diff --git a/home/modules/anki/default.nix b/home/modules/anki/default.nix
index 91580b1c..6d0429f4 100644
--- a/home/modules/anki/default.nix
+++ b/home/modules/anki/default.nix
@@ -13,10 +13,12 @@ let
 standalone = osConfig == null;
 in
 lib.optionalAttrs standalone {
- sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [
- "sync-user"
- "sync-key"
- ] { };
+ sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+ anki = [
+ "sync-user"
+ "sync-key"
+ ];
+ };
 }
 // {
 warnings = lib.optional (
diff --git a/home/modules/taskwarrior/default.nix b/home/modules/taskwarrior/default.nix
index 80593b1d..f6958ec5 100644
--- a/home/modules/taskwarrior/default.nix
+++ b/home/modules/taskwarrior/default.nix
@@ -15,11 +15,13 @@ let
 in
 lib.optionalAttrs standalone {
 sops = {
- secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [
- "sync-server-url"
- "sync-server-client-id"
- "sync-encryption-secret"
- ] { };
+ secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+ taskwarrior = [
+ "sync-server-url"
+ "sync-server-client-id"
+ "sync-encryption-secret"
+ ];
+ };
 
 templates."taskrc.d/sync" = {
 content = ''
diff --git a/modules/ai-tools/default.nix b/modules/ai-tools/default.nix
index d8c5ed8c..9a009ec4 100644
--- a/modules/ai-tools/default.nix
+++ b/modules/ai-tools/default.nix
@@ -1,15 +1,14 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
- inherit (config.secrets) sopsDir;
 inherit (config.host) username;
- owner = config.users.users.${username}.name;
+ inherit (config.secrets) owner;
 in
 {
- config.sops = {
- secrets = myUtils.mkSopsSecrets sopsDir "opencode" [ "api-key" ] { inherit owner; };
+ config = {
+ secrets.groups.opencode = [ "api-key" ];
 
- templates."opencode/auth.json" = {
+ sops.templates."opencode/auth.json" = {
 inherit owner;
 path = "/home/${username}/.local/share/opencode/auth.json";
 content = ''
diff --git a/modules/anki/default.nix b/modules/anki/default.nix
index 7da7147c..3700afa8 100644
--- a/modules/anki/default.nix
+++ b/modules/anki/default.nix
@@ -1,12 +1,6 @@
-{ config, myUtils, ... }:
-
- let
- inherit (config.secrets) sopsDir;
- inherit (config.host) username;
- owner = config.users.users.${username}.name;
-in
 {
- config.sops = {
- secrets = myUtils.mkSopsSecrets sopsDir "anki" [ "sync-user" "sync-key" ] { inherit owner; };
- };
+ config.secrets.groups.anki = [
+ "sync-user"
+ "sync-key"
+ ];
 }
diff --git a/modules/backups/default.nix b/modules/backups/default.nix
index 5ff81388..23885f17 100644
--- a/modules/backups/default.nix
+++ b/modules/backups/default.nix
@@ -1,14 +1,11 @@
 {
 lib,
 config,
- myUtils,
 ...
 }:
 
 let
 cfg = config.restic-backup;
- inherit (config.secrets) sopsDir;
- mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
 host = config.networking.hostName;
 in
 {
@@ -27,21 +24,24 @@ in
 };
 
 config = lib.mkIf cfg.enable {
- sops = {
- secrets = lib.mkMerge [
- (mkSopsSecrets "restic" [ "password" ] { })
- (mkSopsSecrets "backblaze-b2" [ "bucket-name" "account-id" "account-key" ] { })
+ secrets.groups = {
+ restic = [ "password" ];
+ backblaze-b2 = [
+ "bucket-name"
+ "account-id"
+ "account-key"
 ];
 
- templates = {
- "restic/repo-${host}" = {
- content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
- };
- "restic/b2-env-${host}" = {
- content = ''
- B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
- B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
- '';
- };
+ };
+
+ sops.templates = {
+ "restic/repo-${host}" = {
+ content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
+ };
+ "restic/b2-env-${host}" = {
+ content = ''
+ B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
+ B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
+ '';
 };
 };
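Review bot: The restic and backblaze-b2 secrets lose their root-only ownership in the second hunk: the removed `mkSopsSecrets` calls passed `{ }` as extraOpts (leaving sops-nix's default root owner), whereas `secrets.groups` are all materialised in modules/secrets by `myUtils.mkSopsSecrets sopsDir owner cfg.groups`, which applies the single `config.secrets.owner` (`config.users.users.${username}.name`, the host user) to every group. The repository password and the B2 account key therefore become readable by the interactive user rather than only by root, a wider exposure than before this commit. If the backup job runs as root these two groups need no owner at all, so a per-group owner (for example `groups` as an attrset of `{ names; owner ? null; }`, or a separate option for root-owned groups) would preserve the previous split; the same uniform owner is applied in the modules/secrets `config` hunk. The hunk also appears to keep a blank line between `];` and the new closing `};` of `secrets.groups`, which nixfmt would not normally emit.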
diff --git a/modules/hcloud/default.nix b/modules/hcloud/default.nix
index e41765a8..7c1c0423 100644
--- a/modules/hcloud/default.nix
+++ b/modules/hcloud/default.nix
@@ -1,14 +1,13 @@
 {
 lib,
 config,
- myUtils,
 ...
 }:
 
 let
 cfg = config.hcloud;
 inherit (config.host) username;
- inherit (config.secrets) sopsDir;
+ inherit (config.secrets) owner;
 in
 {
 options.hcloud = {
@@ -16,12 +15,10 @@ in
 };
 
 config = lib.mkIf cfg.enable {
- sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] {
- owner = config.users.users.${username}.name;
- };
+ secrets.groups.hcloud = [ "api-token" ];
 
 sops.templates."hcloud/cli.toml" = {
- owner = config.users.users.${username}.name;
+ inherit owner;
 path = "/home/${username}/.config/hcloud/cli.toml";
 content = ''
 active_context = "server"
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index f847c7e2..d5c33570 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -12,7 +12,6 @@ let
 inherit (config.host) username;
 inherit (cfg) sopsDir;
 owner = config.users.users.${username}.name;
- mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
 in
 {
 imports = [ inputs.sops-nix.nixosModules.sops ];
@@ -24,6 +23,15 @@ in
 default = "${toString inputs.nix-secrets}/secrets";
 };
 
+ groups = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+ default = { };
+ };
+
+ owner = lib.mkOption {
+ type = lib.types.unspecified;
+ };
+
 nixSigningKey = {
 enable = lib.mkEnableOption "nix signing key configuration";
 };
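Review bot: The new `groups` and `owner` options in the last hunk carry no `description`, and `owner` is declared `lib.types.unspecified` with no default, so the option system accepts any value and gives a reader no hint of what `secrets.groups.restic = [ "password" ];` in another module means. The value this module assigns is `config.users.users.${username}.name`, a string, so `type = lib.types.str;` is the accurate type and would reject a mistaken user attrset. Suggested text: for `groups`, `description = "Secret groups: each attribute name is a sops file <sopsDir>/<name>.yaml and its list the keys in it, exposed as sops secrets <name>/<key>.";` and for `owner`, `description = "User that owns every decrypted secret produced from the groups option.";`. The `options` attrset this hunk edits starts and ends outside the hunk.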
@@ -35,27 +43,28 @@ in
 };
 
 config = {
+ secrets = {
+ inherit owner;
+ groups = {
+ email = [
+ "personal"
+ "work"
+ ];
+ nix = lib.optional cfg.nixSigningKey.enable "signing-key";
+ };
+ };
+
 sops = {
 # for yubikey, generate as follows:
 # ```
 # age-plugin-yubikey --identity >
 # ```
 age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
-
- secrets = lib.mkMerge [
- (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
- (lib.mkIf cfg.nixSigningKey.enable {
- nix-signing-key = {
- sopsFile = "${sopsDir}/nix.yaml";
- key = "signing-key";
- inherit owner;
- };
- })
- ];
+ secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
 };
 
 nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
- config.sops.secrets.nix-signing-key.path
+ config.sops.secrets."nix/signing-key".path
 ];
 
 services = {
diff --git a/modules/taskwarrior/default.nix b/modules/taskwarrior/default.nix
index 2767797b..af178b6b 100644
--- a/modules/taskwarrior/default.nix
+++ b/modules/taskwarrior/default.nix
@@ -1,19 +1,17 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
- inherit (config.secrets) sopsDir;
- inherit (config.host) username;
- owner = config.users.users.${username}.name;
+ inherit (config.secrets) owner;
 in
 {
- config.sops = {
- secrets = myUtils.mkSopsSecrets sopsDir "taskwarrior" [
+ config = {
+ secrets.groups.taskwarrior = [
 "sync-server-url"
 "sync-server-client-id"
 "sync-encryption-secret"
- ] { inherit owner; };
+ ];
 
- templates."taskrc.d/sync" = {
+ sops.templates."taskrc.d/sync" = {
 inherit owner;
 content = ''
 sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}
diff --git a/utils/secrets.nix b/utils/secrets.nix
index c6dcca4c..4487e66e 100644
--- a/utils/secrets.nix
+++ b/utils/secrets.nix
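Review bot: The signing-key secret changes its sops-nix name from `nix-signing-key` to `nix/signing-key` in the first hunk, and with sops-nix's default path layout presumably its decrypted location as well; only the `nix.settings.secret-key-files` reference is updated, so any other consumer of `config.sops.secrets.nix-signing-key` or its path outside this hunk would fail at evaluation time. A short comment above the `nix =` entry, e.g. `# group "nix" -> ${sopsDir}/nix.yaml, key "signing-key"; previously the sops secret nix-signing-key`, would make the rename easy to find later. The enclosing `config` attrset starts before and ends after this hunk.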
@@ -2,19 +2,25 @@
 {
 mkSopsSecrets =
- sopsDir: group: names: extraOpts:
+ sopsDir: owner: groups:
 let
- file = "${group}.yaml";
+ opts = lib.optionalAttrs (owner != null) { inherit owner; };
+ mkGroup =
+ group: names:
+ let
+ file = "${group}.yaml";
+ in
+ lib.foldl' lib.mergeAttrs { } (
+ map (name: {
+ "${group}/${name}" = {
+ sopsFile = "${sopsDir}/${file}";
+ key = name;
+ }
+ // opts;
+ }) names
+ );
 in
- lib.foldl' lib.mergeAttrs { } (
- map (name: {
- "${group}/${name}" = {
- sopsFile = "${sopsDir}/${file}";
- key = name;
- }
- // extraOpts;
- }) names
- );
+ lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
 sopsAvailability = config: osConfig: