rename secrets

machines/109-199-104-83/configuration.nix

@@ -4,10 +4,6 @@
   machine,
   ...
 }: {
-  imports = [
-    ./impermanence.nix
-    (modulesPath + "/profiles/qemu-guest.nix")
-  ];
   # roundcube config
   services.roundcube = {
     enable = true;
@@ -29,7 +25,7 @@
     x509.useACMEHost = config.mailserver.fqdn;
     loginAccounts = {
       "test@${config.networking.domain}" = {
-        hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
+        hashedPasswordFile = builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
       };
     };
   };
@@ -50,12 +46,8 @@
   # system config
   system.stateVersion = "25.11";
   nix.settings.experimental-features = ["flakes" "nix-command"];
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
   fileSystems."/" = {
-    device = "none";
-    fsType = "tmpfs";
-    options = ["defaults" "size=60%" "mode=755"];
-  };
-  fileSystems."/nix" = {
     device = "/dev/sda1";
     fsType = "ext4";
   };

machines/109-199-104-83/impermanence.nix

@@ -1,30 +0,0 @@
-{
-  environment.persistence."/nix/persist" = {
-    enable = true;
-    hideMounts = true;
-    directories = [
-      # logs
-      "/var/log"
-      "/var/lib/systemd/coredump"
-
-      # users
-      "/var/lib/nixos"
-
-      # private ssh keys
-      "/etc/ssh"
-
-      # mailserver
-      "/var/vmail"
-      "/var/dkim"
-      "/var/lib/dovecot"
-      "/var/lib/postfix"
-      "/var/lib/postgresql"
-      "/var/lib/redis-rspamd"
-      "/var/lib/roundcube"
-      "/var/lib/secrets"
-    ];
-    files = [
-      "/etc/machine-id"
-    ];
-  };
-}

machines/lenovo/configuration.nix

@@ -9,10 +9,6 @@
     ./impermanence.nix
     (modulesPath + "/installer/scan/not-detected.nix")
   ];
-  age.secrets = {
-    secret0.file = ../../secrets/secret0.age;
-    secret1.file = ../../secrets/secret1.age;
-  };
   boot.loader = {
     efi.canTouchEfiVariables = true;
     systemd-boot.enable = true;

pub-keys.nix

@@ -1,9 +1,8 @@
 {
   age.secrets = {
-    secret0.file = ./secrets/secret0.age;
+    andromeda-pw.file = ./secrets/andromeda-pw.age;
-    secret1.file = ./secrets/secret1.age;
+    mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
-    secret2.file = ./secrets/secret2.age;
+    mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
-    secret3.file = ./secrets/secret3.age;
   };
   pub-keys = {
     ssh = {

secrets/secrets.nix

@@ -4,8 +4,7 @@ let
   lenovo = pub-keys.ssh.lenovo;
   _109-199-104-83 = pub-keys.ssh._109-199-104-83;
 in {
-  "secret0.age".publicKeys = [andromeda lenovo];
+  "andromeda-pw.age".publicKeys = [andromeda lenovo];
-  "secret1.age".publicKeys = [andromeda lenovo];
+  "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
-  "secret2.age".publicKeys = [andromeda lenovo _109-199-104-83];
+  "mailserver-acc-test-pw.age".publicKeys = [andromeda lenovo _109-199-104-83];
-  "secret3.age".publicKeys = [andromeda lenovo _109-199-104-83];
 }

users.nix

@@ -13,7 +13,7 @@ in {
       "andromeda" = {
         isNormalUser = true;
         description = "andromeda";
-        hashedPasswordFile = builtins.toString config.age.secrets.secret0.path;
+        hashedPasswordFile = builtins.toString config.age.secrets.andromeda-pw.path;
         extraGroups = [
           "networkmanager"
           "wheel"
@@ -22,7 +22,7 @@ in {
       "mtgmonkey" = {
         isNormalUser = true;
         description = "mtgmonkey";
-        hashedPasswordFile = builtins.toString config.age.secrets.secret1.path;
+        hashedPasswordFile = builtins.toString config.age.secrets.mtgmonkey-pw.path;
         extraGroups = [
           (lib.mkIf
             (machine == machines.lenovo)