modularize NixOS secrets config

2025-11-23 21:46:07 +01:00
parent 1a57e8a424
commit cdf5127071
5 changed files with 79 additions and 29 deletions
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -0,0 +1,40 @@
+{
+  lib,
+  inputs,
+  config,
+  ...
+}:
+
+let
+  cfg = config.secrets;
+in
+{
+  options = {
+    secrets.username = lib.mkOption {
+      type = lib.types.str;
+    };
+  };
+  config = {
+    sops = {
+      validateSopsFiles = false;
+      defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
+      defaultSopsFormat = "yaml";
+      age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
+
+      secrets = {
+        "taskwarrior_sync_server_url".owner = config.users.users.${cfg.username}.name;
+        "taskwarrior_sync_server_client_id".owner = config.users.users.${cfg.username}.name;
+        "taskwarrior_sync_encryption_secret".owner = config.users.users.${cfg.username}.name;
+      };
+
+      templates."taskrc.d/sync" = {
+        owner = config.users.users.${cfg.username}.name;
+        content = ''
+          sync.server.url=${config.sops.placeholder."taskwarrior_sync_server_url"}
+          sync.server.client_id=${config.sops.placeholder."taskwarrior_sync_server_client_id"}
+          sync.encryption_secret=${config.sops.placeholder."taskwarrior_sync_encryption_secret"}
+        '';
+      };
+    };
+  };
+}