Move shared secrets definition to private submodule

README.md

@@ -41,7 +41,7 @@ git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
 ```
 
 Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
-`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and
+`private/nixos-modules/shared-secrets/default.sops.yaml` (shared secrets for all hosts) and
 `private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets).
 
 To modify secrets:

flake.lock

@@ -170,11 +170,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742910348,
-        "narHash": "sha256-ChpGvxY5QN7otvTx4JknqIfDnnmWYHfHSVYvYG+ZJg8=",
+        "lastModified": 1742912471,
+        "narHash": "sha256-9d/7MRpDJMEguLyOnm6iuMObDc+uq09KdHJO3z8573U=",
         "ref": "refs/heads/main",
-        "rev": "f789cff29517e0240525f5a9f2007dbec3ae48e7",
-        "revCount": 13,
+        "rev": "95d25445a04f04e74266fb17412b78fc983023bd",
+        "revCount": 14,
         "type": "git",
         "url": "file:./private"
       },

nixos-modules/system/default.nix

@@ -11,7 +11,6 @@
     ./overlays.nix
     ./physical.nix
     ./security.nix
-    ./secrets.nix
     ./virtual-machine.nix
   ];
 

nixos-modules/system/secrets.nix

@@ -1,11 +0,0 @@
-{ inputs, ... }:
-{
-  sops.secrets =
-    let
-      allHostsSecretsFile = "${inputs.private}/nixos-configurations/secrets.sops.yaml";
-    in
-    {
-      "msmtp/password".sopsFile = allHostsSecretsFile;
-      "wgautomesh/gossip-secret".sopsFile = allHostsSecretsFile;
-    };
-}

private

@@ -1 +1 @@
-Subproject commit f789cff29517e0240525f5a9f2007dbec3ae48e7
+Subproject commit 95d25445a04f04e74266fb17412b78fc983023bd