ctucx.git: nixfiles

ctucx' nixfiles

commit 547d7d0dce2ad2a76c80460bb243279073a6f596
parent 84c8a47d85268cb74942b487d0a219ab2f138b49
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 11 Mar 2025 22:50:39 +0100

secrets: rename `global` -> `allNodes`, camelCase for certs
16 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/configurations/nixos/configure/smarthome/mqtt-webui/default.nix b/configurations/nixos/configure/smarthome/mqtt-webui/default.nix
@@ -11,7 +11,7 @@
       forceSSL    = true;
       kTLS        = true;
       extraConfig = ''
-        ssl_client_certificate ${../../../../../secrets/certs/root_ca.crt};
+        ssl_client_certificate ${../../../../../secrets/certs/rootCA.crt};
         ssl_verify_client on;
       '';
 
diff --git a/configurations/nixos/configure/smarthome/zigbee2mqtt.nix b/configurations/nixos/configure/smarthome/zigbee2mqtt.nix
@@ -33,7 +33,7 @@
         forceSSL    = true;
         kTLS        = true;
         extraConfig = ''
-          ssl_client_certificate ${../../../../secrets/certs/root_ca.crt};
+          ssl_client_certificate ${../../../../secrets/certs/rootCA.crt};
           ssl_verify_client on;
         '';
         locations."/" = {
diff --git a/configurations/nixos/default.nix b/configurations/nixos/default.nix
@@ -20,7 +20,7 @@ in {
   i18n.defaultLocale    = "en_US.UTF-8";
   i18n.supportedLocales = [ "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8" ];
 
-  age.secrets.katjaPassword.file = secrets.global.passwords.katja;
+  age.secrets.katjaPassword.file = secrets.allNodes.passwords.katja;
   age.secrets.acmeTSIGKey.file   = secrets."${config.networking.hostName}".acmeTSigKey;
 
   system = {
diff --git a/configurations/nixos/services/ca/default.nix b/configurations/nixos/services/ca/default.nix
@@ -24,8 +24,8 @@
     settings = {
       insecureAddress   = "[::1]:9001";
       logger.format     = "text";
-      root              = ../../../../secrets/certs/root_ca.crt;
-      crt               = ../../../../secrets/certs/intermediate_ca.crt;
+      root              = ../../../../secrets/certs/rootCA.crt;
+      crt               = ../../../../secrets/certs/intermediateCA.crt;
       key               = "yubikey:slot-id=83";
       kms.type          = "yubikey";
       kms.pin           = "123456";
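Review bot: The context line `kms.pin = "123456";` at the end of this hunk keeps the YubiKey PIN for the CA signing key as a literal in the Nix expression, so it is readable in this repository and, once evaluated, in the world-readable Nix store. The value also matches the YubiKey factory-default PIV PIN, so the PIN should be changed on the token and then supplied as a runtime secret in the same way as the other agenix-managed values. If the step-ca release in use accepts a `pin-source` attribute in the `yubikey:` URI, that could look like `key = "yubikey:slot-id=83?pin-source=${config.age.secrets.<PLACEHOLDER_PIN_SECRET>.path}";` with `kms.pin` dropped; the secret name is a placeholder and `config` is assumed to be in scope. The `settings` attribute set starts and ends outside this hunk, so other consumers of the PIN are not visible here.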

@@ -40,7 +40,7 @@
       tls.renegotiation = false;
       authority         = {
         provisioners = let
-          adminCA = ctucxLib.toBase64 (builtins.readFile ../../../../secrets/certs/admin_ca.crt);
+          adminCA = ctucxLib.toBase64 (builtins.readFile ../../../../secrets/certs/adminCA.crt);
         in [
           {
             type  = "X5C";
diff --git a/configurations/nixos/services/syncthingNginx.nix b/configurations/nixos/services/syncthingNginx.nix
@@ -20,7 +20,7 @@
     forceSSL    = true;
     kTLS        = true;
     extraConfig = ''
-      ssl_client_certificate ${../../../secrets/certs/root_ca.crt};
+      ssl_client_certificate ${../../../secrets/certs/rootCA.crt};
       ssl_verify_client on;
     '';
     locations."/" = {
diff --git a/machines/briefkasten/default.nix b/machines/briefkasten/default.nix
@@ -44,8 +44,8 @@
       ctucxConfig.homeManager.programs.ocrmypdf
     ];
 
-    age.secrets.restic-server-briefkasten.file = secrets.resticServer.briefkasten;
-    age.secrets.restic-server-wanderduene.file = secrets.resticServer.wanderduene;
+    age.secrets.resticServerBriefkasten.file = secrets.allNodes.resticServer.briefkasten;
+    age.secrets.resticServerWanderduene.file = secrets.allNodes.resticServer.wanderduene;
 
     dns.zones."ctu.cx".subdomains = {
       briefkasten.AAAA        = [ node.ip6Address ];
diff --git a/machines/hector/default.nix b/machines/hector/default.nix
@@ -58,8 +58,8 @@
 
     dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = dnsNix.combinators.host node.ip4Address node.ip6Address;
 
-    age.secrets.restic-server-briefkasten.file = secrets.resticServer.briefkasten;
-    age.secrets.restic-server-wanderduene.file = secrets.resticServer.wanderduene;
+    age.secrets.resticServerBriefkasten.file = secrets.allNodes.resticServer.briefkasten;
+    age.secrets.resticServerWanderduene.file = secrets.allNodes.resticServer.wanderduene;
 
     boot.initrd.network = {
       enable = true;
diff --git a/machines/trabbi/default.nix b/machines/trabbi/default.nix
@@ -29,8 +29,8 @@
 
     dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (dnsNix.combinators.host node.ip4Address node.ip6Address);
 
-    age.secrets.restic-server-briefkasten.file = secrets.resticServer.briefkasten;
-    age.secrets.restic-server-wanderduene.file = secrets.resticServer.wanderduene;
+    age.secrets.resticServerBriefkasten.file = secrets.allNodes.resticServer.briefkasten;
+    age.secrets.resticServerWanderduene.file = secrets.allNodes.resticServer.wanderduene;
 
     boot.initrd.network = {
       enable = true;
diff --git a/modules/nixos/restic-backups.nix b/modules/nixos/restic-backups.nix
@@ -100,11 +100,11 @@ in {
                 cp ${backup.passwordFile} /tmp/passwordFile;
 
                 ${if builtins.elem "briefkasten.ctu.cx" backup.targets then ''
-                  cp /run/agenix/restic-server-briefkasten /tmp/briefkasten.ctu.cx;
+                  cp /run/agenix/resticServerBriefkasten /tmp/briefkasten.ctu.cx;
                 '' else "" }
 
                 ${if builtins.elem "wanderduene.ctu.cx" backup.targets then ''
-                  cp /run/agenix/restic-server-wanderduene /tmp/wanderduene.ctu.cx;
+                  cp /run/agenix/resticServerWanderduene /tmp/wanderduene.ctu.cx;
                 '' else "" }
 
                 chown -R ${backup.user} /tmp
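Review bot: The two `cp /run/agenix/resticServer…` lines hard-code the agenix runtime path, so the script only works while each machine's `age.secrets` attribute name matches this string, and a mismatch shows up at backup time, not at evaluation. Referencing the option would make a missed rename fail the build, e.g. `cp ${config.age.secrets.resticServerBriefkasten.path} /tmp/briefkasten.ctu.cx;` and the same for `resticServerWanderduene`, assuming `config` is in scope in this module. The context lines also copy the password files into `/tmp` and run `chown -R ${backup.user} /tmp`. Whether that `/tmp` is private to the unit is decided outside this hunk; if it is the shared one, the copies should go into a dedicated directory with mode 0700.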
diff --git a/secrets/global/passwords/katja.age b/secrets/allNodes/passwords/katja.age
diff --git a/secrets/global/passwords/leah-at-f2k1-de.age b/secrets/allNodes/passwords/leah-at-f2k1-de.age
diff --git a/secrets/resticServer/briefkasten.age b/secrets/allNodes/resticServer/briefkasten.age
diff --git a/secrets/resticServer/wanderduene.age b/secrets/allNodes/resticServer/wanderduene.age
diff --git a/secrets/certs/admin_ca.crt b/secrets/certs/adminCA.crt
diff --git a/secrets/certs/intermediate_ca.crt b/secrets/certs/intermediateCA.crt
diff --git a/secrets/certs/root_ca.crt b/secrets/certs/rootCA.crt