treewide: don't reference <secrets> explicitly

author: tv <tv@krebsco.de> 2023-09-11 15:31:13 +0200
committer: tv <tv@krebsco.de> 2023-09-11 16:10:41 +0200
commit: 5370e0485788224126861e076110ac705013d2de (patch)
tree: 15838192c1ebf685733cbf39b3f3e37fd1ebd639 /tv
parent: 8fc162ee3d9525a2b45346a1ca8f34ccb5ef971b (diff)
10 files changed, 15 insertions, 13 deletions
diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix
index 66d74071..5b4e7510 100644
--- a/tv/2configs/binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@@ -11,7 +11,7 @@
 
   services.nix-serve = {
     enable = true;
-    secretKeyFile = toString <secrets> + "/nix-serve.key";
+    secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key";
   };
 
   services.nginx = {
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index a8d840c1..91aad54c 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -10,7 +10,6 @@ with import ./lib;
   networking.hostName = config.krebs.build.host.name;
 
   imports = [
-    <secrets>
     ./backup.nix
     ./bash
     ./htop.nix
@@ -28,6 +27,11 @@ with import ./lib;
         defaultUserShell = "/run/current-system/sw/bin/bash";
         mutableUsers = false;
         users = {
+          root = {
+            openssh.authorizedKeys.keys = [
+              config.krebs.users.tv.pubkey
+            ];
+          };
           tv = {
             inherit (config.krebs.users.tv) home uid;
             isNormalUser = true;
diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix
index 58dffe6a..102d264b 100644
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@@ -178,9 +178,7 @@ with import ./lib;
           '';
         };
       };
-    } //
-    # TODO don't put secrets/repos.nix into the store
-    import <secrets/repos.nix> { inherit config lib pkgs; }
+    }
   );
 
   irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
diff --git a/tv/2configs/initrd/sshd.nix b/tv/2configs/initrd/sshd.nix
index eff84807..d7264f07 100644
--- a/tv/2configs/initrd/sshd.nix
+++ b/tv/2configs/initrd/sshd.nix
@@ -12,6 +12,6 @@
     ignoreEmptyHostKeys = true;
   };
   boot.initrd.secrets = {
-    "/etc/ssh/ssh_host_rsa_key" = <secrets/initrd/ssh_host_rsa_key>;
+    "/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key";
   };
 }
diff --git a/tv/2configs/ppp.nix b/tv/2configs/ppp.nix
index 24d2831c..b3ae4da8 100644
--- a/tv/2configs/ppp.nix
+++ b/tv/2configs/ppp.nix
@@ -1,7 +1,7 @@
 with import ./lib;
 { config, pkgs, ... }: let
   cfg = {
-    pin = "@${toString <secrets/o2.pin>}";
+    pin = "@${config.krebs.secret.directory}/o2.pin";
     ttys.ppp = "/dev/ttyACM0";
     ttys.com = "/dev/ttyACM1";
   };
diff --git a/tv/2configs/wiregrill.nix b/tv/2configs/wiregrill.nix
index edf65e97..cace01a6 100644
--- a/tv/2configs/wiregrill.nix
+++ b/tv/2configs/wiregrill.nix
@@ -12,7 +12,7 @@ in
         optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++
         optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
       listenPort = 51820;
-      privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+      privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
       allowedIPsAsRoutes = true;
       peers = mapAttrsToList
         (_: host: {
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix
index 4a0f9950..1fdcea57 100644
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@@ -17,11 +17,11 @@ in {
     };
     ssl_dh_params = mkOption {
       type = types.absolute-pathname;
-      default = toString <secrets> + "/charybdis.dh.pem";
+      default = "${config.krebs.secret.directory}/charybdis.dh.pem";
     };
     ssl_private_key = mkOption {
       type = types.absolute-pathname;
-      default = toString <secrets> + "/charybdis.key.pem";
+      default = "${config.krebs.secret.directory}/charybdis.key.pem";
     };
     sslport = mkOption {
       type = types.int;
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 71a1a597..61fd8fdf 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -20,7 +20,7 @@ in {
     certfiles = mkOption {
       type = types.listOf types.absolute-pathname;
       default = [
-        (toString <secrets> + "/ejabberd.pem")
+        "${config.krebs.secret.directory}/ejabberd.pem"
       ];
     };
     configFile = mkOption {
diff --git a/tv/3modules/wwan.nix b/tv/3modules/wwan.nix
index 382f5a53..0cdfbf36 100644
--- a/tv/3modules/wwan.nix
+++ b/tv/3modules/wwan.nix
@@ -19,7 +19,7 @@ with import ./lib;
     };
     tv.wwan.secrets = mkOption {
       type = with types; pathname;
-      default = toString <secrets/wwan.json>;
+      default = "${config.krebs.secret.directory}/wwan.json";
       # format: {"pin1":number}
     };
   };
diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix
index eb9b1ae4..c8e23d06 100644
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@@ -9,7 +9,7 @@ in {
     };
     enable = mkEnableOption "tv.x0vncserver";
     pwfile = mkOption {
-      default = toString <secrets> + "/vncpasswd";
+      default = "${config.krebs.secret.directory}/vncpasswd";
       description = ''
         Use vncpasswd to edit pwfile.
         See: nix-shell -p tigervnc --run 'man vncpasswd'
author	tv <tv@krebsco.de>	2023-09-11 15:31:13 +0200
committer	tv <tv@krebsco.de>	2023-09-11 16:10:41 +0200
commit	5370e0485788224126861e076110ac705013d2de (patch)
tree	15838192c1ebf685733cbf39b3f3e37fd1ebd639 /tv
parent	8fc162ee3d9525a2b45346a1ca8f34ccb5ef971b (diff)