Switch back to strings for secret files (no copy to nixstore)

config/host-config/limina.nix

@@ -61,7 +61,7 @@ in {
 
       secrets.limina = {
         backplane-client-passwd = {
-          source-file = /srv/secrets/backplane-client/limina.passwd;
+          source-file = "/srv/secrets/backplane-client/limina.passwd";
           target-file = "/srv/backplane/dns/client.passwd";
           user = config.fudo.client.dns.user;
         };

config/host-config/procul.nix

@@ -73,19 +73,19 @@ in {
 
     secrets.procul = {
       backplane-client-passwd = {
-        source-file = /srv/secrets/backplane-client/procul.passwd;
+        source-file = "/srv/secrets/backplane-client/procul.passwd";
         target-file = "/srv/backplane/dns/client.passwd";
         user = config.fudo.client.dns.user;
       };
 
       postgres-keytab = {
-        source-file = /srv/secrets/kerberos/procul-postgres.keytab;
+        source-file = "/srv/secrets/kerberos/procul-postgres.keytab";
         target-file = "/srv/postgres/secure/postgres.keytab";
         user = "root";
       };
 
       gitea-database-password = {
-        source-file = /srv/secrets/gitea/procul-database.passwd;
+        source-file = "/srv/secrets/gitea/procul-database.passwd";
         target-file = "/srv/gitea/secure/database.passwd";
         user = config.fudo.git.user;
       };

lib/fudo/secrets.nix

@@ -57,7 +57,7 @@ let
   secretOpts = { ... }: {
     options = with types; {
       source-file = mkOption {
-        type = path;
+        type = str;
         description = "File from which to load the secret.";
       };