52 lines
1.2 KiB
Nix
52 lines
1.2 KiB
Nix
{
|
|
config,
|
|
inputs,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.flake;
|
|
inherit (builtins) readFile;
|
|
inherit (lib.meta) getExe;
|
|
inherit (lib.strings) trim;
|
|
inherit (cfg.admin) username pubkey;
|
|
in
|
|
{
|
|
flake.modules.nixos.default =
|
|
{ config, ... }:
|
|
{
|
|
imports = [ inputs.sops-nix.nixosModules.sops ];
|
|
config.sops = {
|
|
defaultSopsFile = "${cfg.root}/secrets/secrets.yaml";
|
|
age.sshKeyPaths = [
|
|
"/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
|
|
];
|
|
};
|
|
};
|
|
perSystem =
|
|
{ pkgs, ... }:
|
|
{
|
|
files.files = [
|
|
{
|
|
path_ = ".sops.yaml";
|
|
drv =
|
|
pkgs.writeText ".sops.yaml" # yaml
|
|
''
|
|
keys:
|
|
- &${username} ${trim (
|
|
readFile "${
|
|
pkgs.runCommand "" { } ''
|
|
mkdir $out; echo ${pubkey} | ${getExe pkgs.ssh-to-age} > $out/agepubkey
|
|
''
|
|
}/agepubkey"
|
|
)}
|
|
creation_rules:
|
|
- path_regex: \.(yaml)$
|
|
key_groups:
|
|
- age:
|
|
- *${username}
|
|
'';
|
|
}
|
|
];
|
|
};
|
|
}
|