path: root/modules/secrets.nix
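# Secrets management for this host: wires agenix-encrypted secrets into the
# `leonardo` user account and into the optional mail / ddns / emacs modules.
#
# Everything under ../secrets/ is referenced by path. The *.age files are
# decrypted by agenix at activation time; the .pub and .nix files are plain
# text and end up in the Nix store like any other module input.
{ config, lib, inputs, pkgs, ... }:
let
  # Explicit inherits instead of `with lib;` so every lib name this module
  # relies on is visible here and cannot be shadowed silently.
  inherit (lib) mkOption types mkIf optionalAttrs listToAttrs;
  inherit (builtins) readFile attrValues;
  cfg = config.santi-modules;

  # agenix attrset shared by every secret that belongs to the user.
  # `mode` is pinned explicitly rather than left to the agenix default so a
  # future default change upstream cannot widen read access to these files.
  with-perms = name: {
    file = ../secrets/${name}.age;
    owner = "leonardo";
    group = "users";
    mode = "0400";
  };

  # `{ <name> = with-perms <name>; ... }` for a list of secret names.
  perms-for = names:
    listToAttrs (map (n: { name = n; value = with-perms n; }) names);
in {
  imports = [
    inputs.agenix.nixosModules.default
    inputs.home-manager.nixosModules.home-manager
  ];

  options.santi-modules.secrets.enable = mkOption {
    type = types.bool;
    default = true;
    description = "Enables secrets management through agenix";
  };

  config = mkIf cfg.secrets.enable {
    # `rage` is the age implementation used to (re-)encrypt files in ../secrets.
    environment.systemPackages = [ pkgs.rage ];

    # Public half of the user key is checked into the repo and placed by
    # home-manager; the private half is decrypted by agenix into the same
    # directory (see age.secrets.user-ssh-key below).
    # NOTE(review): two mechanisms write into ~/.ssh here, and nothing in this
    # file fixes the order in which home-manager and agenix create that
    # directory or who ends up owning it — verify on a fresh host.
    home-manager.users.leonardo.home.file.".ssh/id_ed25519.pub".source =
      ../secrets/user-ssh-key.pub;

    users.users.leonardo = {
      # Password hash is read from the decrypted secret at activation and is
      # therefore never written into the Nix store.
      hashedPasswordFile = config.age.secrets.user-pass.path;
      # NOTE(review): every host key listed in host-pub-keys.nix is accepted
      # for logins as `leonardo`, so any one host in the fleet can SSH into
      # this user on any other. Confirm that fleet-wide trust is intended; a
      # single compromised host otherwise becomes a lateral-movement path.
      openssh.authorizedKeys.keys =
        [ (readFile ../secrets/user-ssh-key.pub) ]
        ++ attrValues (import ../secrets/host-pub-keys.nix);
    };

    age.secrets =
      {
        user-pass = with-perms "user-pass";
        # Installed straight into the user's ssh directory instead of agenix's
        # default location so ssh picks it up without extra client config.
        user-ssh-key = with-perms "user-ssh-key" // {
          path = "/home/leonardo/.ssh/id_ed25519";
        };
      }
      # Secrets only decrypted when the module that consumes them is enabled.
      // optionalAttrs cfg.mu.enable
        (perms-for [ "work-mail" "personal-mail" "university-mail" ])
      // optionalAttrs cfg.services.ddns.enable { cloudflare = with-perms "cloudflare"; }
      // optionalAttrs cfg.emacs.enable { authinfo = with-perms "authinfo"; };
  };
}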