blob: 2ee5753f5abf26ba651f4c7b14d954512342bd6d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
{
config,
inputs,
lib,
pkgs,
this,
...
}:
with lib; {
imports = [
inputs.agenix.nixosModules.default
(mkAliasOptionModule ["secrets"] ["age" "secrets"])
];
config = {
age = {
identityPaths =
if this.isHeadful
then ["${config.my.home}/.ssh/id_${my.ssh.type}"]
else
map (attr: attr.path) (filter (attr: attr.type == my.ssh.type)
config.services.openssh.hostKeys);
# This can be used to auto-add all secrets, thus eliminating the need to
# specify path to each envrypted file. The drawback is that this will
# expose *all* secrets to all machines and try to decrypt them all even on
# machines where the secret will not be used.
#
# secrets =
# let
# secretsSourceDir = "${inputs.self}/age";
# in
# mapAttrs'
# (name: _:
# nameValuePair name {
# file = "${secretsSourceDir}/${name}";
# owner = mkDefault my.username;
# group = mkDefault config.my.group;
# })
# (builtins.readDir secretsSourceDir);
};
environment.systemPackages = with pkgs; [agenix];
};
}
|
