diff options
| author | Mike Vink <mike1994vink@gmail.com> | 2023-10-18 01:18:26 +0200 |
|---|---|---|
| committer | Mike Vink <mike1994vink@gmail.com> | 2023-10-18 01:18:26 +0200 |
| commit | b3c19a2e167ec01a74c691aed0b469bccc4da73f (patch) | |
| tree | da9e947ad4b66c68a073a20aa2ea01ea1d51a21b /profiles/core/secrets.nix | |
| parent | 7a2c06b3ebbc39fd8829a8e28c4640c9bf102667 (diff) | |
machine specific secrets
Diffstat (limited to 'profiles/core/secrets.nix')
| -rw-r--r-- | profiles/core/secrets.nix | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/profiles/core/secrets.nix b/profiles/core/secrets.nix index fc11563..f0897be 100644 --- a/profiles/core/secrets.nix +++ b/profiles/core/secrets.nix @@ -1,4 +1,20 @@ -{machine,inputs,config,lib,pkgs,...}: with lib; { +{machine,inputs,config,lib,pkgs,...}: with lib; +let + getSecrets = dir: + mapAttrs' (name: _: let + parts = splitString "." name; + base = head parts; + format = if length parts > 1 then elemAt parts 1 else "binary"; + in nameValuePair base { + sopsFile = "${dir}/${name}"; + inherit format; + key = machine.hostname; + }) (if (filesystem.pathIsDirectory dir) then + (filterAttrs (n: v: v != "directory") (builtins.readDir dir)) + else + {}); +in +{ imports = [ inputs.sops-nix.nixosModules.sops (mkAliasOptionModule [ "secrets" ] [ "sops" "secrets" ]) # TODO: get my username(s) from machine config @@ -7,19 +23,11 @@ age.sshKeyPaths = []; age.keyFile = mkIf (machine.hostname == "lemptop") "${config.hm.xdg.configHome}/sops/age/keys.txt"; - secrets = mapAttrs' (name: _: let - parts = splitString "." name; - base = head parts; - format = if length parts > 1 then elemAt parts 1 else "binary"; - in - { - name = base; - value = { - sopsFile = "${inputs.self}/secrets/${name}"; - inherit format; - key = machine.hostname; - }; - }) (builtins.readDir "${inputs.self}/secrets"); # keep it out of the store + secrets = attrsets.mergeAttrsList + [ + (getSecrets "${inputs.self}/secrets") + (getSecrets "${inputs.self}/secrets/${machine.hostname}") + ]; }; environment = { |