From f8d145b495b793bd14654772a2b245c41ce1a9aa Mon Sep 17 00:00:00 2001
From: John Ogle
Date: Sun, 13 Jul 2025 11:08:42 -0700
Subject: [PATCH] [secrets] Remove altogether

I'm standardizing on bitwarden and rbw for secrets. No need to build out a separate secret management system. The complexity of this was just not worth it for my effectively single-user workflows
---
 .goosehints | 1 -
 .sops.yaml | 11 ---------
 flake.lock | 23 +------------------
 flake.nix | 6 -----
 roles/default.nix | 1 -
 roles/secrets/default.nix | 8 -------
 secrets/secrets.yaml | 48 ---------------------------------------
 7 files changed, 1 insertion(+), 97 deletions(-)
 delete mode 100644 .sops.yaml
 delete mode 100644 roles/secrets/default.nix
 delete mode 100644 secrets/secrets.yaml

diff --git a/.goosehints b/.goosehints
index efc2c01..1e28f8b 100644
--- a/.goosehints
+++ b/.goosehints
@@ -7,7 +7,6 @@ This repository hosts modular and reproducible NixOS configurations managed via
 Directory Structure:
 ----------------------
-• secrets/ - Confidential data (passwords, keys, etc.) required for system configuration.
 • packages/ - Custom Nix packages leveraged across various configurations.
 • roles/ - Role-based configurations (e.g., kodi, bluetooth) each with its own module (default.nix) for inclusion in machine setups.
 • machines/ - Machine-specific configurations (e.g., nix-book, z790prors, boxy, wixos) including configuration.nix and hardware-configuration.nix tailored for each hardware.
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index b18b7ea..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-keys:
- - &admin_johno age1ls6a033d4p4u8h4rwazjwt8w4c4xg73wq0mdnm64jajxzcz4k9asvjnks3
- - &host_z790prors age12l5u7sw59u5pkwp83qm8t3ff7uv0ld2c9k3zh5j4ame9k2szcynqu7ftqe
- - &host_nixbook age1fa3zqavfmqk4ssa22yne9td90gyqv9q5a8y0s8jp3xak8q7p3yjqyn7rkg
-creation_rules:
- - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
- key_groups:
- - age:
- - *admin_johno
- - *host_z790prors
- - *host_nixbook
diff --git a/flake.lock b/flake.lock
index 7ab4059..5ffe348 100644
--- a/flake.lock
+++ b/flake.lock
@@ -137,28 +137,7 @@
 "home-manager": "home-manager",
 "nixos-wsl": "nixos-wsl",
 "nixpkgs": "nixpkgs_2",
- "plasma-manager": "plasma-manager",
- "sops-nix": "sops-nix"
- }
- },
- "sops-nix": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1751606940,
- "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
- "owner": "Mic92",
- "repo": "sops-nix",
- "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
- "type": "github"
- },
- "original": {
- "owner": "Mic92",
- "repo": "sops-nix",
- "type": "github"
+ "plasma-manager": "plasma-manager"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 1578c4a..f4c6ed4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,11 +5,6 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nixos-wsl.url = "github:nix-community/NixOS-WSL/main";
- sops-nix = {
- url = "github:Mic92/sops-nix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
 home-manager = {
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -30,7 +25,6 @@ outputs = { self, nixpkgs, nixos-wsl, ... } @ inputs:
 let
 baseModules = [
 ./roles
- inputs.sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.home-manager
 {
 home-manager.useGlobalPkgs = true;
diff --git a/roles/default.nix b/roles/default.nix
index 1932e3a..1f876ed 100644
--- a/roles/default.nix
+++ b/roles/default.nix
@@ -10,7 +10,6 @@ with lib;
 ./kodi
 ./nfs-mounts
 ./printing
- ./secrets
 ./spotifyd
 ./users
 ./virtualisation
diff --git a/roles/secrets/default.nix b/roles/secrets/default.nix
deleted file mode 100644
index c864234..0000000
--- a/roles/secrets/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, lib, pkgs, inputs, ... }:
-
- {
- sops.defaultSopsFile = ../../secrets/secrets.yaml;
- sops.defaultSopsFormat = "yaml";
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" "/home/johno/.ssh/id_ed25519" ];
- sops.secrets.example_key = {};
-}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
deleted file mode 100644
index 4dcef72..0000000
--- a/secrets/secrets.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-hello: ENC[AES256_GCM,data:5ZpbPx3D8gQc1fOhViUqiCr0zLWYotB+vIBixqTbqP9XLS52y6tr5DXus0aV9mTgka5deqc=,iv:yPJaCqDD9WD56swfBjSm7A62ZTTIQDqyAKOgP1ese+U=,tag:bo8+7Ne2f9aEZSvpkt1fzA==,type:str]
-example_key: ENC[AES256_GCM,data:v15bEcb0H3vaj13blg==,iv:9P3IA7ChBamo41VE8G8tj46sZqeijsO1LcvwLtEPVPA=,tag:o/lAyAYYGNLP9EjQNa/K8Q==,type:str]
-example_array:
- - ENC[AES256_GCM,data:3Vwa7dfNfKzRc/xpk6I=,iv:IevBgxwWdaBvZY1ywteWcfWwDIA8lK3FTWs67lLBKxw=,tag:Mx5lzUeNZ/3wJBWAl5XSBw==,type:str]
- - ENC[AES256_GCM,data:epkT6WPGW5Oe/S+4HtU=,iv:N0yoDuieAaEi+NuCoCL4zrkhaDDdkttboI89m+UccjQ=,tag:OoERRByb0OM4un9oGLJQgA==,type:str]
-#ENC[AES256_GCM,data:YzMFXxn3sbbHpGB4jPRtRw==,iv:TN6ogQuH7c6xtDoWt0Ew9B2f7wuaipJynvscZmaJYoU=,tag:No0UwEktEyMNBg/46P+Zmg==,type:comment]
-example_number: ENC[AES256_GCM,data:jmLoVC+8YIlB2A==,iv:u9GztD/aE9UN5zWq3Am2nhYwmYt3sf8sy65MHbhVoD0=,tag:wKuf1mMr5XBJveJrz0uHPA==,type:float]
-example_booleans:
- - ENC[AES256_GCM,data:ZacILA==,iv:xo+7aFFQXzbJzKDY0mYTeFLf10AlnHkywDRAMHeprEM=,tag:F/OnJdqjrZP02sTLWLmnbg==,type:bool]
- - ENC[AES256_GCM,data:NaFrvrs=,iv:kKDmGs9u/w5qrZ/379Jlx8AotUVADvH+eHwHCqykmkE=,tag:nD9TsmkXUm4ABaT1ABWmcg==,type:bool]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1ls6a033d4p4u8h4rwazjwt8w4c4xg73wq0mdnm64jajxzcz4k9asvjnks3
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjak9vRVJtVmJoanhEZ0hQ
- MFJwMEE4UDcrRkdPRmZ6R09FSDY1aTk3Y1dNClZJYXRLNU5senR3Qzh6VmZGMlhu
- bnl6VjlaUEFISnBtSTVrcEd0ZjI5Q2MKLS0tIFl1b3A5ZWVqc1gvWVZnZis0ZHFk
- bWhnNVB2TUJ4YzY4NHdSVXhPc3dReTgKWRYBbBE3+oGsRNw1CROhFY+btENbShfv
- gw3IdW7OoZV6JpJBOcI82eOuOkIxrmgSGDGeyy10/a5MA/cB1umm+w==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age12l5u7sw59u5pkwp83qm8t3ff7uv0ld2c9k3zh5j4ame9k2szcynqu7ftqe
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcmV3TDlNL2Zxb0h5QTYx
- QkVmczA0MDc2ZnpNNU1YeFVzSXJwc3RWUmk4CjF4bHIrVU9VM3htTUxGZ2FUR256
- UEovdVV2cmNIbkloS1VobTNFSDVyRG8KLS0tIEFhUk5kL3hCNGs4MGJBTmNJaVFm
- b2ZBUGJ1K0lKTitKYTRUMWszQzhBU0UKBaM6t6JmWfiG+wPorGea1gqvV5RSIPyw
- 6yb2PcH2oZ0HrjJM5sjfu7XOWY3KneiZZikR1BpD5KvevfagWTSR/w==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1fa3zqavfmqk4ssa22yne9td90gyqv9q5a8y0s8jp3xak8q7p3yjqyn7rkg
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMFJiNjVOb0lTcmJ3VnhH
- WlRKZERRZFM3TFZBZGNSZC9GdHlHakMza21zClJ3SDdFUkVRc3oyVVU3WEtDQzBu
- OEFqS3NwbHZFUlpCYlN6RW84N0F1amcKLS0tIHFZK21aTHdwZ2dWbVRrWEZDWFZj
- aU1IQzdTMVhnbHhsNENwMG05dXhOU2MK8fEJea9sL5JLgltVlTI6mRDb+Tl83Iz7
- 4wPYvo68cn8vimXqSk45ldHRrNa3zhYai3CalQaGtDT3fkWGvSq0zQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-28T15:44:39Z"
- mac: ENC[AES256_GCM,data:YUi+AbS6DQTmrSyOXsbkZWfWaMyKGR8fYm/MHcxmqChi8hng+UWHBZjsLBe6ef/FLH3rnP6bhfwK8KYnVS6fHvHahoqIq/BHydTsqrclnSgRAGl8Lh0yuhwISNRvP1AuW5pd50sdQaS0uGOtzOCharI/pZ9H+cmt2SB5WOCdeLs=,iv:2nBG6it3tNSLSia8hGzCcesuK9QwzB9EzfjWegjQ2kw=,tag:RGGPAPw/rQKhWA2OqLjTJw==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.9.0