hektor/nix
1
0
Fork 0
Code Pull Requests Actions Activity

fix(secrets): default to non-user secrets

Browse Source
This commit is contained in:
Hektor Misplon
2026-06-15 21:11:51 +02:00
parent adcdb486a3
commit fc38f49fbf
10 changed files with 54 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
home/modules/anki/default.nix
View File

@@ -18,7 +18,7 @@ in
config = lib.mkIf cfg.enable (
lib.optionalAttrs standalone {
sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" {
anki = [
"sync-user"
"sync-key"

2
home/modules/taskwarrior/default.nix
View File

@@ -20,7 +20,7 @@ in
config = lib.mkIf cfg.enable (
lib.optionalAttrs standalone {
sops = {
secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" {
taskwarrior = [
"sync-server-url"
"sync-server-client-id"

2
modules/ai-tools/default.nix
View File

@@ -10,7 +10,7 @@ in
config = lib.mkIf cfg.enable {
nixpkgs.allowedUnfree = [ "claude-code" ];
secrets.groups.opencode = [ "api-key" ];
secrets.opencode = [ "api-key" ];
sops.templates."opencode/auth.json" = {
inherit owner;

2
modules/anki/default.nix
View File

@@ -7,7 +7,7 @@ in
options.anki.enable = lib.mkEnableOption "anki";
config = lib.mkIf cfg.enable {
secrets.groups.anki = [
secrets.user.anki = [
"sync-user"
"sync-key"
];

2
modules/backups/default.nix
View File

@@ -24,7 +24,7 @@ in
};
config = lib.mkIf cfg.enable {
secrets.groups = {
secrets = {
restic = [ "password" ];
backblaze-b2 = [
"bucket-name"

5
modules/common/host.nix
View File

@@ -10,6 +10,11 @@
type = lib.types.str;
};
tags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
timezone = lib.mkOption {
type = lib.types.str;
default = "Europe/Brussels";

2
modules/hcloud/default.nix
View File

@@ -15,7 +15,7 @@ in
};
config = lib.mkIf cfg.enable {
secrets.groups.hcloud = [ "api-token" ];
secrets.hcloud = [ "api-token" ];
sops.templates."hcloud/cli.toml" = {
inherit owner;

32
modules/secrets/default.nix
View File

@@ -12,12 +12,25 @@ let
inherit (config.host) username;
inherit (cfg) sopsDir;
owner = config.users.users.${username}.name;
system = {
email = [
"personal"
"work"
];
nix = lib.optional cfg.nixSigningKey.enable "signing-key";
}
// lib.filterAttrs (_: lib.isList) cfg;
in
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.secrets = lib.mkOption {
default = { };
type = lib.types.submodule {
freeformType = lib.types.attrsOf (lib.types.listOf lib.types.str);
options = {
secrets = {
enable = lib.mkEnableOption "secrets management";
sopsDir = lib.mkOption {
@@ -25,13 +38,14 @@ in
default = "${toString inputs.nix-secrets}/secrets";
};
groups = lib.mkOption {
user = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
default = { };
};
owner = lib.mkOption {
type = lib.types.unspecified;
default = owner;
};
nixSigningKey = {
@@ -43,21 +57,11 @@ in
};
};
};
};
config = lib.mkIf cfg.enable {
secrets = {
inherit owner;
groups = {
email = [
"personal"
"work"
];
nix = lib.optional cfg.nixSigningKey.enable "signing-key";
};
};
sops = {
secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
secrets = myUtils.mkSopsSecrets sopsDir system // myUtils.mkSopsUserSecrets sopsDir owner cfg.user;
};
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [

2
modules/taskwarrior/default.nix
View File

@@ -8,7 +8,7 @@ in
options.taskwarrior.enable = lib.mkEnableOption "taskwarrior";
config = lib.mkIf cfg.enable {
secrets.groups.taskwarrior = [
secrets.taskwarrior = [
"sync-server-url"
"sync-server-client-id"
"sync-encryption-secret"

9
utils/secrets.nix
View File

@@ -1,7 +1,7 @@
{ lib }:
{
mkSopsSecrets =
let
mkSecrets =
sopsDir: owner: groups:
let
opts = lib.optionalAttrs (owner != null) { inherit owner; };
@@ -21,6 +21,11 @@
);
in
lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
in
{
mkSopsSecrets = sopsDir: mkSecrets sopsDir null;
mkSopsUserSecrets = mkSecrets;
sopsAvailability =
config: osConfig: