Move sops secrets in the appropriate module

config/services/acme.nix

@@ -19,4 +19,5 @@
     };
   };
   services.nginx.group = "acme";
+  sops.secrets."security/acme/dns" = { };
 }

config/services/chir-rs.nix

@@ -24,4 +24,5 @@
     name = "homepage";
     ensurePermissions = { "DATABASE homepage" = "ALL PRIVILEGES"; };
   }];
+  sops.secrets."services/chir.rs" = { };
 }

config/services/gitea.nix

@@ -77,4 +77,5 @@
     bind = "127.0.0.1";
     databases = 3;
   };
+  sops.secrets."services/gitea.nix" = { };
 }

config/services/minio.nix

@@ -35,4 +35,5 @@ in
       proxyWebsockets = true;
     };
   };
+  sops.secrets."security/minio/credentials_file" = { };
 }

config/services/old-homepage.nix

@@ -38,4 +38,5 @@ in
       proxyPass = "http://127.0.0.1:9000/darkkirb.de/";
     };
   };
+  sops.secrets."services/old-homepage" = { };
 }

config/services/prometheus.nix

@@ -50,4 +50,7 @@
       }
     ];
   };
+  sops.secrets."services/minio_scrape" = {
+    owner = "prometheus";
+  };
 }

config/services/restic.nix

@@ -7,4 +7,5 @@
     ];
     repository = "sftp:darkkirb@backup.int.chir.rs:/backup";
   };
+  sops.secrets."security/restic/password" = { };
 }

config/sops.nix

@@ -2,14 +2,4 @@
 {
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.defaultSopsFile = ../secrets + "/${config.networking.hostName}/secrets.yaml";
-  sops.secrets."network/wireguard/privkey" = { };
-  sops.secrets."security/acme/dns" = { };
-  sops.secrets."security/restic/password" = { };
-  sops.secrets."security/minio/credentials_file" = { };
-  sops.secrets."services/gitea.nix" = { };
-  sops.secrets."services/minio_scrape" = {
-    owner = "prometheus";
-  };
-  sops.secrets."services/old-homepage" = { };
-  sops.secrets."services/chir.rs" = { };
 }

config/wireguard.nix

@@ -27,4 +27,5 @@
     };
   };
   networking.firewall.allowedUDPPorts = [ 51820 ];
+  sops.secrets."network/wireguard/privkey" = { };
 }