path: root/modules/secrets/default.nix
Diffstat (limited to '')
-rw-r--r--modules/secrets/default.nix29
1 files changed, 29 insertions, 0 deletions
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..296f5fc
--- /dev/null
+++ b/modules/secrets/default.nix
@@ -0,0 +1,29 @@
+{ config, inputs, lib, options, ... }:
+with builtins;
+with lib;
+let
+  secretsDir = "${toString ../../hosts}/${config.networking.hostName}/secrets";
+  secretsFile = "${secretsDir}/secrets.nix";
+in {
+  imports = [ inputs.agenix.nixosModules.age ];
+
+  config.age = {
+    secrets = let
+      toName = lib.removeSuffix ".age";
+      userExists = u: builtins.hasAttr u config.users.users;
+      # Only set the user if it exists, to avoid warnings
+      userIfExists = u: if userExists u then u else "root";
+      toSecret = name:
+        { owner ? "root", ... }: {
+          file = "${secretsDir}/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+    in if pathExists secretsFile then
+      mapAttrs' (n: v: nameValuePair (toName n) (toSecret n v))
+      (import secretsFile)
+    else
+      { };
+    identityPaths = options.age.identityPaths.default ++ (filter pathExists
+      [ "${config.users.users.fcuny.home}/.ssh/id_ed25519" ]);
+  };
+}