From 5addb3821db985e2783ad084e3dbba9275443b51 Mon Sep 17 00:00:00 2001
From: Yorick Barbanneau
Date: Tue, 12 Aug 2025 03:14:55 +0200
Subject: [PATCH 1/2] feat(dav): use pricate input to handle secrets
---
 modules/home-manager/accounts/dav/default.nix | 74 ++++++++-----------
 1 file changed, 31 insertions(+), 43 deletions(-)
diff --git a/modules/home-manager/accounts/dav/default.nix b/modules/home-manager/accounts/dav/default.nix
index 1282443..ddb3f4a 100644
--- a/modules/home-manager/accounts/dav/default.nix
+++ b/modules/home-manager/accounts/dav/default.nix
@@ -1,36 +1,23 @@
-{ lib, config, ... }:
+{ lib, config, inputs, pkgs, ... }:
 with lib;
 let
- cfg = config.modules.accounts.dav;
+ cfg = config.modules.dav;
+ secretsDirectory = "${(builtins.toString inputs.nix-private)}/secrets";
 vdirsyncerConf = {
- enable = true;
- auth = "basic";
- userNameCommand = [
- "cat"
- "${config.sops.secrets."webdav/username".path}"
- ];
+ enable = true;
+ auth = "basic";
 };
 in
 {
- options.modules.accounts.dav = {
+ options.modules.dav = {
 enable = mkEnableOption "enable personal Caldav / CardDav";
 };
 config = mkIf cfg.enable {
-
- ## Manage secrets used in this module
+
 sops = {
 secrets = {
- "webdav/url/caldav" = {
- sopsFile = ../../../../secrets/accounts.yaml;
- };
- "webdav/url/carddav" = {
- sopsFile = ../../../../secrets/accounts.yaml;
- };
- "webdav/username" = {
- sopsFile = ../../../../secrets/accounts.yaml;
- };
- "webdav/password" = {
- sopsFile = ../../../../secrets/accounts.yaml;
+ "${inputs.nix-private.dav.personal.secret.key}" = {
+ sopsFile = "${secretsDirectory}/${inputs.nix-private.dav.personal.secret.file}";
 };
 };
 };
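Review bot: The option path moves from `modules.accounts.dav` to `modules.dav` in the same hunk that adds the `inputs` and `pkgs` module arguments, and the commit message mentions neither; any host configuration that still sets `modules.accounts.dav.enable` will now fail evaluation with an undefined-option error instead of keeping the old behaviour. Consider keeping the old path for a transition with `imports = [ (mkRenamedOptionModule [ "modules" "accounts" "dav" "enable" ] [ "modules" "dav" "enable" ]) ];`, or at least state the rename in the message. The new `secretsDirectory` binding also presumes `inputs` (and `inputs.nix-private`) is passed to home-manager modules as a special argument, which this file cannot guarantee; a short comment above it naming where that argument is wired up would spare the next reader a missing-argument error with no pointer to this module.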
@@ -38,11 +25,15 @@ in
 accounts.calendar.basePath = ".local/share/calendars";
 accounts.calendar.accounts.personal_calendars = {
 name = "personal_calendar";
- remote.type = "caldav";
- remote.passwordCommand = [
- "cat"
- "${config.sops.secrets."webdav/password".path}"
- ];
+ remote = {
+ type = "caldav";
+ url = inputs.nix-private.dav.personal.caldavUrl;
+ userName = inputs.nix-private.dav.personal.userName;
+ passwordCommand = [
+ "${pkgs.coreutils}/bin/cat"
+ "${config.sops.secrets."${inputs.nix-private.dav.personal.secret.key}".path}"
+ ];
+ };
 vdirsyncer = vdirsyncerConf // {
 metadata = [
 "color"
@@ -52,10 +43,6 @@ in
 "VTODO"
 "VEVENT"
 ];
- urlCommand = [
- "cat"
- "${config.sops.secrets."webdav/url/caldav".path}"
- ];
 collections = [
 "from a"
 "from b"
@@ -70,22 +57,23 @@ in
 accounts.contact.basePath = ".local/share/contacts";
 accounts.contact.accounts.personal_contacts = {
- remote.type = "carddav";
- remote.passwordCommand = [
- "cat"
- "${config.sops.secrets."webdav/password".path}"
- ];
- local.type = "filesystem";
- local.fileExt = ".vcf";
+ remote = {
+ type = "carddav";
+ url = inputs.nix-private.dav.personal.carddavUrl;
+ userName = inputs.nix-private.dav.personal.userName;
+ passwordCommand = [
+ "${pkgs.coreutils}/bin/cat"
+ "${config.sops.secrets."${inputs.nix-private.dav.personal.secret.key}".path}"
+ ];
+ };
+ local = {
+ type = "filesystem";
+ fileExt = ".vcf";
+ };
 vdirsyncer = vdirsyncerConf // {
- metadata = [ "displayname" ];
- urlCommand = [
- "cat"
- "${config.sops.secrets."webdav/url/carddav".path}"
- ];
 };
 khal = {
 enable = true;
From 99952316127ffcef4810864dd607862a1d0cc972 Mon Sep 17 00:00:00 2001
From: Yorick Barbanneau
Date: Tue, 12 Aug 2025 03:16:10 +0200
Subject: [PATCH 2/2] chore: remove sops
---
 .sops.yaml | 14 -------------
 secrets/accounts.yaml | 46 -------------------------------------------
 2 files changed, 60 deletions(-)
 delete mode 100644 .sops.yaml
 delete mode 100644 secrets/accounts.yaml
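Review bot: The `url` and `userName` lines in the new `remote = { ... }` block turn the CalDAV endpoint and account name into plain Nix values, whereas before this change they reached vdirsyncer only at runtime through the sops-backed `urlCommand`/`userNameCommand`; only the password still goes through `passwordCommand` and a sops secret. Any value evaluated into a Nix expression is copied to the world-readable Nix store, both as part of the `nix-private` input itself and, as far as I can tell, in the vdirsyncer/khal configuration home-manager generates from these options, so on a multi-user host the server URL and user name are now readable by every local account and are no longer covered by the sops access policy. If treating the private input repository as the trust boundary is intentional, say so next to the block, e.g. `# url/userName are deliberately not secrets: they come from the private flake input and land in the store in clear; only the password is sops-managed`. The same point applies to the matching `url`/`userName` lines in the contacts hunk (`@@ -70,22 +57,23 @@`) and to the `urlCommand` removal in `@@ -52,10 +43,6 @@`.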
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index aa3f5f4..0000000
--- a/.sops.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# This example uses YAML anchors which allows reuse of multiple keys
-# without having to repeat yourself.
-# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
-# for a more complex example.
-keys:
- - &ephase 26D5035DF6B4BE70F2B51B4C178139E02D2ACF00
- - &luci age19kvatn3zpeqh9zy7u8ce0hqe7dyaesxrukewxt8u7pf4cqkj5dfqm5nlwy
-creation_rules:
- - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
- key_groups:
- - age:
- - *luci
- pgp:
- - *ephase
diff --git a/secrets/accounts.yaml b/secrets/accounts.yaml
deleted file mode 100644
index f1d11e4..0000000
--- a/secrets/accounts.yaml
+++ /dev/null
@@ -1,46 +0,0 @@ -webdav: - url: - caldav: ENC[AES256_GCM,data:UMoSLlEhxtJ/80wIQlGaqfu/OI4JXodSLYySwAyJJg==,iv:WTGZ8mq3huVEPMNOBDGdghy994Z5vCzvVDMvp5djnlw=,tag:s34QZVjqvNiQT/P9SVCeUw==,type:str] - carddav: ENC[AES256_GCM,data:oGLZ4c02b4wiYCqhyQzC1NG210BUpSpSqibi7xvtIjHhW/X4wvYU5QPm2VKCrJYpvqIEeiah1TDwvByqLpBz5d8Ucyme,iv:cwaWTvdS5eEGmwm5+n2N31ajzAXPix4woXECUqXtk3E=,tag:jRK3viRDzwd5JmNh6UVt2A==,type:str] - username: ENC[AES256_GCM,data:Z/QVE3Di,iv:pRBgv/K+VzbF5/iaftTDoxZWjvVztPznLJ5LKpKQaoM=,tag:rCw9mLFtzhpp5vO5eVKqvA==,type:str] - password: ENC[AES256_GCM,data:X7hjL2VczjPGKF4n2g==,iv:BwqXZ3h+EIHU+Cvx8gDYhgd2NiBkednUz+ksp40sYas=,tag:ngbtcYsfOxvTTcftBE+lMg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age19kvatn3zpeqh9zy7u8ce0hqe7dyaesxrukewxt8u7pf4cqkj5dfqm5nlwy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRk1KamJ3clA4QTBZT3BL - blZGaVNQb2tWMTkrWUxicm9PdXV6RTJJbXh3ClJJQTJON3BBRGJ4RWg1UnRQNVoy - bFllM0E1djlOUTVRQ1lZc1JEQS9YNXcKLS0tIEhac3FpUVd6TW9pbUMyNlAzbk5P - dGZkOExNbTRuS0NvaDgzUmlFRVNvckEK7PSVxtaDd/3yWIIuAMcX586imRu/On09 - duwFZ5btOY2fxNYgV9sCG7Vr+OGCO8n9OWBS9hLy7MJwAzi/f5l7Fg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-20T16:25:53Z" - mac: ENC[AES256_GCM,data:4vNjXD26LeHv00B4gDumkUzq7Us9HRWv79Wq3iyTeDjKOXw9lluIQIZsDB1aQS90dTNCEvlbZ6pt1oHRqGySpDcKHId6rsUy9qkeLl683haKKilT47ABpGiMd2sY6xL1FQPiXMH4qc7wxh+EuS0N6Y+mgIY9Kn0qP6ion1s/lqs=,iv:JZ5lnJKBXQeKadihHyItueHDO6zULVMLSPmGCe+Qlz4=,tag:+bh08XI2TWov6yQJ1+KtoA==,type:str] - pgp: - - created_at: "2024-06-24T20:12:19Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA9/d8qUtz+3ZAQ/7BoojnrnGgF4TEnFTJMWVy229Cx1knABVot45A1frFWmS - kwIGPGQPlCjGF4tyIOmBy8WpQWBuKffYakCC/OklHCyfnLjsyhcR+MSqDVzqMmy3 - dEThTcGPRCerM1Mu8oWPk0yq5AKzuJagr9+4ITrljsh6tRwA4qmfKxQ6BZhGPQHJ - 3FZwcQHfaDkuag3o5swNKHX//MIZwEDyXJHKgeTUPhENzc0POdjPU5CZN0HBU4ep - 98PJAlAiDKyYSQkg1MfOWvCllyfvhGPzTLEPq5jazqpc7lgNKxJGU5kTnUUi2fKS - 
gCJdqRlMBO/3S8wUZg0gIsw1+OwmfL0y99MeMP1ggGaqFkGs6Pqj7sRd6/QcuP0l - w2QZgB9S6DOUkfy5m5Xw7VboE2aAX4BOrWNJVDy//358322xxuqZdbp3pIjnsmt/ - b2gTZb1eGK/o5GmXfgzCf7In1b3wldg/ZSHyxGct1CJIgNBb1nFDMmyVI9J5zER0 - 2ZTflNfN/cxttW2BvGRoL3fWXnO+ThLHz1q1WWWCOC7TLTnESOtAueSCTlrMcij/ - 7zL7Wc98JgdAuxhznMjiYqY9nZK48jhBCBOdC0uool/FNElcStUaOq1O3HRo5qoi - s277Wqtp0uZqeLBxgNEGwicEDm9BbrVzH9egYGMaPJI6STIJYduJXBegnPf5KFXS - XgHTJyK7u9MrZ58kkiT95455NEqQd27JMqmsGwReX6/LpYs5KJJGT4qGNab8GM5A - VMniFb1GOXIOxSbYgfkgaHc+zK43O5UwBwegOneTC6ak/CQYvD9xQS94FKqwF10= - =7pZ/ - -----END PGP MESSAGE----- - fp: 26D5035DF6B4BE70F2B51B4C178139E02D2ACF00 - unencrypted_suffix: _unencrypted - version: 3.8.1