Move secrets to flakes
index 0e72d9962fec977563a3607002aa44910cc42f89..8be7368d8d4a2e306f8307c691948062feeb0962 100644 (file)
@@ -1,10 +1,24 @@
 { pkgs, lib, config, name, nodes, ... }:
 {
   config = {
+    deployment.secrets."secret_vars.yml" = {
+      source = builtins.toString ../../nixops/secrets/vars.yml;
+      destination = config.secrets.secretsVars;
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+    };
+
     networking.extraHosts = builtins.concatStringsSep "\n"
       (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
 
-    users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ];
+    users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+    secrets.deleteSecretsVars = true;
+    secrets.gpgKeys = [
+      ../../nixops/public_keys/Immae.pub
+    ];
+    secrets.secretsVars = "/run/keys/vars.yml";
+
     services.openssh.enable = true;
 
     services.duplyBackup.profiles.system = {
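Review bot: The `source` of `deployment.secrets."secret_vars.yml"` points at `../../nixops/secrets/vars.yml`, which under flake pure evaluation resolves to the world-readable store copy of the repository on the deployer, so this is only safe if `vars.yml` is ciphertext — the neighbouring `secrets.gpgKeys` suggests it is, but nothing in the hunk documents that invariant. I would state it next to the `source` line: `# vars.yml must be GPG-encrypted: as part of the flake it lands in the world-readable /nix/store on the deployer; keep builtins.toString (no "${...}" interpolation) so no extra store copy is made`. The `destination`/`owner`/`permissions = "0400"` triple is the right shape for a root-only secret at `/run/keys/vars.yml`, and `secrets.deleteSecretsVars = true` presumably removes the materialized file after use — worth a one-line comment confirming that lifecycle, since a reader cannot tell from here whether plaintext persists on the host. The switch from `keyFiles` to a single `keys` entry narrows root's authorized keys to `myEnv.sshd.rootKeys.nix_repository`; that looks intentional, but confirm no other key from the old `id_ed25519.pub` file was relied on for deployment access.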