sops -> clan facts

nixos/machines/chungus/configuration.nix

@@ -20,7 +20,8 @@
     ./hass-zigbee2mqtt.nix
     ./hass.nix
 
-    ./taskwarrior-autotag.nix
+    # todo: add autotag again
+    #./taskwarrior-autotag.nix
 
     ./media-audiobookshelf.nix
     ./media-castget.nix
@@ -33,7 +34,6 @@
     ./telemetry/grafana.nix
     ./telemetry/telegraf-smart.nix
     ./telemetry/telegraf.nix
-    #./telemetry/opentelemetry-hass.nix
     ./telemetry/prometheus.nix
     ./telemetry/loki.nix # todo enable this one again
 

nixos/machines/chungus/services-s3.nix

@@ -1,13 +1,14 @@
 { config, ... }:
 {
+
+  clanCore.facts.services.s3 = factsGenerator.password { name = "root"; service = "s3"; };
+
   services.minio = {
     enable = true;
     region = "home";
-    rootCredentialsFile = config.sops.secrets.minioRootCredentials.path;
+    rootCredentialsFile = config.clanCore.facts.services.s3.secret."s3.root".path;
   };
 
-  sops.secrets.minioRootCredentials = { };
-
   services.nginx = {
     enable = true;
     virtualHosts."s3.${config.networking.hostName}.private" = {

nixos/machines/chungus/taskwarrior-autotag.nix

@@ -1,28 +1,42 @@
 { config, lib, pkgs, ... }:
 
 {
-  sops.secrets.autotagTaskwarriorCa = {
+
-    owner = "taskwarrior-autotag";
+  clanCore.facts.services.taskserver = {
-    key = "taskwarriorCa";
+    secret."taskserver.ca" = { };
-  };
+    secret."taskserver.cert" = { };
-  sops.secrets.autotagTaskwarriorCertificate = {
+    secret."taskserver.key" = { };
-    owner = "taskwarrior-autotag";
+    generator.script = "";
-    key = "taskwarriorCertificate";
-  };
-  sops.secrets.autotagTaskwarriorKey = {
-    owner = "taskwarrior-autotag";
-    key = "taskwarriorKey";
   };
 
+  #sops.secrets.autotagTaskwarriorCa = {
+  #  owner = "taskwarrior-autotag";
+  #  key = "taskwarriorCa";
+  #};
+  #sops.secrets.autotagTaskwarriorCertificate = {
+  #  owner = "taskwarrior-autotag";
+  #  key = "taskwarriorCertificate";
+  #};
+  #sops.secrets.autotagTaskwarriorKey = {
+  #  owner = "taskwarrior-autotag";
+  #  key = "taskwarriorKey";
+  #};
+
   services.taskwarrior-autotag = {
     enable = true;
     recurrence = "off";
     onCalendar = "hourly";
     server = "taskd.ingolf-wagner.de:53589";
-    caFile = config.sops.secrets.autotagTaskwarriorCa.path;
+
-    certificateFile = config.sops.secrets.autotagTaskwarriorCertificate.path;
+    #caFile = config.sops.secrets.autotagTaskwarriorCa.path;
-    keyFile = config.sops.secrets.autotagTaskwarriorKey.path;
+    #certificateFile = config.sops.secrets.autotagTaskwarriorCertificate.path;
+    #keyFile = config.sops.secrets.autotagTaskwarriorKey.path;
+
     credentials = "1337/palo/ad40dce8-4b38-4011-b032-60a91b6f22cd";
+
+    caFile = config.clanCore.facts.services.taskserver.secret."taskserver.ca".path;
+    certificateFile = config.clanCore.facts.services.taskserver.secret."taskserver.cert".path;
+    keyFile = config.clanCore.facts.services.taskserver.secret."taskserver.key".path;
   };
 
 }

nixos/machines/chungus/telemetry/opentelemetry-hass.nix

@@ -1,38 +0,0 @@
-{ config, ... }:
-{
-
-  #{
-  #  name = "home-assistant";
-  #  rules = [
-  #    {
-  #      record = "home_open_window_sum";
-  #      expr = ''sum( homeassistant_binary_sensor_state{entity=~"binary_sensor\\.window_02_contact|binary_sensor\\.window_03_contact|binary_sensor\\.window_04_contact|binary_sensor\\.window_05_contact|binary_sensor\\.window_06_contact|binary_sensor\\.window_07_contact"} )'';
-  #    }
-  #  ] ++ (map
-  #    (number:
-  #      {
-  #        record = "home_at_least_n_windows_open";
-  #        expr = ''home_open_window_sum >= bool ${toString number}'';
-  #        labels.n = number;
-  #      }) [ 1 2 3 ]);
-  #};
-
-  sops.secrets.hass_long_term_token.owner = "prometheus";
-
-  services.opentelemetry-collector.settings = {
-    service.pipelines.metrics.receivers = [ "prometheus" ];
-    receivers.prometheus.config.scrape_configs = [
-      {
-        # see https://www.home-assistant.io/integrations/prometheus/
-        job_name = "home-assistant";
-        scrape_interval = "60s";
-        metrics_path = "/api/prometheus";
-        bearer_token_file = toString config.sops.secrets.hass_long_term_token.path;
-        static_configs = [{
-          targets = [ "127.0.0.1:8123" ];
-        }];
-      }
-    ];
-
-  };
-}

nixos/machines/cream/configuration.nix

@@ -21,9 +21,6 @@
 
   system.stateVersion = "22.11";
 
-  sops.secrets.pushover_user_key = { };
-  sops.secrets.pushover_api_key = { };
-
   # Use the systemd-boot EFI boot loader, not grub
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;

nixos/machines/orbi/media-nextcloud.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, factsGenerator, ... }:
 
 # don't forget the database backup before upgrading
 # -------------------------------------------------
@@ -50,8 +50,11 @@ in
     };
   };
 
-  sops.secrets.nextcloud_database_password.owner = "nextcloud";
+  #sops.secrets.nextcloud_database_password.owner = "nextcloud";
-  sops.secrets.nextcloud_root_password.owner = "nextcloud";
+  #sops.secrets.nextcloud_root_password.owner = "nextcloud";
+
+  clanCore.facts.services.nextcloud_root = factsGenerator.password { service = "nextcloud"; name = "root"; };
+  clanCore.facts.services.nextcloud_database = factsGenerator.password { service = "nextcloud"; name = "database"; };
 
   users.users.nextcloud = {
     isSystemUser = true;
@@ -72,12 +75,14 @@ in
     # mount host folders
     bindMounts = {
       rootpassword = {
-        hostPath = "/run/secrets/nextcloud_root_password";
+        #hostPath = "/run/secrets/nextcloud_root_password";
+        hostPath = config.clanCore.facts.services.nextcloud_root.secret."nextcloud.root".path;
         mountPoint = "/run/secrets/nextcloud_root_password";
         isReadOnly = true;
       };
       databasepassword = {
-        hostPath = "/run/secrets/nextcloud_database_password";
+        #hostPath = "/run/secrets/nextcloud_database_password";
+        hostPath = config.clanCore.facts.services.nextcloud_database.secret."nextcloud.database".path;
         mountPoint = "/run/secrets/nextcloud_database_password";
         isReadOnly = true;
       };