopsDir}/${file}";
-          key = name;
-        }
-        // extraOpts;
-      }) names
-    );
-
-  sopsAvailability =
-    config: osConfig:
-    let
-      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
-      hmSopsAvailable = config ? sops && config.sops ? secrets;
-      preferOs = osSopsAvailable;
-    in
-    {
-      available = osSopsAvailable || hmSopsAvailable;
-      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
-      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
-    };
 }
+// hosts
+// secrets
--- a/utils/hosts.nix
+++ b/utils/hosts.nix
@@ -0,0 +1,8 @@
+{
+  hostMeta =
+    hostDir:
+    if builtins.pathExists (hostDir + "/meta.nix") then
+      import (hostDir + "/meta.nix")
+    else
+      throw "meta.nix required in ${hostDir}";
+}
--- a/utils/secrets.nix
+++ b/utils/secrets.nix
@@ -0,0 +1,37 @@
+{ lib }:
+
+{
+  mkSopsSecrets =
+    sopsDir: owner: groups:
+    let
+      opts = lib.optionalAttrs (owner != null) { inherit owner; };
+      mkGroup =
+        group: names:
+        let
+          file = "${group}.yaml";
+        in
+        lib.foldl' lib.mergeAttrs { } (
+          map (name: {
+            "${group}/${name}" = {
+              sopsFile = "${sopsDir}/${file}";
+              key = name;
+            }
+            // opts;
+          }) names
+        );
+    in
+    lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
+
+  sopsAvailability =
+    config: osConfig:
+    let
+      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
+      hmSopsAvailable = config ? sops && config.sops ? secrets;
+      preferOs = osSopsAvailable;
+    in
+    {
+      available = osSopsAvailable || hmSopsAvailable;
+      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
+      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
+    };
+}
Author	SHA1	Message	Date
hektor	db2bbb86ba	chore: update lockfile	2026-04-21 22:08:28 +02:00
hektor	72c3710a3c	refactor(secrets): simplify secrets	2026-04-21 22:08:28 +02:00
hektor	b62f3c20ac	refactor(backups): simplify backups module	2026-04-21 21:39:23 +02:00
hektor	dd31da5a8f	fix: add home manager 'secrets' module to andromache	2026-04-21 21:39:17 +02:00
hektor	bc6d8b6305	fix: remove nodeNixpkgs from colmena	2026-04-21 21:38:55 +02:00
hektor	fce3aa45ec	refactor: modularize utils	2026-04-21 21:37:31 +02:00
hektor	949917a809	feat(direnv): set up direnv using '.envrc'	2026-04-21 21:37:25 +02:00
hektor	0dd1ecef91	feat: set up tailscale on 'eetion' host	2026-04-21 21:37:17 +02:00