krops works, but secrets are not

configs/sterni/configuration.nix

@@ -2,9 +2,9 @@
 
   imports = [
 
-    <system/desktop>
-    ./hardware-configuration.nix
+    ../../system/desktop
 
+    ./hardware-configuration.nix
     ./packages.nix
     ./syncthing.nix
     ./tinc.nix

configs/sterni/hardware-configuration.nix

@@ -1,11 +1,11 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
 
-  imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+  imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
 
   boot.initrd.availableKernelModules =
     [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];

configs/sterni/packages.nix

@@ -1,7 +1,5 @@
 { config, lib, pkgs, ... }:
 let
-  unstable = import <nixpkgs-unstable> { };
-
   nextcloudSync = folder:
     pkgs.writers.writeBashBin "nextcloud-sync-${folder}" ''
       ${pkgs.nextcloud-client}/bin/nextcloudcmd \
@@ -13,9 +11,6 @@ let
 
 in {
 
-  # overlay included
-  nixpkgs.overlays = [ (import <mozilla-overlay/rust-overlay.nix>) ];
-
   environment.systemPackages = with pkgs; [
 
     (nextcloudSync "InstantUpload")
@@ -43,7 +38,6 @@ in {
     bitwig-studio3
     sonic-pi
     jack2
-    #unstable.sonic-visualiser
     sononym-crawler
     darktable
 

configurations.nix

@@ -1,4 +1,5 @@
 { nixosSystem, home-manager, nixpkgs-unstable, ... }: {
+
   sterni = nixosSystem {
     system = "x86_64-linux";
     modules = [
@@ -17,8 +18,11 @@
           })
         ];
 
+        # overlay included (todo?)
+        # nixpkgs.overlays = [ (import <mozilla-overlay/rust-overlay.nix>) ];
+
         # imports of modules
-        imports = [ <backup-module> <krops-lib> <cluster-module> <modules> ];
+        # imports = [ <backup-module> <krops-lib> <cluster-module> <modules> ];
       })
     ];
   };

flake.lock

@@ -290,6 +290,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1625223284,
+        "narHash": "sha256-jjLcDSU1rRiJb+n3uez23XAa7kbnPcGZTa6jIKh1GMQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "357d2c8f6087685fe35cb1889a005a4dd4cce7b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nose": {
       "flake": false,
       "locked": {
@@ -409,7 +425,9 @@
         "krops": "krops",
         "nix-doom-emacs": "nix-doom-emacs",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "secrets": "secrets",
+        "sops-nix": "sops-nix"
       }
     },
     "rotate-text": {
@@ -427,6 +445,36 @@
         "repo": "rotate-text.el",
         "type": "github"
       }
+    },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-R8u4x1+HiTKm2j3ytycGiV4UqCKiih+qGd2Pr9icvQY=",
+        "path": "/home/palo/dev/secrets",
+        "type": "path"
+      },
+      "original": {
+        "path": "/home/palo/dev/secrets",
+        "type": "path"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1632485730,
+        "narHash": "sha256-+anQTUUHxdpjLnTWqk9TJhWRYMI+1F2iVZKCq8SH4hg=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "64235a958b9ceedf98a3212c13b0dea3a504598f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -3,6 +3,11 @@
   description = "my krops file";
 
   inputs = {
+    secrets = {
+      url = "path:/home/palo/dev/secrets";
+      flake = false;
+    };
+    sops-nix.url = "github:Mic92/sops-nix";
     flake-utils.url = "github:numtide/flake-utils";
     nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
@@ -16,14 +21,13 @@
     };
     krops = {
       url = "github:Mic92/krops";
-      #url = "file:/home/palo/dev/krops-mic92-fork";
       inputs.flake-utils.follows = "flake-utils";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
-  outputs = { self, nixpkgs, home-manager, krops, flake-utils, nix-doom-emacs
-    , nixpkgs-unstable, ... }:
+  outputs = { self, sops-nix, nixpkgs, home-manager, krops, flake-utils
+    , nix-doom-emacs, nixpkgs-unstable, secrets, ... }:
     (flake-utils.lib.eachSystem [ "x86_64-linux" ] (system:
       let
 
@@ -35,7 +39,7 @@
         # deploy like this:
         #  nix run ".#deploy.sterni"
         apps.deploy = pkgs.callPackage ./krops.nix {
-          inherit writeCommand;
+          inherit writeCommand secrets;
           lib = krops.lib;
         };
 

krops.nix

@@ -1,4 +1,4 @@
-{ writeCommand, lib, ... }:
+{ writeCommand, lib, secrets }:
 let
 
   # command that ensures we use flake.nix during switch
@@ -6,41 +6,40 @@ let
     echo 'nixos-rebuild build --flake ${targetPath} -L --keep-going'
     nix-shell \
      -E "with import <nixpkgs> {}; mkShell { buildInputs = [ git (nixos { nix.package = nixFlakes; }).nixos-rebuild ]; }" \
-     --run 'nixos-rebuild build --flake ${targetPath} --keep-going --impure'
-    '';
+     --run 'nixos-rebuild build --flake ${targetPath} -L --keep-going'
+  '';
 
-  secrets = name: {
-    secrets.pass = {
-      dir = toString ~/.password-store;
-      name = "krops/${name}/secrets";
-    };
-    common_secrets.pass = {
-      dir = toString ~/.password-store;
-      name = "krops/common_secrets";
-    };
-  };
+  #secrets = name: {
+  #  secrets.pass = {
+  #    dir = toString ~/.password-store;
+  #    name = "krops/${name}/secrets";
+  #  };
+  #  common_secrets.pass = {
+  #    dir = toString ~/.password-store;
+  #    name = "krops/common_secrets";
+  #  };
+  #};
 
-  desktopSecrets = {
-    desktop_secrets.pass = {
-      dir = toString ~/.password-store;
-      name = "krops/desktop_secrets";
-    };
-  };
+  #desktopSecrets = {
+  #  desktop_secrets.pass = {
+  #    dir = toString ~/.password-store;
+  #    name = "krops/desktop_secrets";
+  #  };
+  #};
 
   source = {
 
-    # only workhorse
-    # property.file = toString ./submodules/property;
-
+    secrets.file = "${secrets}/secrets";
     assets.file = toString ./assets;
     configs.file = toString ./configs;
     library.file = toString ./library;
     modules.file = toString ./modules;
-    #mqtt.file = toString ./mqtt;
     pkgs.file = toString ./pkgs;
     system.file = toString ./system;
     "flake.nix".file = toString ./flake.nix;
+    "flake.lock".file = toString ./flake.lock;
     "configurations.nix".file = toString ./configurations.nix;
+    #mqtt.file = toString ./mqtt;
 
     #backup-module.file = toString ~/dev/backup;
     backup-module.git = {

nixos/flake.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+}

system/all/default.nix

@@ -1,10 +1,11 @@
 { lib, config, pkgs, ... }: {
+
   imports = [
 
-    #<backup-module>
-    #<krops-lib>
-    #<cluster-module>
-    #<modules>
+    ../../backup-module
+    ../../krops-lib
+    ../../cluster-module
+    ../../modules
 
     # needed
     #<home-manager/nixos>
@@ -35,7 +36,7 @@
 
   # provide overlays
   # -----------------
-  nixpkgs.overlays = [ (import <pkgs>) (import <nix-writers/pkgs>) ];
+  #nixpkgs.overlays = [ (import <pkgs>) (import <nix-writers/pkgs>) ];
 
   # allow un-free
   # -------------

system/all/tinc.nix

@@ -9,7 +9,7 @@ let
 
 in {
 
-  imports = [ <modules> ];
+  imports = [ ../../modules ];
 
   networking.firewall.trustedInterfaces = [ "tinc.private" ];
 

system/desktop/default.nix

@@ -1,7 +1,8 @@
 { config, pkgs, lib, ... }: {
 
   imports = [
-    <system/all>
+
+    ../all
 
     #./icecast.nix
     ./audio.nix