Use pass for secrets management

Fixes #4

lib/krops.nix

@@ -17,6 +17,10 @@ let
       };
       config.file = toString ../.;
       nixos-config.symlink = "config/machines/${hostname}/configuration.nix";
+      secrets.pass = {
+        dir = toString ~/.password-store;
+        name = "nixos/machines/${hostname}";
+      };
     } // extraSources)
   ];
 in

machines/nunotaba/krops.nix

@@ -1,3 +1,3 @@
-import ../../lib/krops.nix {
+import ../../lib/krops.nix rec {
   hostname = "nunotaba";
 }

machines/sayuri/hardware-configuration.nix

@@ -40,7 +40,7 @@
         label = "data";
         enable = true;
         blkDev = "/dev/disk/by-uuid/576088d4-9aae-4159-a028-feadb2621a1a";
-        keyFile = "/mnt-root" + toString ./secrets/data_luks_key;
+        keyFile = "/mnt-root" + toString <secrets/luks-data>;
       };
     };
   };

modules/restic.nix

@@ -69,8 +69,8 @@ in
 
   config = lib.mkIf cfg.enable {
     services.restic.backups."${name}" = {
-      passwordFile = toString (../secrets/restic_password);
-      s3CredentialsFile = toString ../secrets/s3_credentials;
+      passwordFile = toString <secrets/restic-password>;
+      s3CredentialsFile = toString <secrets/restic-s3>;
       repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
       paths = lib.mkDefault (
         [ ]

modules/wireguard/home.nix

@@ -14,7 +14,7 @@ in
       privateKeyFile = lib.mkOption {
         type = lib.types.str;
         description = "Private key file";
-        default = toString (../../machines/. + "/${config.networking.hostName}" + /secrets/wg-home_private_key);
+        default = toString <secrets/wg-home-private-key>;
       };
     };
   };