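# sops-nix wiring for one host.
#
# Every regular file under `<flake>/secrets/` and `<flake>/secrets/<hostname>/`
# becomes an entry in `sops.secrets`.  The attribute name is the file name up to
# its first dot, the sops `format` is taken from the last extension (`binary`
# when there is none), and `key` is set to the hostname so that for structured
# formats (yaml/json/...) the per-host entry of the file is what gets extracted.
# Host-specific files win over shared ones with the same base name because the
# host directory is merged last.
#
# NOTE(review): no decryption key is configured here (`sops.age.*` /
# `sops.gnupg.*` are unset), so decryption relies on sops-nix's defaults
# (the host SSH key, per upstream docs) or on another module -- confirm before
# depending on it.
{machine,inputs,config,lib,pkgs,...}: with lib;
let
  # Build the `sops.secrets` attrset for the regular files in `dir`.
  # Returns {} when `dir` does not exist.
  #
  # Dotfiles such as `.gitkeep` or `.sops.yaml` are skipped: `splitString`
  # would turn them into a secret named "" with a format of "gitkeep"/"sops",
  # which sops-nix's option type rejects and which breaks evaluation.
  getSecrets = dir:
    let
      entries =
        if filesystem.pathIsDirectory dir then
          filterAttrs (name: kind: kind != "directory" && !(hasPrefix "." name))
            (builtins.readDir dir)
        else
          {};

      toSecret = name: _:
        let
          parts = splitString "." name;
          base = head parts;
          # Use the *last* extension so `foo.bar.yaml` is treated as yaml
          # rather than as the non-existent format "bar".  Unknown extensions
          # are passed through on purpose: the option's enum check then fails
          # loudly instead of a stray file being silently mis-parsed.
          format = if length parts > 1 then last parts else "binary";
        in
        nameValuePair base {
          sopsFile = "${dir}/${name}";
          inherit format;
          # Select the `<hostname>` entry inside structured sops files.
          key = machine.hostname;
        };
    in
    mapAttrs' toSecret entries;
in
{
  imports = [
    inputs.sops-nix.nixosModules.sops
    # `secrets.<name>` is an alias for `sops.secrets.<name>`.
    (mkAliasOptionModule [ "secrets" ] [ "sops" "secrets" ]) # TODO: get my username(s) from machine config
  ];

  # Fake machines (e.g. VM/test builds) get no secrets and no sops tooling.
  config = mkIf (!machine.isFake) {
    sops = {
      # Shared secrets first, host-specific ones last so the latter override.
      secrets = attrsets.mergeAttrsList [
        (getSecrets "${inputs.self}/secrets")
        (getSecrets "${inputs.self}/secrets/${machine.hostname}")
      ];
    };

    environment = {
      # CLI tooling for editing/re-keying secrets on the host itself.
      systemPackages = [
        pkgs.sops
        pkgs.age
      ];
    };
  };
}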