From cdf512707145f53303b448bdc4887441505e747a Mon Sep 17 00:00:00 2001
From: Hektor Misplon
Date: Sun, 23 Nov 2025 21:46:07 +0100
Subject: [PATCH] modularize NixOS secrets config
---
 home/hosts/work/default.nix | 1 -
 hosts/andromache/default.nix | 15 ++++++++++++--
 hosts/astyanax/default.nix | 38 ++++++++++++----------------
 hosts/vm/default.nix | 14 ++++++++++++-
 modules/secrets/default.nix | 40 ++++++++++++++++++++++++++++++++++++
 5 files changed, 79 insertions(+), 29 deletions(-)
 create mode 100644 modules/secrets/default.nix
diff --git a/home/hosts/work/default.nix b/home/hosts/work/default.nix
index a5715c1..c1be3e0 100644
--- a/home/hosts/work/default.nix
+++ b/home/hosts/work/default.nix
@@ -10,7 +10,6 @@ let
 in
 {
 imports = [
- inputs.sops-nix.homeManagerModules.sops
 ../../modules/dconf.nix # TODO: Only enable when on Gnome?
 ];
diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix
index 5fcd8bc..552859b 100644
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -6,11 +6,15 @@
 ...
 }:
+let
+ username = "h";
+in
 {
 system.stateVersion = "25.05";
 imports = [
 inputs.disko.nixosModules.disko
+ inputs.sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ./hard.nix
 ../../modules/bootloader.nix
@@ -28,8 +32,15 @@
 ../../modules/localization.nix
 ../../modules/fonts
 ../../modules/ssh/hardened-openssh.nix
+ (import ../../modules/secrets {
+ inherit lib;
+ inherit inputs;
+ inherit config;
+ })
 ];
+ secrets.username = username;
+
 disko.devices = {
 disk.data = {
 type = "disk";
@@ -75,7 +86,7 @@
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
- users.h = import ../../home/hosts/andromache {
+ users.${username} = import ../../home/hosts/andromache {
 inherit inputs;
 inherit config;
 inherit pkgs;
@@ -99,7 +110,7 @@
 enable = true;
 openDefaultPorts = true;
 folders = {
- "/home/h/sync" = {
+ "/home/${username}/sync" = {
 id = "sync";
 devices = [ ];
 };
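Review bot: `inherit lib;` inside the new `(import ../../modules/secrets { ... })` entry assumes `lib` is bound in this file's argument set, but unlike the vm host's hunk (which adds `lib,` to its arguments) this hunk does not add it, and the argument set at the top of the file is outside the hunk — if `lib` is not already there, evaluation fails with an undefined-variable error, so this is worth confirming. Calling the module by hand with the host's own `config` also sidesteps the module system; the conventional form is to list the path, `../../modules/secrets`, and let the module system supply `lib` and `config` (and `inputs`, if it is already passed through `specialArgs` as the host receiving it suggests), which removes the three `inherit` lines entirely. The `imports` list this entry belongs to begins outside the hunk.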
diff --git a/hosts/astyanax/default.nix b/hosts/astyanax/default.nix
index 95223b4..7bf4dcc 100644
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -6,6 +6,10 @@
 ...
 }:
+let
+ username = "h";
+ hostName = "astynanax";
+in
 {
 system.stateVersion = "25.05";
@@ -23,37 +27,21 @@
 ../../modules/gnome.nix
 ../../modules/bluetooth.nix
 ../../modules/keyboard
- (import ../../modules/networking.nix { hostName = "astyanax"; })
+ (import ../../modules/networking.nix { hostName = hostName; })
 ../../modules/users.nix
 ../../modules/audio.nix
 ../../modules/localization.nix
 ../../modules/fonts
 ../../modules/ssh/hardened-openssh.nix
+ (import ../../modules/secrets {
+ inherit lib;
+ inherit inputs;
+ inherit config;
+ inherit username;
+ })
 ];
- sops = {
- validateSopsFiles = false;
- defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
- defaultSopsFormat = "yaml";
- age.keyFile = "/home/h/.config/sops/age/keys.txt";
-
- secrets = {
- "test" = { };
-
- "taskwarrior_sync_server_url".owner = config.users.users.h.name;
- "taskwarrior_sync_server_client_id".owner = config.users.users.h.name;
- "taskwarrior_sync_encryption_secret".owner = config.users.users.h.name;
- };
-
- templates."taskrc.d/sync" = {
- owner = config.users.users.h.name;
- content = ''
- sync.server.url=${config.sops.placeholder."taskwarrior_sync_server_url"}
- sync.server.client_id=${config.sops.placeholder."taskwarrior_sync_server_client_id"}
- sync.encryption_secret=${config.sops.placeholder."taskwarrior_sync_encryption_secret"}
- '';
- };
- };
+ secrets.username = username;
 environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
@@ -67,7 +55,7 @@
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
- users.h = import ../../home/hosts/astyanax {
+ users.${username} = import ../../home/hosts/astyanax {
 inherit inputs;
 inherit config;
 inherit pkgs;
diff --git a/hosts/vm/default.nix b/hosts/vm/default.nix
index 8449eee..3190b41 100644
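Review bot: `hostName = "astynanax";` misspells the host name: the line removed in the next hunk set `hostName = "astyanax"` and the file lives under `hosts/astyanax/`, so this refactor silently renames the machine on the next rebuild. Change it to `hostName = "astyanax";`. Anything that keys on the machine's hostname — SSH known_hosts entries, peers that identify this host by name, log correlation — would otherwise stop matching, and the breakage would look unrelated to a "modularize secrets" commit.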
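Review bot: `inherit username;` in the `(import ../../modules/secrets { ... })` call passes an argument the module never reads — its header is `{ lib, inputs, config, ... }` and it takes the user from the `secrets.username` option, which this hunk also sets on the following added line, so the value is absorbed by the `...` and does nothing. Drop the `inherit username;` line so the call matches the andromache and vm hosts; naming the user in two places invites the two drifting apart. The removed block's `"test" = { }` secret has no counterpart in the new module, which is fine if it was only a decryption smoke test but should be confirmed rather than lost by accident.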
--- a/hosts/vm/default.nix
+++ b/hosts/vm/default.nix
@@ -1,16 +1,21 @@
 {
+ lib,
 inputs,
 config,
 pkgs,
 ...
 }:
+let
+ username = "h";
+in
 {
 system.stateVersion = "25.05";
 imports = [
 inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel
 inputs.disko.nixosModules.disko
+ inputs.sops-nix.nixosModules.sops
 inputs.home-manager.nixosModules.default
 ./hard.nix
 ./disk.nix
@@ -23,8 +28,15 @@
 ../../modules/x.nix
 ../../modules/fonts
 ../../modules/ssh/hardened-openssh.nix
+ (import ../../modules/secrets {
+ inherit lib;
+ inherit inputs;
+ inherit config;
+ })
 ];
+ secrets.username = "h";
+
 environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
 nix.settings.experimental-features = [
@@ -55,7 +67,7 @@
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
- users.h = import ../../home/hosts/vm {
+ users.${username} = import ../../home/hosts/vm {
 inherit inputs;
 inherit config;
 inherit pkgs;
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..1b973ae
--- /dev/null
+++ b/modules/secrets/default.nix
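Review bot: `secrets.username = "h";` repeats the literal instead of using the `username` binding the first hunk of this file introduces (`username = "h";`), while `users.${username}` in the last hunk does use the binding, so the user that owns the sops secrets and the user that gets the home-manager profile are now defined independently. If one is ever changed without the other, the decrypted secrets end up owned by a different account than the one reading `taskrc.d/sync`. Use `secrets.username = username;` as the andromache and astyanax hosts do.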
@@ -0,0 +1,40 @@
+{
+ lib,
+ inputs,
+ config,
+ ...
+}:
+
+let
+ cfg = config.secrets;
+in
+{
+ options = {
+ secrets.username = lib.mkOption {
+ type = lib.types.str;
+ };
+ };
+ config = {
+ sops = {
+ validateSopsFiles = false;
+ defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
+ defaultSopsFormat = "yaml";
+ age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
+
+ secrets = {
+ "taskwarrior_sync_server_url".owner = config.users.users.${cfg.username}.name;
+ "taskwarrior_sync_server_client_id".owner = config.users.users.${cfg.username}.name;
+ "taskwarrior_sync_encryption_secret".owner = config.users.users.${cfg.username}.name;
+ };
+
+ templates."taskrc.d/sync" = {
+ owner = config.users.users.${cfg.username}.name;
+ content = ''
+ sync.server.url=${config.sops.placeholder."taskwarrior_sync_server_url"}
+ sync.server.client_id=${config.sops.placeholder."taskwarrior_sync_server_client_id"}
+ sync.encryption_secret=${config.sops.placeholder."taskwarrior_sync_encryption_secret"}
+ '';
+ };
+ };
+ };
+}
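Review bot: `age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt"` roots the system-level secret decryption in a file inside an unprivileged user's home, so any process running as that user can read the key that decrypts everything in `secrets.yaml` — not only the three secrets whose `owner` is that user — and activation additionally depends on that home directory being mounted and readable by root when sops-nix runs. A host-scoped key such as `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` or a root-only `age.keyFile = "/var/lib/sops-nix/key.txt";` keeps the key out of the user's reach and independent of home mounts; if the per-user location is deliberate, a comment on that line saying why (and that the key must be readable by root at activation) would stop the next reader from "fixing" it. `validateSopsFiles = false;` is presumably needed because `defaultSopsFile` is a string path outside the store, but it also drops the eval-time check that the file exists and parses, so a missing or malformed file only surfaces at activation — worth a one-line comment such as `# string path keeps secrets.yaml out of the store; validation is therefore skipped at eval time`. `secrets.username` has neither `description` nor `default`, so a host that forgets to set it fails with an opaque "option is used but not defined"; add `description = "User that owns the taskwarrior sync secrets and whose age key decrypts them.";` to the `mkOption`.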