From 5370e0485788224126861e076110ac705013d2de Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 11 Sep 2023 15:31:13 +0200
Subject: treewide: don't reference explicitly
---
tv/2configs/binary-cache/default.nix | 2 +-
tv/2configs/default.nix | 6 +++++-
tv/2configs/gitrepos.nix | 4 +---
tv/2configs/initrd/sshd.nix | 2 +-
tv/2configs/ppp.nix | 2 +-
tv/2configs/wiregrill.nix | 2 +-
tv/3modules/charybdis/default.nix | 4 ++--
tv/3modules/ejabberd/default.nix | 2 +-
tv/3modules/wwan.nix | 2 +-
tv/3modules/x0vncserver.nix | 2 +-
10 files changed, 15 insertions(+), 13 deletions(-)
(limited to 'tv')
diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix
index 66d740715..5b4e75107 100644
--- a/tv/2configs/binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@@ -11,7 +11,7 @@
 services.nix-serve = {
 enable = true;
- secretKeyFile = toString + "/nix-serve.key";
+ secretKeyFile = "${config.krebs.secret.directory}/nix-serve.key";
 };
 services.nginx = {
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index a8d840c15..91aad54cf 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -10,7 +10,6 @@ with import ./lib;
 networking.hostName = config.krebs.build.host.name;
 imports = [
- ./backup.nix
 ./bash
 ./htop.nix
@@ -28,6 +27,11 @@ with import ./lib;
 defaultUserShell = "/run/current-system/sw/bin/bash";
 mutableUsers = false;
 users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
+ ];
+ };
 tv = {
 inherit (config.krebs.users.tv) home uid;
 isNormalUser = true;
diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix
index 58dffe6a6..102d264b6 100644
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@@ -178,9 +178,7 @@ with import ./lib;
 '';
 };
 };
- } //
- # TODO don't put secrets/repos.nix into the store
- import { inherit config lib pkgs; }
+ }
 );
 irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
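Review bot: The new `secretKeyFile` value interpolates `config.krebs.secret.directory` into a string, which keeps the key out of the Nix store only as long as that option holds a string and not a Nix path value; if it could ever be a path, `"${...}"` would copy the whole secrets directory into the world-readable store. The option's type is not visible in this diff, so it is worth confirming it is a string-like type, or pinning that with a comment next to the option, e.g. `# must stay a string: interpolating a path value copies the directory into /nix/store`. The same pattern is used in the sshd, ppp, wiregrill, charybdis, ejabberd, wwan and x0vncserver hunks, so one comment at the option definition covers them all. The removed lines appear to have lost a token in rendering, so the old expressions cannot be read in full here.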
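Review bot: Dropping `./backup.nix` from `imports` is not covered by the commit subject and has no replacement anywhere in this diff, so it reads as an unrelated change that silently removes the host's backup configuration. If that is intended, it would be clearer as its own commit or at least a sentence in the description saying where the backup configuration went; if not, the line should stay.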
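Review bot: Adding `config.krebs.users.tv.pubkey` to root's `openssh.authorizedKeys.keys` enables direct key-based root login over SSH, which changes the host's exposure and is not mentioned in the commit subject. Whether it takes effect depends on the sshd `PermitRootLogin` setting, which is not in this diff; if root login is intended, `prohibit-password` keeps it restricted to key authentication. A short comment on the `root = {` line stating why root needs this key would make the intent reviewable later.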
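Review bot: Removing the `// import { inherit config lib pkgs; }` merge (and its TODO) drops every repository definition that file contributed, and no replacement that reads them via `config.krebs.secret.directory` appears in this diff. If those definitions are meant to survive, they need to be sourced some other way; if they are intentionally gone, the commit description should say so, since the TODO was about not leaking them into the store rather than about removing them. The enclosing expression starts before this hunk, so the full attrset being closed by the new `}` is not visible here.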
diff --git a/tv/2configs/initrd/sshd.nix b/tv/2configs/initrd/sshd.nix
index eff848074..d7264f073 100644
--- a/tv/2configs/initrd/sshd.nix
+++ b/tv/2configs/initrd/sshd.nix
@@ -12,6 +12,6 @@
 ignoreEmptyHostKeys = true;
 };
 boot.initrd.secrets = {
- "/etc/ssh/ssh_host_rsa_key" = ;
+ "/etc/ssh/ssh_host_rsa_key" = "${config.krebs.secret.directory}/initrd/ssh_host_rsa_key";
 };
 }
diff --git a/tv/2configs/ppp.nix b/tv/2configs/ppp.nix
index 24d2831c4..b3ae4da89 100644
--- a/tv/2configs/ppp.nix
+++ b/tv/2configs/ppp.nix
@@ -1,7 +1,7 @@
 with import ./lib; { config, pkgs, ... }: let cfg = {
- pin = "@${toString }";
+ pin = "@${config.krebs.secret.directory}/o2.pin";
 ttys.ppp = "/dev/ttyACM0";
 ttys.com = "/dev/ttyACM1";
 };
diff --git a/tv/2configs/wiregrill.nix b/tv/2configs/wiregrill.nix
index edf65e979..cace01a6b 100644
--- a/tv/2configs/wiregrill.nix
+++ b/tv/2configs/wiregrill.nix
@@ -12,7 +12,7 @@ in optional (cfg.net.ip4 != null) cfg.net.ip4.addr ++ optional (cfg.net.ip6 != null) cfg.net.ip6.addr;
 listenPort = 51820;
- privateKeyFile = (toString ) + "/wiregrill.key";
+ privateKeyFile = "${config.krebs.secret.directory}/wiregrill.key";
 allowedIPsAsRoutes = true;
 peers = mapAttrsToList (_: host: {
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix
index 4a0f99503..1fdcea572 100644
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@@ -17,11 +17,11 @@ in {
 };
 ssl_dh_params = mkOption {
 type = types.absolute-pathname;
- default = toString + "/charybdis.dh.pem";
+ default = "${config.krebs.secret.directory}/charybdis.dh.pem";
 };
 ssl_private_key = mkOption {
 type = types.absolute-pathname;
- default = toString + "/charybdis.key.pem";
+ default = "${config.krebs.secret.directory}/charybdis.key.pem";
 };
 sslport = mkOption {
 type = types.int;
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 71a1a597a..61fd8fdf1 100644
--- a/tv/3modules/ejabberd/default.nix
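Review bot: The new `ssl_dh_params` and `ssl_private_key` defaults now depend on `config`, so each `mkOption` should also carry a `defaultText`, otherwise documentation generation has to evaluate the host config just to render the default, e.g. `defaultText = "\${config.krebs.secret.directory}/charybdis.dh.pem";`. The same applies to the ejabberd `certfiles`, wwan `tv.wwan.secrets` and x0vncserver `pwfile` defaults in the later hunks. With `types.absolute-pathname` as the type, it may also be worth a one-line comment that the value is deliberately a string so the key file is never copied into the store.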
+++ b/tv/3modules/ejabberd/default.nix
@@ -20,7 +20,7 @@ in {
 certfiles = mkOption {
 type = types.listOf types.absolute-pathname;
 default = [
- (toString + "/ejabberd.pem")
+ "${config.krebs.secret.directory}/ejabberd.pem"
 ];
 };
 configFile = mkOption {
diff --git a/tv/3modules/wwan.nix b/tv/3modules/wwan.nix
index 382f5a535..0cdfbf36c 100644
--- a/tv/3modules/wwan.nix
+++ b/tv/3modules/wwan.nix
@@ -19,7 +19,7 @@ with import ./lib;
 };
 tv.wwan.secrets = mkOption {
 type = with types; pathname;
- default = toString ;
+ default = "${config.krebs.secret.directory}/wwan.json"; # format: {"pin1":number}
 };
 };
diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix
index eb9b1ae4e..c8e23d06e 100644
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@@ -9,7 +9,7 @@ in {
 };
 enable = mkEnableOption "tv.x0vncserver";
 pwfile = mkOption {
- default = toString + "/vncpasswd";
+ default = "${config.krebs.secret.directory}/vncpasswd";
 description = ''
 Use vncpasswd to edit pwfile.
 See: nix-shell -p tigervnc --run 'man vncpasswd'
--
cgit v1.2.3