{ lib, pkgs, config, secretsPath, ... }:
# Glue between the `my.secrets` options and agenix: every entry of
# `my.secrets.files` becomes an `age.secrets.<name>` whose encrypted payload is
# `${secretsPath}/<name>.age`, and the age identities used for decryption are
# taken from the host's sshd keys (inside a dev VM a fixed dev key is added).
let
  inherit (lib) mkMerge mkIf elem filter mapAttrs;
  inherit (lib.my) mkOpt';
  inherit (lib.types) str nullOr attrsOf unspecified;

  cfg = config.my.secrets;

  # Paths of the sshd host keys that double as age identities. Only the RSA and
  # ed25519 key types are kept; any other configured host key type is ignored.
  hostKeyIdentities =
    map (k: k.path)
      (filter (k: elem k.type [ "rsa" "ed25519" ]) config.services.openssh.hostKeys);

  # Builds the `age.secrets.<name>` entry for one secret. Attributes supplied by
  # the user win over the generated `file` path.
  mkSecret = name: extra: { file = "${secretsPath}/${name}.age"; } // extra;
in
{
  options.my.secrets = {
    vmKeyPath = mkOpt' str "/tmp/xchg/dev.key" "Path to dev key when in a dev VM.";
    # Not read by this module; presumably consumed wherever secrets are encrypted.
    key = mkOpt' (nullOr str) null "Public key that secrets for this system should be encrypted for.";
    files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix.";
  };

  config = mkMerge [
    {
      age.secrets = mapAttrs mkSecret cfg.files;

      # agenix ships its own default for this list, but a definition here replaces
      # it rather than extending it (different option priority), so the full list
      # is given explicitly, and only when sshd (hence its host keys) is enabled.
      age.identityPaths = mkIf config.services.openssh.enable hostKeyIdentities;
    }

    (mkIf (config.age.secrets != { }) {
      # With a persistence dir configured the decryption key does not exist yet at
      # mount time (it is presumably restored by "persist-files"), so that script
      # has to run before the secrets are mounted.
      system.activationScripts.agenixMountSecrets.deps =
        mkIf (config.my.tmproot.persistence.dir != null) [ "persist-files" ];
    })

    (mkIf config.my.build.isDevVM {
      age.identityPaths = [ cfg.vmKeyPath ];
    })
  ];
}