From a990c332990cfd16138d9b2f305d176ad59f99f0 Mon Sep 17 00:00:00 2001
From: Fabian Hauser
Date: Tue, 25 Mar 2025 16:20:33 +0200
Subject: [PATCH] Move shared secrets definition to private submodule
---
 README.md | 2 +-
 flake.lock | 8 ++++----
 nixos-modules/system/default.nix | 1 -
 nixos-modules/system/secrets.nix | 11 -----------
 private | 2 +-
 5 files changed, 6 insertions(+), 18 deletions(-)
 delete mode 100644 nixos-modules/system/secrets.nix
diff --git a/README.md b/README.md
index bd6f395..5c75a76 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git ``` Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords), -`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and +`private/nixos-modules/shared-secrets/default.sops.yaml` (shared secrets for all hosts) and `private/nixos-configurations//secrets.sops.yaml` (host specific secrets). To modify secrets:
diff --git a/flake.lock b/flake.lock
index 69bcc66..042a4e0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -170,11 +170,11 @@ ] }, "locked": { - "lastModified": 1742910348, - "narHash": "sha256-ChpGvxY5QN7otvTx4JknqIfDnnmWYHfHSVYvYG+ZJg8=", + "lastModified": 1742912471, + "narHash": "sha256-9d/7MRpDJMEguLyOnm6iuMObDc+uq09KdHJO3z8573U=", "ref": "refs/heads/main", - "rev": "f789cff29517e0240525f5a9f2007dbec3ae48e7", - "revCount": 13, + "rev": "95d25445a04f04e74266fb17412b78fc983023bd", + "revCount": 14, "type": "git", "url": "file:./private" },
diff --git a/nixos-modules/system/default.nix b/nixos-modules/system/default.nix
index 81670da..a0a0cff 100644
--- a/nixos-modules/system/default.nix
+++ b/nixos-modules/system/default.nix
@@ -11,7 +11,6 @@
 ./overlays.nix
 ./physical.nix
 ./security.nix
- ./secrets.nix
 ./virtual-machine.nix
 ];
diff --git a/nixos-modules/system/secrets.nix b/nixos-modules/system/secrets.nix
deleted file mode 100644
index 0757d74..0000000
--- a/nixos-modules/system/secrets.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ inputs, ... }:
-{
- sops.secrets =
- let
- allHostsSecretsFile = "${inputs.private}/nixos-configurations/secrets.sops.yaml";
- in
- {
- "msmtp/password".sopsFile = allHostsSecretsFile;
- "wgautomesh/gossip-secret".sopsFile = allHostsSecretsFile;
- };
-}
diff --git a/private b/private
index f789cff..95d2544 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit f789cff29517e0240525f5a9f2007dbec3ae48e7
+Subproject commit 95d25445a04f04e74266fb17412b78fc983023bd