From aedccbd9a055d2e3394c64cd859a2107fc99b2e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sat, 7 Feb 2026 18:46:24 +0100
Subject: [PATCH] flake: remove sops-nix (no longer used)

All secrets are now managed by OpenBao (Vault). Remove the legacy sops-nix infrastructure that is no longer in use.
Removed:
- sops-nix flake input
- system/sops.nix module
- .sops.yaml configuration file
- Age key generation from template prepare-host scripts
Updated:
- flake.nix - removed sops-nix references from all hosts
- flake.lock - removed sops-nix input
- scripts/create-host/ - removed sops references
- CLAUDE.md - removed SOPS documentation
Note: secrets/ directory should be manually removed by the user.
Co-Authored-By: Claude Opus 4.5
---
 .sops.yaml | 52 -----------------------------
 CLAUDE.md | 12 +------
 flake.lock | 23 +------------
 flake.nix | 36 +++++++++-----------
 hosts/template/scripts.nix | 6 ----
 hosts/template2/scripts.nix | 6 ----
 scripts/create-host/create_host.py | 5 ++-
 scripts/create-host/manipulators.py | 2 +-
 system/default.nix | 1 -
 system/sops.nix | 7 ----
 10 files changed, 20 insertions(+), 130 deletions(-)
 delete mode 100644 .sops.yaml
 delete mode 100644 system/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index 6530cfe..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,52 +0,0 @@ -keys: - - &admin_torjus age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u - - &server_ns1 age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0 - - &server_ns2 age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um - - &server_ha1 age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l - - &server_http-proxy age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m - - &server_ca age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk - - &server_monitoring01 age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey - - &server_jelly01 age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq - - &server_nix-cache01 age1w029fksjv0edrff9p7s03tgk3axecdkppqymfpwfn2nu2gsqqefqc37sxq - - &server_pgdb1 age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv - - &server_nats1 age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga -creation_rules: - - path_regex: secrets/[^/]+\.(yaml|json|env|ini) - key_groups: - - age: - - *admin_torjus - - *server_ns1 - - *server_ns2 - - *server_ha1 - - *server_http-proxy - - *server_ca - - *server_monitoring01 - - *server_jelly01 - - *server_nix-cache01 - - *server_pgdb1 - - *server_nats1 - - path_regex: secrets/ca/[^/]+\.(yaml|json|env|ini|) - key_groups: - - age: - - *admin_torjus - - *server_ca - - path_regex: secrets/monitoring01/[^/]+\.(yaml|json|env|ini) - key_groups: - - age: - - *admin_torjus - - *server_monitoring01 - - path_regex: secrets/ca/keys/.+ - key_groups: - - age: - - *admin_torjus - - *server_ca - - path_regex: secrets/nix-cache01/.+ - key_groups: - - age: - - *admin_torjus - - *server_nix-cache01 - - path_regex: secrets/http-proxy/.+ - key_groups: - - age: - - *admin_torjus - - *server_http-proxy diff --git a/CLAUDE.md b/CLAUDE.md index 546507f..5a9bf69 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -92,9 +92,6 @@ Secrets are managed by OpenBao (Vault) using AppRole authentication. Most hosts `vault.secrets` option defined in `system/vault-secrets.nix` to fetch secrets at boot. Terraform manages the secrets and AppRole policies in `terraform/vault/`. -Legacy sops-nix is still present but no longer actively used. Do not edit any -`.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary. - ### Git Workflow **Important:** Never commit directly to `master` unless the user explicitly asks for it. Always create a feature branch for changes. @@ -301,7 +298,7 @@ The `current_rev` label contains the git commit hash of the deployed flake confi - `default.nix` - Entry point, imports configuration.nix and services - `configuration.nix` - Host-specific settings (networking, hardware, users) - `/system/` - Shared system-level configurations applied to ALL hosts - - Core modules: nix.nix, sshd.nix, sops.nix (legacy), vault-secrets.nix, acme.nix, autoupgrade.nix + - Core modules: nix.nix, sshd.nix, vault-secrets.nix, acme.nix, autoupgrade.nix - Additional modules: motd.nix (dynamic MOTD), packages.nix (base packages), root-user.nix (root config), homelab-deploy.nix (NATS listener) - Monitoring: node-exporter and promtail on every host - `/modules/` - Custom NixOS modules 
@@ -316,13 +313,11 @@ The `current_rev` label contains the git commit hash of the deployed flake confi - `vault/` - OpenBao (Vault) secrets server - `actions-runner/` - GitHub Actions runner - `http-proxy/`, `postgres/`, `nats/`, `jellyfin/`, etc. -- `/secrets/` - SOPS-encrypted secrets with age encryption (legacy, no longer used) - `/common/` - Shared configurations (e.g., VM guest agent) - `/docs/` - Documentation and plans - `plans/` - Future plans and proposals - `plans/completed/` - Completed plans (moved here when done) - `/playbooks/` - Ansible playbooks for fleet management -- `/.sops.yaml` - SOPS configuration with age keys (legacy, no longer used) ### Configuration Inheritance @@ -369,7 +364,6 @@ Template hosts: - `nixpkgs` - NixOS 25.11 stable (primary) - `nixpkgs-unstable` - Unstable channel (available via overlay as `pkgs.unstable.`) -- `sops-nix` - Secrets management (legacy, no longer actively used) - `nixos-exporter` - NixOS module for exposing flake revision metrics (used to verify deployments) - `homelab-deploy` - NATS-based remote deployment tool for test-tier hosts - Custom packages from git.t-juice.club: @@ -397,10 +391,6 @@ Most hosts use OpenBao (Vault) for secrets: - Fallback to cached secrets in `/var/lib/vault/cache/` when Vault is unreachable - Provision AppRole credentials: `nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=` -Legacy SOPS (no longer actively used): -- SOPS with age encryption, keys in `.sops.yaml` -- Files in `/secrets/` are legacy and can be removed - ### Auto-Upgrade System All hosts pull updates daily from: diff --git a/flake.lock b/flake.lock index 63dbb4c..a46d98d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -100,28 +100,7 @@ "homelab-deploy": "homelab-deploy", "nixos-exporter": "nixos-exporter", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "sops-nix": "sops-nix" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1770145881, - "narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" + "nixpkgs-unstable": "nixpkgs-unstable" } } }, diff --git a/flake.nix b/flake.nix index 1ccd4f0..918d312 100644 --- a/flake.nix +++ b/flake.nix @@ -5,10 +5,6 @@ nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable"; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - }; alerttonotify = { url = "git+https://git.t-juice.club/torjus/alerttonotify?ref=master"; inputs.nixpkgs.follows = "nixpkgs-unstable"; @@ -28,7 +24,6 @@ self, nixpkgs, nixpkgs-unstable, - sops-nix, alerttonotify, nixos-exporter, homelab-deploy, @@ -55,7 +50,6 @@ system.configurationRevision = self.rev or self.dirtyRev or "dirty"; } ) - sops-nix.nixosModules.sops nixos-exporter.nixosModules.default homelab-deploy.nixosModules.default ./modules/homelab @@ -74,7 +68,7 @@ ns1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/ns1 @@ -83,7 +77,7 @@ ns2 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/ns2 @@ -92,7 +86,7 @@ ha1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/ha1 
@@ -101,7 +95,7 @@ template1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/template @@ -110,7 +104,7 @@ template2 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/template2 @@ -119,7 +113,7 @@ http-proxy = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/http-proxy @@ -128,7 +122,7 @@ monitoring01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/monitoring01 @@ -137,7 +131,7 @@ jelly01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/jelly01 @@ -146,7 +140,7 @@ nix-cache01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/nix-cache01 @@ -155,7 +149,7 @@ pgdb1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/pgdb1 @@ -164,7 +158,7 @@ nats1 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/nats1 @@ -173,7 +167,7 @@ vault01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/vault01 @@ -182,7 +176,7 @@ testvm01 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/testvm01 
@@ -191,7 +185,7 @@ testvm02 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/testvm02 @@ -200,7 +194,7 @@ testvm03 = nixpkgs.lib.nixosSystem { inherit system; specialArgs = { - inherit inputs self sops-nix; + inherit inputs self; }; modules = commonModules ++ [ ./hosts/testvm03 diff --git a/hosts/template/scripts.nix b/hosts/template/scripts.nix index f6209e6..a423008 100644 --- a/hosts/template/scripts.nix +++ b/hosts/template/scripts.nix @@ -2,7 +2,6 @@ let prepare-host-script = pkgs.writeShellApplication { name = "prepare-host.sh"; - runtimeInputs = [ pkgs.age ]; text = '' echo "Removing machine-id" rm -f /etc/machine-id || true @@ -22,11 +21,6 @@ let echo "Removing cache" rm -rf /var/cache/* || true - - echo "Generate age key" - rm -rf /var/lib/sops-nix || true - mkdir -p /var/lib/sops-nix - age-keygen -o /var/lib/sops-nix/key.txt ''; }; in diff --git a/hosts/template2/scripts.nix b/hosts/template2/scripts.nix index f6209e6..a423008 100644 --- a/hosts/template2/scripts.nix +++ b/hosts/template2/scripts.nix @@ -2,7 +2,6 @@ let prepare-host-script = pkgs.writeShellApplication { name = "prepare-host.sh"; - runtimeInputs = [ pkgs.age ]; text = '' echo "Removing machine-id" rm -f /etc/machine-id || true @@ -22,11 +21,6 @@ let echo "Removing cache" rm -rf /var/cache/* || true - - echo "Generate age key" - rm -rf /var/lib/sops-nix || true - mkdir -p /var/lib/sops-nix - age-keygen -o /var/lib/sops-nix/key.txt ''; }; in diff --git a/scripts/create-host/create_host.py b/scripts/create-host/create_host.py index 941fdda..8339a14 100644 --- a/scripts/create-host/create_host.py +++ b/scripts/create-host/create_host.py 
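Review bot: Dropping `rm -rf /var/lib/sops-nix || true` together with the key generation means prepare-host.sh no longer wipes that directory before the template is cloned, so a template image that was ever built with the old module (the deleted system/sops.nix set `age.generateKey = true` with the key at `/var/lib/sops-nix/key.txt`) would carry that private key into every host cloned from it. Keep a cleanup step in the text block, e.g. `echo "Removing legacy sops-nix key"` followed by `rm -rf /var/lib/sops-nix || true`, at least until all template images have been rebuilt without the key. The same applies to the identical hunk in hosts/template2/scripts.nix. The `let` binding holding prepare-host-script continues outside the hunk.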
@@ -314,11 +314,10 @@ def handle_remove( for secret_path in host_secrets: console.print(f" [white]vault kv delete secret/{secret_path}[/white]") - # Warn about secrets directory + # Warn about legacy secrets directory if secrets_exist: - console.print(f"\n[yellow]⚠️ Warning: secrets/{hostname}/ directory exists and will NOT be deleted[/yellow]") + console.print(f"\n[yellow]⚠️ Warning: secrets/{hostname}/ directory exists (legacy SOPS)[/yellow]") console.print(f" Manually remove if no longer needed: [white]rm -rf secrets/{hostname}/[/white]") - console.print(f" Also update .sops.yaml to remove the host's age key") # Exit if dry run if dry_run: diff --git a/scripts/create-host/manipulators.py b/scripts/create-host/manipulators.py index 28f7671..58a0258 100644 --- a/scripts/create-host/manipulators.py +++ b/scripts/create-host/manipulators.py @@ -219,7 +219,7 @@ def update_flake_nix(config: HostConfig, repo_root: Path, force: bool = False) - new_entry = f""" {config.hostname} = nixpkgs.lib.nixosSystem {{ inherit system; specialArgs = {{ - inherit inputs self sops-nix; + inherit inputs self; }}; modules = commonModules ++ [ ./hosts/{config.hostname} diff --git a/system/default.nix b/system/default.nix index a4d9949..a04e2bb 100644 --- a/system/default.nix +++ b/system/default.nix @@ -10,7 +10,6 @@ ./nix.nix ./root-user.nix ./pki/root-ca.nix - ./sops.nix ./sshd.nix ./vault-secrets.nix ]; diff --git a/system/sops.nix b/system/sops.nix deleted file mode 100644 index 0918117..0000000 --- a/system/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: { - sops = { - defaultSopsFile = ../secrets/secrets.yaml; - age.keyFile = "/var/lib/sops-nix/key.txt"; - age.generateKey = true; - }; -}
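Review bot: The kept hint `Manually remove if no longer needed` now contradicts the commit itself, which states that secrets/ is no longer used by anything and should be removed; after this change the directory is always safe to delete, so the message should say so instead of leaving the decision open, e.g. `console.print(f" No longer read by any module; remove with: [white]rm -rf secrets/{hostname}/[/white]")`. A comment such as `# TODO: drop the secrets_exist branch once secrets/ has been removed from the repo` would also record that this whole branch is transitional. handle_remove starts and ends outside the hunk.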
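Review bot: Removing `./sops.nix` from the imports stops NixOS from managing the age key, but nothing in the commit removes the `/var/lib/sops-nix/key.txt` that the deleted module generated (`age.generateKey = true`) on every host deployed with it, so a private key capable of decrypting the still-present secrets/ files lingers on each machine indefinitely. If a clean cut-over is intended, pair this removal with a one-off cleanup — for example `systemd.tmpfiles.rules = [ "R /var/lib/sops-nix - - - - -" ];` in a system module, or a step in the existing playbooks — and drop it again once the fleet has been upgraded. The deleted system/sops.nix hunk below is where the key path comes from.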