From ed8a15bfeab7ee568bf8abc67309a730afa58b6b Mon Sep 17 00:00:00 2001
From: cy
Date: Mon, 16 Dec 2024 21:45:58 -0500
Subject: [PATCH] secrets: migrate ytnix to new structure

---
hosts/ytnix/.sops.yaml | 7 -------
hosts/ytnix/default.nix | 28 ++++++++++++++++------------
hosts/ytnix/secrets.yaml | 29 -----------------------------
3 files changed, 16 insertions(+), 48 deletions(-)
delete mode 100644 hosts/ytnix/.sops.yaml
delete mode 100644 hosts/ytnix/secrets.yaml

diff --git a/hosts/ytnix/.sops.yaml b/hosts/ytnix/.sops.yaml
deleted file mode 100644
index 99be1e4..0000000
--- a/hosts/ytnix/.sops.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-keys:
- - &primary age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
-creation_rules:
- - path_regex: secrets.yaml$
- key_groups:
- - age:
- - *primary
diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix
index 72c495b..5c8868b 100644
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@@ -11,15 +11,19 @@
../common.nix
];

- sops.defaultSopsFile = ./secrets.yaml;
- sops.defaultSopsFormat = "yaml";
- sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
- "borg/yt" = {};
- "azure" = {};
- "ntfy" = {};
- "wireguard/private" = {};
- "wireguard/psk" = {};
+ "services/borg/yt" = {
+ sopsFile = ../../secrets/services/borg/yt.yaml;
+ };
+ "services/ntfy" = {
+ sopsFile = ../../secrets/services/ntfy.yaml;
+ };
+ "wireguard/yt/private" = {
+ sopsFile = ../../secrets/wireguard/yt.yaml;
+ };
+ "wireguard/yt/psk" = {
+ sopsFile = ../../secrets/wireguard/yt.yaml;
+ };
};

boot = {
@@ -183,7 +187,7 @@
repo = "de3911@de3911.rsync.net:borg/yt";
encryption = {
mode = "repokey-blake2";
- passCommand = "cat /run/secrets/borg/yt";
+ passCommand = ''cat ${config.sops.secrets."borg/yt/rsyncnet".path}"'';
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
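Review bot: Removing `sops.age.keyFile` in the first default.nix hunk leaves this host with no visible age key source; unless ../common.nix or another shared module sets it, sops-nix falls back to its SSH-host-key defaults, and the new per-secret `sopsFile`s would then have to be encrypted to that key rather than to the `age1sy0at…` recipient the deleted .sops.yaml used. If the key is now configured in the shared module, a comment above `sops.secrets` such as `# age key file is set in ../common.nix; every secret names its own sopsFile` would save the next reader the lookup. The enclosing module attribute set starts and ends outside the hunk.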
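Review bot: The new `passCommand` produces a broken shell command: the indented string `''cat ${config.sops.secrets."borg/yt/rsyncnet".path}"''` ends with a literal `"`, so borg runs `cat <path>"` and fails on an unterminated quote. It also reads `config.sops.secrets."borg/yt/rsyncnet"` while the first hunk of this file declares `"services/borg/yt"`; unless that name is declared in another module, evaluation fails with a missing attribute, and if it is declared elsewhere the `sopsFile` set here is never used. The same mismatch appears in the next hunk, where the ntfy hook reads `"services/ntfy/ntfy"` but the declared secret is `"services/ntfy"`. Suggested: `passCommand = "cat ${config.sops.secrets."services/borg/yt".path}";` here and `$(cat ${config.sops.secrets."services/ntfy".path})` in the hook. The enclosing borgbackup job definition starts and ends outside the hunk.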
@@ -195,7 +199,7 @@
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
- ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "ytnixRsync: backup completed with exit code: $exitStatus
+ ${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy/ntfy".path}) -d "ytnixRsync: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
@@ -284,14 +288,14 @@
# wireguard setup
networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
- privateKeyFile = "/run/secrets/wireguard/private";
+ privateKeyFile = config.sops.secrets."wireguard/yt/private".path;
peers = [
{
publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
allowedIPs = ["0.0.0.0/0" "::/0"];
endpoint = "31.59.129.225:51820";
persistentKeepalive = 25;
- presharedKeyFile = "/run/secrets/wireguard/psk";
+ presharedKeyFile = config.sops.secrets."wireguard/yt/psk".path;
}
];
};
diff --git a/hosts/ytnix/secrets.yaml b/hosts/ytnix/secrets.yaml
deleted file mode 100644
index 4b93538..0000000
--- a/hosts/ytnix/secrets.yaml
+++ /dev/null
@@ -1,29 +0,0 @@ -borg: - yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str] -restic: - azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str] -azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str] -ntfy: ENC[AES256_GCM,data:ZfTVhdzA1+L3B+g7tw==,iv:1dXDqYi5/zBQ9iphzjn/GHGDcl90J1NYHvHQpTsVPlg=,tag:RfB1/Zz9ITJQV89cuk9OcQ==,type:str] -wireguard: - private: ENC[AES256_GCM,data:hPfJis6gbPPguuhNBViiZDmeFSaUXsgRrCGrhTFzbySIytVuaieU0BJSJQo=,iv:tYU41JTeB7Y50RQr1b+zGCgB5voZec2Vfmd350J1Tgc=,tag:aFMZoJhMToJDuuV8dc5Acg==,type:str] - psk: ENC[AES256_GCM,data:NhQ1lYFpjTpqbkhYyEpEcBTf6vewSeGevUnvCmruoZMSGA2ZWs+le8a0tAA=,iv:aBeVhzUwzBgochk4vtdqnUv61dZ5jELh28amx8XqyFI=,tag:9TvGx+sJaicX52FitOpOdA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUmhsRDljYWJLS2tzUC90 - a1oxZGZBUy9LaFpJeTF2MmZWQnl1NU0vQkc0CklnTGszaHRCRW5GYUU1OU9NVjVH - SW02OWVXNDNSMTFyV2NUU2xTV1dlTGMKLS0tIGpKT3lQd3I0T0xEMWo2ekd1MmM3 - a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY - ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-14T23:07:47Z" - mac: 
ENC[AES256_GCM,data:GQUbR/ApVo6E5jqkGo79GDkRv7nj7Sa16ROCTg0uYO0xDmv9h/bPWBTUOfsU0G/0g3OvohLkBbmYA+hMx24xlLQzQkh8Z3dyAn9CcAJ2j9JLY7qHtSBpvafyPptvKzmPU0mnQpShgqYPCUhF6A2B2YAAvW+TknBih7eiKKeidkc=,iv:XLKIad/LZWuWUrrcXtF0UyNccLhoB0VSWXYCGDq/7Uc=,tag:lNyMV8Ses28gOj+KINem5A==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.2