replace sops secrets with clan facts

flake.lock

@@ -129,17 +129,16 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1717008015,
-        "narHash": "sha256-dYP3/cqttXSBF6y6qAJqoUgzakpxRUrV0Ka9ktUh+n4=",
-        "ref": "refs/heads/main",
-        "rev": "f1c02bbd4653917d6f7af03a77f45380f5a39b6d",
-        "revCount": 2928,
+        "dirtyRev": "0993fe45f63e5d66dbbe9f72c7fd68c6ab6e7ea8-dirty",
+        "dirtyShortRev": "0993fe45-dirty",
+        "lastModified": 1717340201,
+        "narHash": "sha256-7Ic5EvSIhqwhC0kZuQXHZut1joQFXx8IpyH1JvEA0zo=",
         "type": "git",
-        "url": "https://git.clan.lol/clan/clan-core"
+        "url": "file:///home/palo/dev/clan-core"
       },
       "original": {
         "type": "git",
-        "url": "https://git.clan.lol/clan/clan-core"
+        "url": "file:///home/palo/dev/clan-core"
       }
     },
     "clan-fact-generators": {
@@ -151,11 +150,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1717333086,
-        "narHash": "sha256-tCxNISnHTsW8ie9Q7ZUmKpgvrZQ3yrM1OH2qiZz8h1Q=",
+        "lastModified": 1717355409,
+        "narHash": "sha256-vbLxKOgEAnYg/USlOubdWYSOCydmrm2dCI9Pqz5S+og=",
         "owner": "mrvandalo",
         "repo": "clan-fact-generators",
-        "rev": "9ebc512d865d157050b81c4d15e41403197dc447",
+        "rev": "730c5d8e6c90917692f01739ca7e2f116deb02a3",
         "type": "github"
       },
       "original": {

flake.nix

@@ -16,7 +16,7 @@
 
     clan-core = {
       url = "git+https://git.clan.lol/clan/clan-core";
-      #url = "git+file:///home/palo/dev/nixos/clan-core";
+      #url = "git+file:///home/palo/dev/clan-core";
       inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable.
       inputs.flake-parts.follows = "flake-parts";
     };
@@ -199,7 +199,7 @@
               ];
               documentation.nixos.enable = true;
               clan.static-hosts.topLevelDomain = "bear";
-              clan.static-hosts.excludeHosts = lib.mkForce [ ];
+              #clan.static-hosts.excludeHosts = lib.mkForce [ ];
               environment.systemPackages = [
                 clan-core.packages.${pkgs.system}.clan-cli
               ];
@@ -219,7 +219,7 @@
             # master key
             ./nixos/assets/ssh/palo_rsa.pub
             # backup key
-            "${config.clanCore.clanDir}/machines/chungus/facts/syncoid.ssh.id_ed25519.pub"
+            "${config.clanCore.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
           ];
         })
         # configure nix

nixos/components/yubikey.nix

@@ -36,25 +36,5 @@ with lib;
 
     ];
 
-
-    ## managed by home-manager now
-    #environment.shellInit = ''
-    #  export GPG_TTY="$(tty)"
-    #  gpg-connect-agent /bye
-    #  export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
-    #'';
-    #programs = {
-    #  ssh.startAgent = false;
-    #  gnupg.agent = {
-    #    enable = true;
-    #    enableSSHSupport = true;
-    #  };
-    #};
-
-    ## managed by home-manager now
-    #security.pam.u2f.enable = true;
-    #security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
-    #sops.secrets.yubikey_u2fAuthFile = { };
-
   };
 }

nixos/machines/bobi/syncthing.nix

@@ -1,16 +1,11 @@
 { config, pkgs, lib, ... }: {
 
-  #sops.secrets.syncthing_cert = { };
-  #sops.secrets.syncthing_key = { };
-
   services.syncthing = {
     enable = true;
     openDefaultPorts = false;
     user = "palo";
     dataDir = "/home/palo/.syncthing";
     configDir = "/home/palo/.syncthing";
-    #cert = toString config.sops.secrets.syncthing_cert.path;
-    #key = toString config.sops.secrets.syncthing_key.path;
     overrideFolders = true;
     folders = {
 

nixos/machines/cherry/tinc_retiolum.nix

@@ -1,13 +1,28 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
-  sops.secrets.tinc_retiolum_ed25519_key = { };
-  sops.secrets.tinc_retiolum_rsa_key = { };
+
+  clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
 
   networking.retiolum.port = 720;
   networking.retiolum.nodename = "sol";
 
   services.tinc.networks.retiolum = {
-    ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
-    rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+    ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
+    rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
   };
+
+  #fileSystems."/retiolum/sicily" = {
+  #  device = "//sicily.r/tonne";
+  #  fsType = "cifs";
+  #  options = [
+  #    "guest"
+  #    "nofail"
+  #    "noauto"
+  #    "ro"
+  #    "rsize=16777216"
+  #    "cache=loose"
+  #    "x-systemd.after=network.target"
+  #  ];
+  #};
+
 }

nixos/machines/cherry/wireguard.nix

@@ -1,11 +1,7 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
 
-  # todo generator here
-  clanCore.facts.services.wireguard = {
-    secret."wireguard.private" = { };
-    generator.script = "";
-  };
+  clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
 
   # Enable WireGuard
   networking.wg-quick.interfaces = {
@@ -14,7 +10,7 @@
     wg0 = {
       address = [ "10.100.0.7/32" ];
       listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-      privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.private".path;
+      privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
 
       mtu = 1280;
 

nixos/machines/chungus/network-tinc-retiolum.nix

@@ -1,13 +1,12 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
-  sops.secrets.tinc_retiolum_ed25519_key = { };
-  sops.secrets.tinc_retiolum_rsa_key = { };
+  clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
 
   networking.retiolum.port = 720;
   networking.retiolum.nodename = "centauri";
 
   services.tinc.networks.retiolum = {
-    ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
-    rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+    ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
+    rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
   };
 }

nixos/machines/chungus/sync-rbackup.nix

@@ -1,32 +1,32 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
-  sops.secrets.rsync_private_key = { };
+  clanCore.facts.services.rbackup = factsGenerator.ssh { name = "rbackup"; };
 
   # todo : replace all of them with syncoid
   rbackup.plans = {
     git = {
-      sshKeyPath = config.sops.secrets.rsync_private_key.path;
+      sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
       src = "root@orbi:/var/lib/forgejo/";
       dst = "/mirror/git";
     };
     taskwarrior = {
-      sshKeyPath = config.sops.secrets.rsync_private_key.path;
+      sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
       src = "root@orbi:/var/lib/taskserver/";
       dst = "/mirror/taskwarrior";
     };
     vaultwarden = {
-      sshKeyPath = config.sops.secrets.rsync_private_key.path;
+      sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
       src = "root@orbi:/var/lib/bitwarden_rs/";
       dst = "/mirror/vaultwarden";
     };
     radarr = {
-      sshKeyPath = config.sops.secrets.rsync_private_key.path;
+      sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
       src = "root@orbi:/media/arr/radarr";
       dst = "/media/arr/radarr";
       delete = false;
     };
     sonarr = {
-      sshKeyPath = config.sops.secrets.rsync_private_key.path;
+      sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
       src = "root@orbi:/media/arr/sonarr";
       dst = "/media/arr/sonarr";
       delete = false;

nixos/machines/chungus/sync-syncoid.nix

@@ -1,15 +1,7 @@
-{ pkgs, config, ... }:
+{ pkgs, config, factsGenerator, ... }:
 {
 
-  clanCore.facts.services.syncoid = {
-    secret."syncoid.ssh.id_ed25519" = { };
-    public."syncoid.ssh.id_ed25519.pub" = { };
-    generator.path = with pkgs; [ coreutils openssh ];
-    generator.script = ''
-      ssh-keygen -t ed25519 -N "" -f $secrets/syncoid.ssh.id_ed25519
-      mv $secrets/syncoid.ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub
-    '';
-  };
+  clanCore.facts.services.syncoid = factsGenerator.ssh { name = "syncoid"; };
 
   services.syncoid = {
     enable = true;
@@ -30,17 +22,17 @@
 
     # remote
     commands.matrix-terranix = {
-      sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
+      sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
       source = "root@orbi:zroot/matrix-terranix";
       target = "zraid/mirror/matrix-terranix"; # should not be created up front!
     };
     commands.nextcloud = {
-      sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
+      sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
       source = "root@orbi:zroot/nextcloud";
       target = "zraid/mirror/nextcloud"; # should not be created up front!
     };
     commands.photoprism = {
-      sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
+      sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
       source = "root@orbi:zmedia/photoprism";
       target = "zraid/mirror/photoprism"; # should not be created up front!
     };

nixos/machines/cream/tinc_retiolum.nix

@@ -1,27 +1,27 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
-  sops.secrets.tinc_retiolum_ed25519_key = { };
-  sops.secrets.tinc_retiolum_rsa_key = { };
+
+  clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
 
   networking.retiolum.port = 720;
   networking.retiolum.nodename = "sol";
 
   services.tinc.networks.retiolum = {
-    ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
-    rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+    ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
+    rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
   };
 
-  fileSystems."/retiolum/sicily" = {
-    device = "//sicily.r/tonne";
-    fsType = "cifs";
-    options = [
-      "guest"
-      "nofail"
-      "noauto"
-      "ro"
-      "rsize=16777216"
-      "cache=loose"
-      "x-systemd.after=network.target"
-    ];
-  };
+  #fileSystems."/retiolum/sicily" = {
+  #  device = "//sicily.r/tonne";
+  #  fsType = "cifs";
+  #  options = [
+  #    "guest"
+  #    "nofail"
+  #    "noauto"
+  #    "ro"
+  #    "rsize=16777216"
+  #    "cache=loose"
+  #    "x-systemd.after=network.target"
+  #  ];
+  #};
 }

nixos/machines/mobi/syncthing.nix

@@ -1,16 +1,11 @@
 { config, pkgs, lib, ... }: {
 
-  #sops.secrets.syncthing_cert = { };
-  #sops.secrets.syncthing_key = { };
-
   services.syncthing = {
     enable = true;
     openDefaultPorts = false;
     user = "palo";
     dataDir = "/home/palo/.syncthing";
     configDir = "/home/palo/.syncthing";
-    #cert = toString config.sops.secrets.syncthing_cert.path;
-    #key = toString config.sops.secrets.syncthing_key.path;
     overrideFolders = true;
     folders = {
 

nixos/machines/sternchen/configuration.nix

@@ -21,7 +21,7 @@
   components.gui.enable = true;
   components.gui.kmonad.enable = false;
   components.gui.style.enable = false; # installes nerd-fonts which seem not to work.
-  components.gui.noti.enable = false;
+  #components.gui.noti.enable = false;
 
   components.terminal.enable = true;
   components.network.enable = true;