fix(secrets): default to non-user secrets

2026-06-15 21:11:51 +02:00
parent adcdb486a3
commit fc38f49fbf
10 changed files with 54 additions and 40 deletions


@@ -18,7 +18,7 @@ in
config = lib.mkIf cfg.enable ( config = lib.mkIf cfg.enable (
lib.optionalAttrs standalone { lib.optionalAttrs standalone {
sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null { sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" {
anki = [ anki = [
"sync-user" "sync-user"
"sync-key" "sync-key"


@@ -20,7 +20,7 @@ in
config = lib.mkIf cfg.enable ( config = lib.mkIf cfg.enable (
lib.optionalAttrs standalone { lib.optionalAttrs standalone {
sops = { sops = {
secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null { secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" {
taskwarrior = [ taskwarrior = [
"sync-server-url" "sync-server-url"
"sync-server-client-id" "sync-server-client-id"


@@ -10,7 +10,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
nixpkgs.allowedUnfree = [ "claude-code" ]; nixpkgs.allowedUnfree = [ "claude-code" ];
secrets.groups.opencode = [ "api-key" ]; secrets.opencode = [ "api-key" ];
sops.templates."opencode/auth.json" = { sops.templates."opencode/auth.json" = {
inherit owner; inherit owner;


@@ -7,7 +7,7 @@ in
options.anki.enable = lib.mkEnableOption "anki"; options.anki.enable = lib.mkEnableOption "anki";
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
secrets.groups.anki = [ secrets.user.anki = [
"sync-user" "sync-user"
"sync-key" "sync-key"
]; ];


@@ -24,7 +24,7 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
secrets.groups = { secrets = {
restic = [ "password" ]; restic = [ "password" ];
backblaze-b2 = [ backblaze-b2 = [
"bucket-name" "bucket-name"


@@ -10,6 +10,11 @@
type = lib.types.str; type = lib.types.str;
}; };
tags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
timezone = lib.mkOption { timezone = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "Europe/Brussels"; default = "Europe/Brussels";


@@ -15,7 +15,7 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
secrets.groups.hcloud = [ "api-token" ]; secrets.hcloud = [ "api-token" ];
sops.templates."hcloud/cli.toml" = { sops.templates."hcloud/cli.toml" = {
inherit owner; inherit owner;


@@ -12,12 +12,25 @@ let
inherit (config.host) username; inherit (config.host) username;
inherit (cfg) sopsDir; inherit (cfg) sopsDir;
owner = config.users.users.${username}.name; owner = config.users.users.${username}.name;
system = {
email = [
"personal"
"work"
];
nix = lib.optional cfg.nixSigningKey.enable "signing-key";
}
// lib.filterAttrs (_: lib.isList) cfg;
in in
{ {
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ inputs.sops-nix.nixosModules.sops ];
options.secrets = lib.mkOption {
default = { };
type = lib.types.submodule {
freeformType = lib.types.attrsOf (lib.types.listOf lib.types.str);
options = { options = {
secrets = {
enable = lib.mkEnableOption "secrets management"; enable = lib.mkEnableOption "secrets management";
sopsDir = lib.mkOption { sopsDir = lib.mkOption {
@@ -25,13 +38,14 @@ in
default = "${toString inputs.nix-secrets}/secrets"; default = "${toString inputs.nix-secrets}/secrets";
}; };
groups = lib.mkOption { user = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str); type = lib.types.attrsOf (lib.types.listOf lib.types.str);
default = { }; default = { };
}; };
owner = lib.mkOption { owner = lib.mkOption {
type = lib.types.unspecified; type = lib.types.unspecified;
default = owner;
}; };
nixSigningKey = { nixSigningKey = {
@@ -43,21 +57,11 @@ in
}; };
}; };
}; };
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
secrets = {
inherit owner;
groups = {
email = [
"personal"
"work"
];
nix = lib.optional cfg.nixSigningKey.enable "signing-key";
};
};
sops = { sops = {
secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups; secrets = myUtils.mkSopsSecrets sopsDir system // myUtils.mkSopsUserSecrets sopsDir owner cfg.user;
}; };
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [ nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
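Review bot: The `//` on the new `sops.secrets` line lets the user-owned set silently win over the system set: function application binds tighter than `//`, so if a group is declared both in the freeform (system) namespace and under `secrets.user`, and both helpers key their output the same way, the root-only declaration is replaced by the owner-readable one with no evaluation error. A disjointness check would turn that downgrade into a build failure, e.g. `assertions = [ { assertion = lib.intersectLists (lib.attrNames system) (lib.attrNames cfg.user) == [ ]; message = "secrets: a group may not be declared as both a system and a user secret"; } ];` inside the `config` block. The same operator on the `system` binding in the first hunk means a freeform `secrets.email` or `secrets.nix` set elsewhere replaces the built-in `personal`/`work` and signing-key lists rather than extending them, since the right operand wins; routing those two defaults through the module system (so `listOf str` merging applies) would avoid that. The `options.secrets` submodule and the `config` block both continue outside the hunks shown.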


@@ -8,7 +8,7 @@ in
options.taskwarrior.enable = lib.mkEnableOption "taskwarrior"; options.taskwarrior.enable = lib.mkEnableOption "taskwarrior";
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
secrets.groups.taskwarrior = [ secrets.taskwarrior = [
"sync-server-url" "sync-server-url"
"sync-server-client-id" "sync-server-client-id"
"sync-encryption-secret" "sync-encryption-secret"
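Review bot: The taskwarrior secrets move to the freeform namespace, which this commit now treats as system (no owner) secrets, whereas the anki module in the same commit keeps its sync credentials under `secrets.user.anki`. If the taskwarrior client reads these files directly as the user rather than through a template rendered elsewhere in this file, the owner-less defaults from `mkSopsSecrets` would make them unreadable to it; if that is intended, a short comment such as `# consumed via a root-rendered template, not read by the user directly` would record why this module differs from anki. The `config` block continues outside the hunk.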


@@ -1,7 +1,7 @@
{ lib }: { lib }:
{ let
mkSopsSecrets = mkSecrets =
sopsDir: owner: groups: sopsDir: owner: groups:
let let
opts = lib.optionalAttrs (owner != null) { inherit owner; }; opts = lib.optionalAttrs (owner != null) { inherit owner; };
@@ -21,6 +21,11 @@
); );
in in
lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups); lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
in
{
mkSopsSecrets = sopsDir: mkSecrets sopsDir null;
mkSopsUserSecrets = mkSecrets;
sopsAvailability = sopsAvailability =
config: osConfig: config: osConfig: