From 8f137c28230623259a964484adcf31fe00756594 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sat, 17 Dec 2022 16:39:09 +0300
Subject: 2022-12-17

---
 modules/nixos/common/secrets.nix | 45 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 modules/nixos/common/secrets.nix

(limited to 'modules/nixos/common/secrets.nix')

diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix
new file mode 100644
index 0000000..4fcdc61
--- /dev/null
+++ b/modules/nixos/common/secrets.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ this,
+ ...
+}:
+with lib; {
+ imports = [
+ inputs.agenix.nixosModule
+ (mkAliasOptionModule ["secrets"] ["age" "secrets"])
+ ];
+
+ config = {
+ age = {
+ identityPaths =
+ if this.isHeadful
+ then ["${config.my.home}/.ssh/id_${my.ssh.type}"]
+ else
+ map (attr: attr.path) (filter (attr: attr.type == my.ssh.type)
+ config.services.openssh.hostKeys);
+
+ # This can be used to auto-add all secrets, thus eleminating the need to
+ # specify path to each envrypted file. The drawback is that this will
+ # expose *all* secrets to all machines and try to decrypt them all even on
+ # machines where the secret will not be used.
+ #
+ # secrets =
+ # let
+ # secretsSourceDir = "${inputs.self}/age";
+ # in
+ # mapAttrs'
+ # (name: _:
+ # nameValuePair name {
+ # file = "${secretsSourceDir}/${name}";
+ # owner = mkDefault my.username;
+ # group = mkDefault config.my.group;
+ # })
+ # (builtins.readDir secretsSourceDir);
+ };
+
+ environment.systemPackages = with pkgs; [agenix];
+ };
+}
--
cgit 1.4.1
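Review bot: On headful hosts `identityPaths` makes a user's personal SSH key under `${config.my.home}/.ssh` the system-wide agenix decryption identity, so anything that can read or modify that user's home directory controls decryption of every secret deployed to the machine, and a passphrase-protected key there presumably cannot be used non-interactively during activation. The headless branch filters `config.services.openssh.hostKeys` by `my.ssh.type` and yields an empty list when no host key of that type is configured, so a missing key surfaces only as a decryption failure at activation rather than at evaluation. Consider a comment above `identityPaths` stating this trust boundary and an evaluation-time check such as `assertions = [{ assertion = config.age.identityPaths != []; message = "age: no identity matching my.ssh.type"; }];` next to `age = { ... }`. `my.ssh.type` and `my.username` are referenced bare while `config.my.home` and `config.my.group` go through `config`; presumably the bare `my` resolves through `with lib;`, worth confirming since `my` is not a module argument. The explanatory comment block also has two typos (`eleminating`, `envrypted`).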