2023-09-02 22:11:08 +08:00
|
|
|
inputs:
|
|
|
|
|
{
|
|
|
|
|
options.nixos.system.sops = let inherit (inputs.lib) mkOption types; in
|
|
|
|
|
{
|
2023-11-19 17:29:15 +08:00
|
|
|
enable = mkOption { type = types.bool; default = true; };
|
|
|
|
|
keyPathPrefix = mkOption { type = types.str; default = "/nix/persistent"; };
|
2023-09-02 22:11:08 +08:00
|
|
|
};
|
|
|
|
|
config =
|
|
|
|
|
let
|
|
|
|
|
inherit (inputs.lib) mkIf;
|
|
|
|
|
inherit (inputs.config.nixos.system) sops;
|
|
|
|
|
in mkIf sops.enable
|
|
|
|
|
{
|
|
|
|
|
sops =
|
|
|
|
|
{
|
2023-12-07 16:24:22 +08:00
|
|
|
defaultSopsFile =
|
2024-04-09 20:51:25 +08:00
|
|
|
let deviceDir = "${inputs.topInputs.self}/modules/devices/${inputs.config.nixos.system.networking.hostname}";
|
2024-04-03 13:50:08 +08:00
|
|
|
in mkIf
|
|
|
|
|
(
|
|
|
|
|
builtins.pathExists "${deviceDir}/secrets.yaml"
|
|
|
|
|
|| builtins.pathExists "${deviceDir}/secrets/default.yaml"
|
|
|
|
|
)
|
|
|
|
|
(
|
|
|
|
|
if builtins.pathExists "${deviceDir}/secrets.yaml" then "${deviceDir}/secrets.yaml"
|
|
|
|
|
else "${deviceDir}/secrets/default.yaml"
|
|
|
|
|
);
|
2023-09-02 22:11:08 +08:00
|
|
|
# sops start before impermanence, so we need to use the absolute path
|
|
|
|
|
age.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
|
|
|
|
|
gnupg.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
