Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/exim-smarthost.nix4
-rw-r--r--krebs/3modules/fetchWallpaper.nix2
-rw-r--r--krebs/3modules/github/hosts-sync.nix2
-rw-r--r--krebs/3modules/iptables.nix2
-rw-r--r--krebs/3modules/power-action.nix6
-rw-r--r--krebs/3modules/repo-sync.nix2
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix4
-rw-r--r--krebs/3modules/ssh.nix23
-rw-r--r--krebs/3modules/tinc.nix4
-rw-r--r--krebs/3modules/zones.nix19
10 files changed, 32 insertions, 36 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 093ae2030..4e42ce72e 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -20,14 +20,14 @@ let
};
dkim = mkOption {
- type = types.listOf (types.submodule ({ config, ... }: {
+ type = types.listOf (types.submodule (dkim: {
options = {
domain = mkOption {
type = types.str;
};
private_key = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/${config.domain}.dkim.priv";
+ default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv";
defaultText = "‹secrets/‹domain›.dkim.priv›";
};
selector = mkOption {
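Review bot: The new `private_key` default interpolates `config.krebs.secret.directory` directly and so loses the `toString` guard that the old `toString <secrets>` form had. If that option can ever hold a Nix path value rather than a string, `"${...}"` copies the whole secrets directory into the world-readable store. The option's declaration is not part of this diff, so either confirm it is a string-only type or keep the guard: `default = toString config.krebs.secret.directory + "/${dkim.config.domain}.dkim.priv";`. The same pattern is introduced in the github/hosts-sync.nix, repo-sync.nix, retiolum-bootstrap.nix and tinc.nix hunks. The untouched `defaultText` lines still read `‹secrets/…›`, which no longer names where the default comes from. The submodule body continues outside this hunk.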
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 79187adfa..0d67120fd 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -40,7 +40,7 @@ let
};
};
- fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
+ fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" ''
set -euf
mkdir -p ${cfg.stateDir}
diff --git a/krebs/3modules/github/hosts-sync.nix b/krebs/3modules/github/hosts-sync.nix
index 6f9aee0ce..2f373f9bc 100644
--- a/krebs/3modules/github/hosts-sync.nix
+++ b/krebs/3modules/github/hosts-sync.nix
@@ -22,7 +22,7 @@ let
};
ssh-identity-file = mkOption {
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
- default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
+ default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519";
defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›";
};
url = mkOption {
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index c1c5b68c8..32a5273a5 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -177,7 +177,7 @@ let
${buildTables iptables-version cfg.tables}
'';
- startScript = pkgs.writeDash "krebs-iptables_start" ''
+ startScript = pkgs.writers.writeDash "krebs-iptables_start" ''
set -euf
iptables-restore < ${rules "v4"}
ip6tables-restore < ${rules "v6"}
diff --git a/krebs/3modules/power-action.nix b/krebs/3modules/power-action.nix
index 71e2b541a..a9ed24d3f 100644
--- a/krebs/3modules/power-action.nix
+++ b/krebs/3modules/power-action.nix
@@ -60,7 +60,7 @@ let
};
};
- startScript = pkgs.writeDash "power-action" ''
+ startScript = pkgs.writers.writeDash "power-action" ''
set -euf
power="$(${powerlvl})"
@@ -77,11 +77,11 @@ let
writeRule = _: plan:
"if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
- powerlvl = pkgs.writeDash "powerlvl" ''
+ powerlvl = pkgs.writers.writeDash "powerlvl" ''
cat /sys/class/power_supply/${cfg.battery}/capacity
'';
- state = pkgs.writeDash "state" ''
+ state = pkgs.writers.writeDash "state" ''
if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ]
then echo "false"
else echo "true"
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index a6de3f3f6..5208d91ae 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -123,7 +123,7 @@ let
privateKeyFile = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/repo-sync.ssh.key";
+ default = "${config.krebs.secret.directory}/repo-sync.ssh.key";
defaultText = "‹secrets/repo-sync.ssh.key›";
};
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index c9ea8a619..bd7e7c5f6 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -14,12 +14,12 @@ in
sslCertificate = mkOption {
type = types.str;
description = "Certificate file to use for ssl";
- default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
+ default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;
};
sslCertificateKey = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
- default = "${toString <secrets>}/tinc.krebsco.de.key";
+ default = "${config.krebs.secret.directory}/tinc.krebsco.de.key";
};
# in use:
# <secrets/tinc.krebsco.de.crt>
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
index 58f3a3c10..aba825c29 100644
--- a/krebs/3modules/ssh.nix
+++ b/krebs/3modules/ssh.nix
@@ -4,32 +4,9 @@ let
cfg = config.krebs;
out = {
- options.krebs = api;
config = lib.mkIf cfg.enable imp;
};
- api = {
- zone-head-config = mkOption {
- type = with types; attrsOf str;
- description = ''
- The zone configuration head which is being used to create the
- zone files. The string for each key is pre-pended to the zone file.
- '';
- # TODO: configure the default somewhere else,
- # maybe use krebs.dns.providers
- default = {
-
- # github.io -> 192.30.252.154
- "krebsco.de" = ''
- $TTL 86400
- @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
- IN NS ns19.ovh.net.
- IN NS dns19.ovh.net.
- '';
- };
- };
- };
-
imp = lib.mkMerge [
{
services.openssh.hostKeys =
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 2f9efad46..9df368cfb 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
privkey = mkOption {
type = types.absolute-pathname;
- default = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
+ default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv";
defaultText = "‹secrets/‹netname›.rsa_key.priv›";
};
@@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
default =
if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null
then null
- else toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv";
+ else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv";
defaultText = "‹secrets/‹netname›.ed25519_key.priv›";
};
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index 7771d3b51..e68482d77 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -1,6 +1,25 @@
{ config, pkgs, lib, ... }:
with lib; {
+ options.krebs.zone-head-config = mkOption {
+ type = lib.types.attrsOf lib.types.str;
+ description = ''
+ The zone configuration head which is being used to create the
+ zone files. The string for each key is pre-pended to the zone file.
+ '';
+ default = {
+ "krebsco.de" = /* bindzone */ ''
+ $TTL 60
+ @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
+ @ 3600 IN NS ns1
+ @ 3600 IN NS ni
+ @ 3600 IN NS ns2.he.net.
+ @ 3600 IN NS ns3.he.net.
+ @ 3600 IN NS ns2.hosting.de.
+ '';
+ };
+ };
+
config = {
environment.etc =
mapAttrs'
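Review bot: The SOA record in the new `"krebsco.de"` default hard-codes the serial as `0`, where the removed ssh.nix default carried `2015052000`. Secondaries decide whether to re-transfer a zone by comparing serials, so unless the serial is rewritten when the zone file is generated (not visible in this hunk), the `ns2.he.net.`, `ns3.he.net.` and `ns2.hosting.de.` servers listed here may keep serving stale records after a change. If it is substituted later, say so next to the record, e.g. `# serial 0 is a placeholder; the real serial is set at zone generation`. Otherwise derive it from something that increases monotonically. The `config` block that consumes this option continues outside the hunk.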