authorschererleander <leander@schererleander.de>2026-03-14 21:31:02 +0100
committerschererleander <leander@schererleander.de>2026-03-14 21:31:02 +0100
commita4f94bd55d6a732e63b75fa69ddbaa21778e6eb8 (patch)
treeb04732c2a6aee8282ed0b996d6cb62b57d759e79 /modules/hosts/sachiel
parentaa378b9e01e211f62063f0b6c1ad84417b15bb7f (diff)
refactor(secrets): move secrets to host-specific modules
Diffstat (limited to 'modules/hosts/sachiel')
-rw-r--r--modules/hosts/sachiel/flake-parts.nix1
-rw-r--r--modules/hosts/sachiel/secrets.nix28
2 files changed, 18 insertions, 11 deletions
diff --git a/modules/hosts/sachiel/flake-parts.nix b/modules/hosts/sachiel/flake-parts.nix
index e30a532..d2ce465 100644
--- a/modules/hosts/sachiel/flake-parts.nix
+++ b/modules/hosts/sachiel/flake-parts.nix
@@ -4,7 +4,6 @@
specialArgs = { inherit inputs; };
modules = [
inputs.self.modules.nixos.sachiel
- inputs.self.modules.nixos.secrets
inputs.self.modules.nixos.openssh
inputs.self.modules.nixos.nginx
inputs.self.modules.nixos.nextcloud
diff --git a/modules/hosts/sachiel/secrets.nix b/modules/hosts/sachiel/secrets.nix
index c0968fd..c301477 100644
--- a/modules/hosts/sachiel/secrets.nix
+++ b/modules/hosts/sachiel/secrets.nix
@@ -7,6 +7,10 @@
defaultSopsFile = inputs.self + /secrets/secrets.yaml;
age.keyFile = "/etc/sops/age_key";
secrets = {
+ "borgbase_ssh_key" = {
+ owner = "root";
+ mode = "0600";
+ };
"nextcloud-secrets" = {
owner = "nextcloud";
group = "nextcloud";
@@ -16,7 +20,20 @@
owner = "root";
mode = "0600";
};
- # SSL certificates
+ "borg_git_repo" = {
+ owner = "root";
+ mode = "0600";
+ };
+ "borg_nextcloud_repo" = {
+ owner = "root";
+ mode = "0600";
+ };
+ "ssh_git_pubkey" = {
+ owner = "git";
+ group = "git";
+ mode = "0400";
+ path = "/var/lib/git-server/.ssh/authorized_keys";
+ };
"cert_fullchain" = {
owner = "nginx";
group = "nginx";
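Review bot: The `ssh_git_pubkey` entry sets `path = "/var/lib/git-server/.ssh/authorized_keys"`, and sops-nix materialises a `path` as a symlink to the decrypted file rather than as a regular file. Logins for the `git` user therefore depend on `/var/lib/git-server/.ssh` existing with the right ownership and on sshd's StrictModes checks accepting the symlink target, and nothing visible in this hunk establishes either. Since a public key is not confidential, it may be simpler to declare it through `users.users.git.openssh.authorizedKeys.keys` and keep sops for private material; otherwise add a comment such as `# authorized_keys for git: sops-nix symlink, parent dir must exist and be owned by git`. The old `borg_repo` name is dropped in a later hunk in favour of `borg_git_repo` and `borg_nextcloud_repo`, so any reference to `config.sops.secrets.borg_repo` outside this diff would need updating. The `secrets` attribute set opens before this hunk and closes after it.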
@@ -25,15 +42,6 @@
owner = "nginx";
group = "nginx";
};
- # Backup configuration
- "borgbase_ssh_key" = {
- owner = "root";
- mode = "0600";
- };
- "borg_repo" = {
- owner = "root";
- mode = "0600";
- };
};
};
};