Added a module for SOPS

2025-05-30 13:56:50 +02:00 · 2025-05-30 13:56:50 +02:00 · d53e395d42
commit d53e395d42
parent cb39f82a48
4 changed files with 85 additions and 2 deletions
--- a/modules/home/utilities/secrets.nix
+++ b/modules/home/utilities/secrets.nix
@ -0,0 +1,39 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.secrets;
+  secrets = inputs.secrets;
+in
+{
+  options.modules.secrets = {
+    enable = mkEnableOption "secrets";
+    defaultFile = mkOption {
+      type = types.str;
+      default = "${secrets}/secrets/common.enc.yaml";
+      description = ''
+        The default file to use for SOPS.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        All secrets that should be made available.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Set up SOPS
+    sops.defaultSopsFile = cfg.defaultFile;
+    sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.config/sops/sops_ed25519_key" ];
+    sops.secrets = cfg.secrets;
+    modules.impermanence.directories = [ ".config/" ];
+  };
+}
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@ -0,0 +1,39 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+with lib;
+let
+  cfg = config.modules.secrets;
+  secrets = inputs.secrets;
+in
+{
+  options.modules.secrets = {
+    enable = mkEnableOption "secrets";
+    defaultFile = mkOption {
+      type = types.str;
+      default = "${secrets}/secrets/common.enc.yaml";
+      description = ''
+        The default file to use for SOPS.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        All secrets that should be made available.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Set up SOPS
+    sops.defaultSopsFile = cfg.defaultFile;
+    sops.age.sshKeyPaths = [ "/etc/sops/sops_ed25519_key" ];
+    sops.secrets = cfg.secrets;
+    modules.impermanence.directories = [ "/etc/sops" ];
+  };
+}
--- a/profiles/nixos/base.nix
+++ b/profiles/nixos/base.nix
@ -1,5 +1,4 @@
 {
-  mkModule,
  pkgs,
  lib,
  config,
--- a/profiles/nixos/vm.nix
+++ b/profiles/nixos/vm.nix
@ -1,5 +1,4 @@
 {
-  mkModule,
  pkgs,
  lib,
  config,
@ -30,6 +29,13 @@ in
          zfs rollback -r tank/root@blank
        '';
      };
+      secrets = {
+        enable = true;
+        secrets = {
+          "ssh-keys/deploy/private-key" = { };
+          "ssh-keys/deploy/public-key" = { };
+        };
+      };
      ssh.enable = true;
    };