path: root/modules/secrets/default.nix
blob: 2d8998adde27687601dcf4b4e233813578bc90fe (plain) (blame)
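{ config, inputs, lib, options, ... }:
# Per-host agenix secrets.
#
# Each host declares its secrets in hosts/<hostName>/secrets/secrets.nix,
# an attribute set keyed by the encrypted file name (e.g. "foo.age") and
# stored next to the encrypted files themselves. This module turns that
# set into `age.secrets` entries; a host without a secrets.nix gets none.
with builtins;
with lib;
let
  # Directory holding this host's encrypted secrets, resolved from the
  # repository checkout at evaluation time.
  secretsDir = "${toString ../../hosts}/${config.networking.hostName}/secrets";
  # Per-host metadata (owner/group/mode/path) for each encrypted file.
  secretsFile = "${secretsDir}/secrets.nix";
in
{
  imports = [ inputs.agenix.nixosModules.age ];

  config.age = {
    secrets =
      let
        # "foo.age" -> "foo": the key the secret is exposed under.
        toName = lib.removeSuffix ".age";
        userExists = u: builtins.hasAttr u config.users.users;
        groupExists = g: builtins.hasAttr g config.users.groups;

        # Only set the user and/or group if they exist, to avoid
        # warnings. If they don't exist, we default to root.
        # This fails closed: a misspelled owner/group in secrets.nix yields
        # a root-owned secret, so the consuming service fails to read it
        # rather than the file becoming readable by an unintended account.
        userIfExists = u: if userExists u then u else "root";
        groupIfExists = g: if groupExists g then g else "root";

        # Build one `age.secrets.<name>` entry from the metadata in
        # secrets.nix. Only the keys actually present are forwarded, so
        # agenix's own defaults apply otherwise. `mode` is forwarded
        # verbatim (keep it restrictive in secrets.nix); owner/group use
        # mkDefault so a host module can still override them.
        toSecret = name: attrs:
          {
            file = "${secretsDir}/${name}";
          } // lib.optionalAttrs (attrs ? owner) {
            owner = lib.mkDefault (userIfExists attrs.owner);
          } // lib.optionalAttrs (attrs ? group) {
            group = lib.mkDefault (groupIfExists attrs.group);
          } // lib.optionalAttrs (attrs ? mode) {
            inherit (attrs) mode;
          } // lib.optionalAttrs (attrs ? path) {
            inherit (attrs) path;
          };
      in
      if pathExists secretsFile then
        mapAttrs' (n: v: nameValuePair (toName n) (toSecret n v))
          (import secretsFile)
      else
        { };

    # Decryption identities: agenix's defaults plus fcuny's ed25519 key,
    # but only on hosts that actually define that user (previously a host
    # without `users.users.fcuny` failed to evaluate here). The pathExists
    # check runs at evaluation time on the evaluating machine, not on the
    # target, and under pure/restricted evaluation it may yield false or
    # be refused depending on the Nix version -- so the extra identity is
    # effectively only picked up when evaluating on the host itself.
    identityPaths = options.age.identityPaths.default ++ (filter pathExists
      (optional (config.users.users ? fcuny)
        "${config.users.users.fcuny.home}/.ssh/id_ed25519"));
  };
}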