										 |  |  | { | 
					
						
							|  |  |  |   inputs, | 
					
						
							|  |  |  |   lib, | 
					
						
							|  |  |  |   config, | 
					
						
							|  |  |  |   ... | 
					
						
							|  |  |  | }: | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | with lib; | 
					
						
							|  |  |  | let | 
					
						
							|  |  |  |   cfg = config.modules.secrets; | 
					
						
							|  |  |  |   secrets = inputs.secrets; | 
					
						
							|  |  |  | in | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |   options.modules.secrets = { | 
					
						
							|  |  |  |     enable = mkEnableOption "secrets"; | 
					
						
							|  |  |  |     defaultFile = mkOption { | 
					
						
							|  |  |  |       type = types.str; | 
					
						
							|  |  |  |       default = "${secrets}/secrets/common.enc.yaml"; | 
					
						
							|  |  |  |       description = ''
 | 
					
						
							|  |  |  |         The default file to use for SOPS. | 
					
						
							|  |  |  |       '';
 | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     secrets = mkOption { | 
					
						
							|  |  |  |       type = types.attrs; | 
					
						
							|  |  |  |       default = { }; | 
					
						
							|  |  |  |       description = ''
 | 
					
						
							|  |  |  |         All secrets that should be made available. | 
					
						
							|  |  |  |       '';
 | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   config = mkIf cfg.enable { | 
					
						
							|  |  |  |     # Set up SOPS | 
					
						
							| 
									
										
										
										
											2025-05-30 16:08:51 +02:00
										 |  |  |     # TODO: Fix the key not being present in .config/sops before sops-nix runs | 
					
						
							| 
									
										
										
										
											2025-05-30 13:56:50 +02:00
										 |  |  |     sops.defaultSopsFile = cfg.defaultFile; | 
					
						
							| 
									
										
										
										
											2025-05-30 16:08:51 +02:00
										 |  |  |     sops.age.sshKeyPaths = [ | 
					
						
							|  |  |  |       "${config.home.homeDirectory}/.config/sops/sops_ed25519_key" | 
					
						
							|  |  |  |       # "/persist/home/${config.home.username}/.config/sops/sops_ed25519_key" | 
					
						
							|  |  |  |     ]; | 
					
						
							| 
									
										
										
										
											2025-05-30 13:56:50 +02:00
										 |  |  |     sops.secrets = cfg.secrets; | 
					
						
							| 
									
										
										
										
											2025-05-30 15:11:22 +02:00
										 |  |  |     modules.impermanence.directories = [ ".config/sops" ]; | 
					
						
							| 
									
										
										
										
											2025-05-30 13:56:50 +02:00
										 |  |  |   }; | 
					
						
							|  |  |  | } |