Reorganize some sops stuff

machines/sue/configuration.nix

@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  self,
+  pkgs,
+  ...
+}: {
   config = {
     pim = {
       lanzaboote.enable = true;
@@ -8,13 +12,7 @@
       wireguard.enable = true;
       compliance.enable = true;
 
-      sopsKeys = {
-        # This is the root of our secret system.
-        # Don't deploy this though; if it fails,
-        # the key will be wiped.
-        # root = ./nixos.sops.yaml;
-        pim = ./pim.sops.yaml;
-      };
+      sops-nix.usersWithSopsKeys = ["pim"];
     };
 
     users.users.pim = {
@@ -36,7 +34,7 @@
 
     sops = {
       age.keyFile = "/root/.config/sops/age/keys.txt";
-      defaultSopsFile = ./nixos.sops.yaml;
+      defaultSopsFile = "${self}/secrets/sue/nixos.yaml";
     };
 
     environment.systemPackages = with pkgs; [

machines/sue/nixos.sops.yaml

@@ -1,25 +0,0 @@
-sops_age_key: ENC[AES256_GCM,data:xKGTAF5cVgysZPbcDgs0QF92Bw6wW78n9fm2RMdeLtywn0ga4qBO8YlrIQWCc2SfFQOTZUlz0e7QWsnbZpxN4p03XF1zusU0ceM=,iv:cDjqDYR3PKx3AbLQL5QbeFK26+Cnsk2m74mHPHIozNs=,tag:C2MzZLR2cQY/gHQNTId8UA==,type:str]
-wireguard:
-    home:
-        presharedKey: ENC[AES256_GCM,data:nFOqWcdo8zG83v1ceod8Uy4wX3w2LHmDPp2PaAAJ/lUexU4DhY9RZ4wtgC8=,iv:UvzQSZZ62I+QVFHMkHczC2KPeqX8z+DodS7nxLmXr4U=,tag:otwdNc2636DJdkzg22puqQ==,type:str]
-        privateKey: ENC[AES256_GCM,data:RCQ3hvrnxCerTmKYfZFV7c9smMj5tbP+iFWouo1oxfhbec5K3uXipkL+KSg=,iv:zKSPvtDH3WcuxVpQydGScX6m0isZzLKk/F+/Wlpt/YQ=,tag:BDag2DSoHQDzg8xTS3SX3A==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWEc5K3p3QytpZ1pxeEJy
-            TUtENXdnT3ZJUGNXaHo0ZktwK21OMVJmNzA4CjdlMUtWY2hBc3U1UVZQZEllK2xC
-            NGZSK2VyQVdBRmZYejBWM0FIeFE5K2MKLS0tIEQ3MHhOcW92dlo4NUdBdFlKdEM0
-            N1Rab3RNZ00vd0xPOVBYRHphaldWU1EKNKnKPWO1l8NwWXG2e15Y3td9I0rN9Wwn
-            QdoeVf2+cPJOO5g9stZpl2DBF3QxJojt+dQhwjuEbP9nQtlVQPAlMQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-21T21:16:17Z"
-    mac: ENC[AES256_GCM,data:Z2mYTek91FLKgMpAFdRl8s2eE6r/03f9/E/XDvkwJZutI40qN6tFrDmhdPIb1U96oPGekcK9WkShIQekQIK6CiDhOAr048x2kSXvrHMZ1hg1hwO7H6jBJiFSRxM1BVBAlbcvZp5IW7e3CqfibVOgXOQvMl0CDS41ucQWV7odO6Y=,iv:7rb/VemE+cFhJ+8XUeLyp+K7FmY0XdAbgs6XWHLrV7M=,tag:vmPRTB9+EYjPLgX4qiFlXw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

machines/sue/pim.home.nix

@@ -1,4 +1,5 @@
 {
+  self,
   pkgs,
   config,
   ...
@@ -22,7 +23,7 @@
     };
 
     sops = {
-      defaultSopsFile = ./pim.sops.yaml;
+      defaultSopsFile = "${self}/secrets/sue/pim.yaml";
       age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
       secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
     };