flake: remove sops-nix (no longer used)

All secrets are now managed by OpenBao (Vault). Remove the legacy sops-nix infrastructure that is no longer in use. Removed: - sops-nix flake input - system/sops.nix module - .sops.yaml configuration file - Age key generation from template prepare-host scripts Updated: - flake.nix - removed sops-nix references from all hosts - flake.lock - removed sops-nix input - scripts/create-host/ - removed sops references - CLAUDE.md - removed SOPS documentation Note: secrets/ directory should be manually removed by the user. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 18:46:24 +01:00
parent bdc6057689
commit aedccbd9a0
10 changed files with 20 additions and 130 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -92,9 +92,6 @@ Secrets are managed by OpenBao (Vault) using AppRole authentication. Most hosts
 `vault.secrets` option defined in `system/vault-secrets.nix` to fetch secrets at boot.
 Terraform manages the secrets and AppRole policies in `terraform/vault/`.

-Legacy sops-nix is still present but no longer actively used. Do not edit any
-`.sops.yaml` or any file within `secrets/`. Ask the user to modify if necessary.
-
 ### Git Workflow

 **Important:** Never commit directly to `master` unless the user explicitly asks for it. Always create a feature branch for changes.
@@ -301,7 +298,7 @@ The `current_rev` label contains the git commit hash of the deployed flake confi
  - `default.nix` - Entry point, imports configuration.nix and services
  - `configuration.nix` - Host-specific settings (networking, hardware, users)
 - `/system/` - Shared system-level configurations applied to ALL hosts
-  - Core modules: nix.nix, sshd.nix, sops.nix (legacy), vault-secrets.nix, acme.nix, autoupgrade.nix
+  - Core modules: nix.nix, sshd.nix, vault-secrets.nix, acme.nix, autoupgrade.nix
  - Additional modules: motd.nix (dynamic MOTD), packages.nix (base packages), root-user.nix (root config), homelab-deploy.nix (NATS listener)
  - Monitoring: node-exporter and promtail on every host
 - `/modules/` - Custom NixOS modules
@@ -316,13 +313,11 @@ The `current_rev` label contains the git commit hash of the deployed flake confi
  - `vault/` - OpenBao (Vault) secrets server
  - `actions-runner/` - GitHub Actions runner
  - `http-proxy/`, `postgres/`, `nats/`, `jellyfin/`, etc.
- `/secrets/` - SOPS-encrypted secrets with age encryption (legacy, no longer used)
 - `/common/` - Shared configurations (e.g., VM guest agent)
 - `/docs/` - Documentation and plans
  - `plans/` - Future plans and proposals
  - `plans/completed/` - Completed plans (moved here when done)
 - `/playbooks/` - Ansible playbooks for fleet management
- `/.sops.yaml` - SOPS configuration with age keys (legacy, no longer used)

 ### Configuration Inheritance

@@ -369,7 +364,6 @@ Template hosts:

 - `nixpkgs` - NixOS 25.11 stable (primary)
 - `nixpkgs-unstable` - Unstable channel (available via overlay as `pkgs.unstable.<package>`)
- `sops-nix` - Secrets management (legacy, no longer actively used)
 - `nixos-exporter` - NixOS module for exposing flake revision metrics (used to verify deployments)
 - `homelab-deploy` - NATS-based remote deployment tool for test-tier hosts
 - Custom packages from git.t-juice.club:
@@ -397,10 +391,6 @@ Most hosts use OpenBao (Vault) for secrets:
 - Fallback to cached secrets in `/var/lib/vault/cache/` when Vault is unreachable
 - Provision AppRole credentials: `nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=<host>`

-Legacy SOPS (no longer actively used):
- SOPS with age encryption, keys in `.sops.yaml`
- Files in `/secrets/` are legacy and can be removed
-
 ### Auto-Upgrade System

 All hosts pull updates daily from: