44 lines
928 B
Nix
44 lines
928 B
Nix
{
|
|
inputs,
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.modules.secrets;
|
|
secrets = inputs.secrets;
|
|
in
|
|
{
|
|
options.modules.secrets = {
|
|
enable = mkEnableOption "secrets";
|
|
defaultFile = mkOption {
|
|
type = types.str;
|
|
default = "${secrets}/secrets/common.enc.yaml";
|
|
description = ''
|
|
The default file to use for SOPS.
|
|
'';
|
|
};
|
|
secrets = mkOption {
|
|
type = types.attrs;
|
|
default = { };
|
|
description = ''
|
|
All secrets that should be made available.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
# Set up SOPS
|
|
# TODO: Fix the key not being present in /etc/sops before sops-nix runs
|
|
sops.defaultSopsFile = cfg.defaultFile;
|
|
sops.age.sshKeyPaths = [
|
|
"/etc/sops/sops_ed25519_key"
|
|
"/persist/system/etc/sops/sops_ed25519_key"
|
|
];
|
|
sops.secrets = cfg.secrets;
|
|
modules.impermanence.directories = [ "/etc/sops" ];
|
|
};
|
|
}
|