hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: adopt modular secrets approach

Browse Source
This commit is contained in:
Hektor Misplon
2026-03-13 23:03:59 +01:00
committed by hektor
parent 3f9c9cd154
commit 916e732ce6
14 changed files with 212 additions and 161 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
flake.lock generated
View File

@@ -121,11 +121,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1773374581, "lastModified": 1773720169,
"narHash": "sha256-cqbRdYEmO8FNoaUtoc6+GLR4EGU1f24cGJiQUPJJmxI=", "narHash": "sha256-rDYvCjc50uxasQjU07Y8vHudR28LtRQbfrvRqZRyiN4=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "c73146d00a2a01e2ac844ceed9640e0f314a5dda", "rev": "7f4fdba8e1b5177ef1508e2d32843c68c4aebf5c",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@@ -344,11 +344,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1773422513, "lastModified": 1773681856,
"narHash": "sha256-MPjR48roW7CUMU6lu0+qQGqj92Kuh3paIulMWFZy+NQ=", "narHash": "sha256-+bRqxoFCJFO9ZTFhcCkzNXbDT3b8AEk88fyjB7Is6eo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "ef12a9a2b0f77c8fa3dda1e7e494fca668909056", "rev": "57d5560ee92a424fb71fde800acd6ed2c725dfce",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -400,10 +400,10 @@
"nix-secrets": { "nix-secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1773429715, "lastModified": 1773505989,
"narHash": "sha256-fw57QRzSlX23V3qYejECwrYkxSca7TY4WRCY4OF79t4=", "narHash": "sha256-zmKDguP5ReYfb2LK3gICP0xVZXnkV7Zt+iq6dFGqLPo=",
"ref": "main", "ref": "main",
"rev": "58f5109e5195b3015e01356574f67abd719f3039", "rev": "e7472aa92a8bce003fccb310191c45948165a8c3",
"shallow": true, "shallow": true,
"type": "git", "type": "git",
"url": "ssh://git@github.com/hektor/nix-secrets" "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -453,11 +453,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1772972630, "lastModified": 1773533765,
"narHash": "sha256-mUJxsNOrBMNOUJzN0pfdVJ1r2pxeqm9gI/yIKXzVVbk=", "narHash": "sha256-qonGfS2lzCgCl59Zl63jF6dIRRpvW3AJooBGMaXjHiY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "3966ce987e1a9a164205ac8259a5fe8a64528f72", "rev": "f8e82243fd601afb9f59ad230958bd073795cbfe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -469,11 +469,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1773282481, "lastModified": 1773646010,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", "narHash": "sha256-iYrs97hS7p5u4lQzuNWzuALGIOdkPXvjz7bviiBjUu8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127", "rev": "5b2c2d84341b2afb5647081c1386a80d7a8d8605",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -667,11 +667,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1773096132, "lastModified": 1773698643,
"narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=", "narHash": "sha256-VCiDjE8kNs8uCAK73Ezk1r3fFuc4JepvW07YFqaN968=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784", "rev": "8237de83e8200d16fe0c4467b02a1c608ff28044",
"type": "github" "type": "github"
}, },
"original": { "original": {

32
flake.nix
View File

@@ -60,8 +60,8 @@
let let
inherit (self) outputs; inherit (self) outputs;
inherit (inputs.nixpkgs) lib; inherit (inputs.nixpkgs) lib;
utils = import ./utils { inherit lib; }; myUtils = import ./utils { inherit lib; };
hostDirNames = utils.dirNames ./hosts; hostDirNames = myUtils.dirNames ./hosts;
system = "x86_64-linux"; system = "x86_64-linux";
dotsPath = ./dots; dotsPath = ./dots;
gitHooks = import ./git-hooks.nix { gitHooks = import ./git-hooks.nix {
@@ -82,7 +82,12 @@
{ nixpkgs.hostPlatform = import ./hosts/${host}/system.nix; } { nixpkgs.hostPlatform = import ./hosts/${host}/system.nix; }
]; ];
specialArgs = { specialArgs = {
inherit inputs outputs dotsPath; inherit
inputs
outputs
dotsPath
myUtils
;
}; };
} }
)) ))
@@ -97,7 +102,12 @@
} }
]; ];
specialArgs = { specialArgs = {
inherit inputs outputs dotsPath; inherit
inputs
outputs
dotsPath
myUtils
;
}; };
}; };
sd-image-raspberry-pi-aarch64 = nixpkgs.lib.nixosSystem { sd-image-raspberry-pi-aarch64 = nixpkgs.lib.nixosSystem {
@@ -110,7 +120,12 @@
} }
]; ];
specialArgs = { specialArgs = {
inherit inputs outputs dotsPath; inherit
inputs
outputs
dotsPath
myUtils
;
}; };
}; };
}; };
@@ -123,7 +138,12 @@
}; };
modules = [ ./home/hosts/work ]; modules = [ ./home/hosts/work ];
extraSpecialArgs = { extraSpecialArgs = {
inherit inputs outputs dotsPath; inherit
inputs
outputs
dotsPath
myUtils
;
}; };
}; };
}; };

36
home/hosts/work/default.nix
View File

@@ -41,41 +41,7 @@ in
../../modules/vscode ../../modules/vscode
]; ];
sops = { sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
defaultSopsFile = "${inputs.nix-secrets}/secrets.yaml";
secrets = {
taskwarrior_sync_server_url = { };
taskwarrior_sync_server_client_id = { };
taskwarrior_sync_encryption_secret = { };
anki_sync_user = { };
anki_sync_key = { };
opencode_api_key = { };
};
templates = {
"taskrc.d/sync" = {
content = ''
sync.server.url=${config.sops.placeholder.taskwarrior_sync_server_url}
sync.server.client_id=${config.sops.placeholder.taskwarrior_sync_server_client_id}
sync.encryption_secret=${config.sops.placeholder.taskwarrior_sync_encryption_secret}
'';
};
"opencode/auth.json" = {
path = "${config.home.homeDirectory}/.local/share/opencode/auth.json";
content = ''
{
"zai-coding-plan": {
"type": "api",
"key": "${config.sops.placeholder.opencode_api_key}"
}
}
'';
};
};
};
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;

15
home/modules/anki/default.nix
View File

@@ -2,20 +2,17 @@
config, config,
lib, lib,
pkgs, pkgs,
myUtils,
osConfig ? null, osConfig ? null,
... ...
}: }:
let let
hmSopsAvailable = config ? sops && config.sops ? secrets; sops = myUtils.sopsAvailability config osConfig;
osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
sopsAvailable = hmSopsAvailable || osSopsAvailable;
sopsSecrets = if hmSopsAvailable then config.sops.secrets else osConfig.sops.secrets;
in in
{ {
warnings = lib.optional ( warnings = lib.optional (
!sopsAvailable && config.programs.anki.enable !sops.available && config.programs.anki.enable
) "anki is enabled but sops secrets are not available. anki sync will not be configured."; ) "anki is enabled but sops secrets are not available. anki sync will not be configured.";
programs.anki = { programs.anki = {
@@ -26,9 +23,9 @@ in
puppy-reinforcement puppy-reinforcement
review-heatmap review-heatmap
]; ];
profiles."User 1".sync = lib.mkIf sopsAvailable { profiles."User 1".sync = lib.mkIf sops.available {
usernameFile = "${sopsSecrets."anki_sync_user".path}"; usernameFile = "${sops.secrets."anki-sync-user".path}";
keyFile = "${sopsSecrets."anki_sync_key".path}"; keyFile = "${sops.secrets."anki-sync-key".path}";
}; };
}; };
} }

5
home/modules/cloud/hetzner.nix
View File

@@ -14,8 +14,7 @@ in
warnings = warnings =
lib.optional (!isNixOS) lib.optional (!isNixOS)
"hcloud module requires NixOS host configuration. This module will not work with standalone home-manager."; "hcloud module requires NixOS host configuration. This module will not work with standalone home-manager.";
home = {
packages = with pkgs; [ hcloud ]; home.packages = with pkgs; [ hcloud ];
};
}; };
} }

15
home/modules/taskwarrior/default.nix
View File

@@ -3,20 +3,17 @@
lib, lib,
pkgs, pkgs,
dotsPath, dotsPath,
myUtils,
osConfig ? null, osConfig ? null,
... ...
}: }:
let let
hmSopsAvailable = config ? sops && config.sops ? templates; sops = myUtils.sopsAvailability config osConfig;
osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? templates;
sopsAvailable = hmSopsAvailable || osSopsAvailable;
sopsTemplates = if hmSopsAvailable then config.sops.templates else osConfig.sops.templates;
in in
{ {
warnings = warnings =
lib.optional (!sopsAvailable && config.programs.taskwarrior.enable) lib.optional (!sops.available && config.programs.taskwarrior.enable)
"taskwarrior is enabled, but sops templates are not available. taskwarrior sync will not be configured."; "taskwarrior is enabled, but sops templates are not available. taskwarrior sync will not be configured.";
home.packages = with pkgs; [ home.packages = with pkgs; [
@@ -27,7 +24,7 @@ in
home.file = { home.file = {
".config/task/taskrc" = { ".config/task/taskrc" = {
force = true; # overwrite when present force = true;
source = dotsPath + "/.config/task/taskrc"; source = dotsPath + "/.config/task/taskrc";
}; };
".config/task/taskrc.d/aliases".source = dotsPath + "/.config/task/taskrc.d/aliases"; ".config/task/taskrc.d/aliases".source = dotsPath + "/.config/task/taskrc.d/aliases";
@@ -60,8 +57,8 @@ in
config = { config = {
recurrence = "off"; recurrence = "off";
}; };
extraConfig = lib.optionalString sopsAvailable '' extraConfig = lib.optionalString sops.available ''
include ${sopsTemplates."taskrc.d/sync".path} include ${sops.templates."taskrc.d/sync".path}
''; '';
}; };
} }

13
hosts/andromache/default.nix
View File

@@ -17,7 +17,6 @@ in
inputs.nixos-hardware.nixosModules.common-cpu-intel inputs.nixos-hardware.nixosModules.common-cpu-intel
inputs.nixos-hardware.nixosModules.common-pc inputs.nixos-hardware.nixosModules.common-pc
inputs.nixos-hardware.nixosModules.common-pc-ssd inputs.nixos-hardware.nixosModules.common-pc-ssd
inputs.sops-nix.nixosModules.sops
../../modules/common ../../modules/common
../../modules/boot/bootloader.nix ../../modules/boot/bootloader.nix
(import ../../modules/disko/zfs-encrypted-root.nix { (import ../../modules/disko/zfs-encrypted-root.nix {
@@ -44,6 +43,7 @@ in
../../modules/users ../../modules/users
../../modules/wol ../../modules/wol
../../modules/yubikey ../../modules/yubikey
../../modules/hcloud
]; ];
home-manager.users.${config.host.username} = import ../../home/hosts/andromache { home-manager.users.${config.host.username} = import ../../home/hosts/andromache {
@@ -58,10 +58,15 @@ in
ssh.username = config.host.username; ssh.username = config.host.username;
ssh.authorizedHosts = [ "astyanax" ]; ssh.authorizedHosts = [ "astyanax" ];
secrets.username = config.host.username; secrets = {
inherit (config.host) username;
nixSigningKey.enable = true;
};
docker.user = config.host.username; docker.user = config.host.username;
hcloud = {
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_andromache.path ]; enable = true;
inherit (config.host) username;
};
disko.devices = { disko.devices = {
disk.data = { disk.data = {

8
hosts/astyanax/default.nix
View File

@@ -16,7 +16,6 @@ in
inputs.nixos-hardware.nixosModules.common-pc inputs.nixos-hardware.nixosModules.common-pc
inputs.nixos-hardware.nixosModules.common-pc-ssd inputs.nixos-hardware.nixosModules.common-pc-ssd
# inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel-gen7 (not available yet?) # inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel-gen7 (not available yet?)
inputs.sops-nix.nixosModules.sops
../../modules/common ../../modules/common
../../modules/boot/bootloader.nix ../../modules/boot/bootloader.nix
(import ../../modules/disko/zfs-encrypted-root.nix { (import ../../modules/disko/zfs-encrypted-root.nix {
@@ -53,14 +52,15 @@ in
ssh.username = config.host.username; ssh.username = config.host.username;
ssh.authorizedHosts = [ "andromache" ]; ssh.authorizedHosts = [ "andromache" ];
secrets.username = config.host.username; secrets = {
inherit (config.host) username;
nixSigningKey.enable = true;
};
docker.user = config.host.username; docker.user = config.host.username;
nfc.user = config.host.username; nfc.user = config.host.username;
desktop.ly.enable = true; desktop.ly.enable = true;
audio.automation.enable = true; audio.automation.enable = true;
nix.settings.secret-key-files = [ config.sops.secrets.nix_signing_key_astyanax.path ];
hardware = { hardware = {
cpu.intel.updateMicrocode = true; cpu.intel.updateMicrocode = true;
# https://wiki.nixos.org/wiki/Intel_Graphics # https://wiki.nixos.org/wiki/Intel_Graphics

1
hosts/vm/default.nix
View File

@@ -10,7 +10,6 @@
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
./hard.nix ./hard.nix
./host.nix ./host.nix
inputs.sops-nix.nixosModules.sops
./disk.nix ./disk.nix
../../modules/common ../../modules/common
../../modules/boot/bootloader.nix ../../modules/boot/bootloader.nix

38
modules/backups/default.nix
View File

@@ -6,18 +6,19 @@
let let
cfg = config.restic-backup; cfg = config.restic-backup;
inherit (config.secrets) sopsDir;
in in
{ {
options = { options = {
restic-backup = { restic-backup = {
repository = lib.mkOption { repository = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}"; default = "b2:${config.sops.placeholder.b2-bucket-name}:${config.networking.hostName}";
}; };
passwordFile = lib.mkOption { passwordFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = config.sops.secrets."restic_password".path; default = config.sops.secrets.restic-password.path;
}; };
paths = lib.mkOption { paths = lib.mkOption {
@@ -29,17 +30,30 @@ in
config = { config = {
sops = { sops = {
secrets.b2_bucket_name = { }; secrets = {
restic-password = {
templates."restic/repo-${config.networking.hostName}" = { sopsFile = "${sopsDir}/restic-password";
content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}"; };
b2-bucket-name = {
sopsFile = "${sopsDir}/b2-bucket-name";
};
b2-account-id = {
sopsFile = "${sopsDir}/b2-account-id";
};
b2-account-key = {
sopsFile = "${sopsDir}/b2-account-key";
};
}; };
templates = {
templates."restic/b2-env-${config.networking.hostName}" = { "restic/repo-${config.networking.hostName}" = {
content = '' content = "b2:${config.sops.placeholder.b2-bucket-name}:${config.networking.hostName}";
B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"} };
B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"} "restic/b2-env-${config.networking.hostName}" = {
''; content = ''
B2_ACCOUNT_ID=${config.sops.placeholder.b2-account-id}
B2_ACCOUNT_KEY=${config.sops.placeholder.b2-account-key}
'';
};
}; };
}; };

8
modules/common/default.nix
View File

@@ -2,6 +2,7 @@
inputs, inputs,
outputs, outputs,
dotsPath, dotsPath,
myUtils,
config, config,
... ...
}: }:
@@ -61,7 +62,12 @@ in
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
extraSpecialArgs = { extraSpecialArgs = {
inherit inputs outputs dotsPath; inherit
inputs
outputs
dotsPath
myUtils
;
}; };
}; };
}; };

38
modules/hcloud/default.nix Normal file
View File

@@ -0,0 +1,38 @@
{
lib,
config,
...
}:
let
cfg = config.hcloud;
inherit (config.secrets) sopsDir;
in
{
options.hcloud = {
enable = lib.mkEnableOption "hcloud CLI configuration";
username = lib.mkOption {
type = lib.types.str;
description = "Username for hcloud CLI configuration";
};
};
config = lib.mkIf cfg.enable {
sops.secrets.hcloud-token = {
sopsFile = "${sopsDir}/hcloud-token";
owner = config.users.users.${cfg.username}.name;
};
sops.templates."hcloud/cli.toml" = {
owner = config.users.users.${cfg.username}.name;
path = "/home/${cfg.username}/.config/hcloud/cli.toml";
content = ''
active_context = "server"
[[contexts]]
name = "server"
token = "${config.sops.placeholder.hcloud-token}"
'';
};
};
}

116
modules/secrets/default.nix
View File

@@ -7,102 +7,100 @@
let let
cfg = config.secrets; cfg = config.secrets;
in inherit (cfg) sopsDir;
{ owner = config.users.users.${cfg.username}.name;
options = {
secrets.username = lib.mkOption { mkSecret = name: {
type = lib.types.str; ${name} = {
sopsFile = "${sopsDir}/${name}";
inherit owner;
}; };
}; };
in
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options = {
secrets = {
username = lib.mkOption {
type = lib.types.str;
};
sopsDir = lib.mkOption {
type = lib.types.str;
default = "${toString inputs.nix-secrets}/secrets";
};
nixSigningKey = {
enable = lib.mkEnableOption "nix signing key configuration";
name = lib.mkOption {
type = lib.types.str;
default = "${config.host.name}-nix-signing-key";
};
};
};
};
config = { config = {
sops = { sops = {
defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
defaultSopsFormat = "yaml";
age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt"; age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
secrets = { secrets = lib.mkMerge [
"taskwarrior_sync_server_url".owner = config.users.users.${cfg.username}.name; (mkSecret "taskwarrior-sync-server-url")
"taskwarrior_sync_server_client_id".owner = config.users.users.${cfg.username}.name; (mkSecret "taskwarrior-sync-server-client-id")
"taskwarrior_sync_encryption_secret".owner = config.users.users.${cfg.username}.name; (mkSecret "taskwarrior-sync-encryption-secret")
"email_personal".owner = config.users.users.${cfg.username}.name; (mkSecret "anki-sync-user")
"email_work".owner = config.users.users.${cfg.username}.name; (mkSecret "anki-sync-key")
"anki_sync_user".owner = config.users.users.${cfg.username}.name; (mkSecret "email-personal")
"anki_sync_key".owner = config.users.users.${cfg.username}.name; (mkSecret "email-work")
"hcloud".owner = config.users.users.${cfg.username}.name; (mkSecret "opencode-api-key")
"nix_signing_key_astyanax" = { }; (lib.mkIf cfg.nixSigningKey.enable (mkSecret cfg.nixSigningKey.name))
"nix_signing_key_andromache" = { }; ];
"opencode_api_key".owner = config.users.users.${cfg.username}.name;
# TODO: using shared secrets for now, but would be better to to per-host secrets
# To add per-host secrets:
# "restic_password_${config.networking.hostName}" = { };
# "restic_b2_account_id_${config.networking.hostName}" = { };
# "restic_b2_account_key_${config.networking.hostName}" = { };
"restic_password" = { };
"b2_bucket_name" = { };
"b2_account_id" = { };
"b2_account_key" = { };
};
templates = { templates = {
"taskrc.d/sync" = { "taskrc.d/sync" = {
owner = config.users.users.${cfg.username}.name; inherit owner;
content = '' content = ''
sync.server.url=${config.sops.placeholder."taskwarrior_sync_server_url"} sync.server.url=${config.sops.placeholder.taskwarrior-sync-server-url}
sync.server.client_id=${config.sops.placeholder."taskwarrior_sync_server_client_id"} sync.server.client_id=${config.sops.placeholder.taskwarrior-sync-server-client-id}
sync.encryption_secret=${config.sops.placeholder."taskwarrior_sync_encryption_secret"} sync.encryption_secret=${config.sops.placeholder.taskwarrior-sync-encryption-secret}
''; '';
}; };
".gitconfig.email" = { ".gitconfig.email" = {
owner = config.users.users.${cfg.username}.name; inherit owner;
path = "/home/${cfg.username}/.gitconfig.email"; path = "/home/${cfg.username}/.gitconfig.email";
content = '' content = ''
[user] [user]
email = ${config.sops.placeholder."email_personal"} email = ${config.sops.placeholder.email-personal}
''; '';
}; };
".gitconfig.work.email" = { ".gitconfig.work.email" = {
owner = config.users.users.${cfg.username}.name; inherit owner;
path = "/home/${cfg.username}/.gitconfig.work.email"; path = "/home/${cfg.username}/.gitconfig.work.email";
content = '' content = ''
[user] [user]
email = ${config.sops.placeholder."email_work"} email = ${config.sops.placeholder.email-work}
'';
};
"hcloud/cli.toml" = {
owner = config.users.users.${cfg.username}.name;
path = "/home/${cfg.username}/.config/hcloud/cli.toml";
content = ''
active_context = "server"
[[contexts]]
name = "server"
token = "${config.sops.placeholder."hcloud"}"
''; '';
}; };
"opencode/auth.json" = { "opencode/auth.json" = {
owner = config.users.users.${cfg.username}.name; inherit owner;
path = "/home/${cfg.username}/.local/share/opencode/auth.json"; path = "/home/${cfg.username}/.local/share/opencode/auth.json";
content = '' content = ''
{ {
"zai-coding-plan": { "zai-coding-plan": {
"type": "api", "type": "api",
"key": "${config.sops.placeholder."opencode_api_key"}" "key": "${config.sops.placeholder.opencode-api-key}"
} }
} }
''; '';
}; };
"restic/b2-env" = {
content = ''
B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
'';
};
}; };
}; };
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
config.sops.secrets.${cfg.nixSigningKey.name}.path
];
}; };
} }

12
utils/default.nix
View File

@@ -10,4 +10,16 @@
import (hostDir + "/meta.nix") import (hostDir + "/meta.nix")
else else
throw "meta.nix required in ${hostDir}"; throw "meta.nix required in ${hostDir}";
sopsAvailability =
config: osConfig:
let
hmSopsAvailable = config ? sops && config.sops ? secrets;
osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
in
{
available = hmSopsAvailable || osSopsAvailable;
secrets = if hmSopsAvailable then config.sops.secrets else osConfig.sops.secrets;
templates = if hmSopsAvailable then config.sops.templates else osConfig.sops.templates;
};
} }