diff --git a/flake.nix b/flake.nix
index 7698413b..a75f0bd4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -130,6 +130,7 @@
 };
 impermanence.enable = true;
 networking.hostname = "pc";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 hardware =
 {
@@ -162,7 +163,6 @@
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
 fontconfig.enable = true;
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 samba =
 {
 enable = true;
@@ -258,12 +258,12 @@
 kernel.patches = [ "preempt" ];
 impermanence.enable = true;
 networking.hostname = "vps6";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 packages.packageSet = "server";
 services =
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 sshd.enable = true;
 xrayServer = { enable = true; serverName = "vps6.xserver.chn.moe"; };
 frpServer = { enable = true; serverName = "frp.chn.moe"; };
@@ -325,12 +325,12 @@
 kernel.patches = [ "preempt" ];
 impermanence.enable = true;
 networking.hostname = "vps4";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 packages.packageSet = "server";
 services =
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 sshd.enable = true;
 };
 };})
@@ -371,6 +371,7 @@
 kernel.patches = [ "preempt" ];
 impermanence = { enable = true; nodatacow = "/nix/nodatacow"; };
 networking.hostname = "vps7";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 packages =
 {
@@ -379,7 +380,6 @@
 services =
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 sshd.enable = true;
 rsshub.enable = true;
 nginx = { enable = true; transparentProxy.externalIp = "95.111.228.40"; };
@@ -425,12 +425,12 @@
 kernel.patches = [ "preempt" ];
 impermanence.enable = true;
 networking.hostname = "nas";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 packages.packageSet = "server";
 services =
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 sshd.enable = true;
 };
 };})
@@ -488,6 +488,7 @@
 };
 impermanence.enable = true;
 networking.hostname = "xmupc1";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 hardware =
 {
@@ -510,7 +511,6 @@
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
 fontconfig.enable = true;
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 samba =
 {
 enable = true;
@@ -587,6 +587,7 @@
 kernel.patches = [ "cjktty" "preempt" ];
 impermanence.enable = true;
 networking.hostname = "yoga";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 hardware =
 {
@@ -603,7 +604,6 @@
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
 fontconfig.enable = true;
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 sshd.enable = true;
 xrayClient =
 {
@@ -644,6 +644,7 @@
 kernel.patches = [ "cjktty" "preempt" ];
 impermanence.enable = true;
 networking.hostname = "pe";
+ sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 };
 hardware =
 {
@@ -660,7 +661,6 @@
 {
 snapper = { enable = true; configs.persistent = "/nix/persistent"; };
 fontconfig.enable = true;
- sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
 sshd.enable = true;
 xrayClient =
 {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 19da529a..2b6fe605 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -24,11 +24,6 @@ inputs:
 };
 kmscon.enable = mkOption { type = types.bool; default = false; };
 fontconfig.enable = mkOption { type = types.bool; default = false; };
- sops =
- {
- enable = mkOption { type = types.bool; default = false; };
- keyPathPrefix = mkOption { type = types.str; default = ""; };
- };
 samba =
 {
 enable = mkOption { type = types.bool; default = false; };
@@ -154,18 +149,6 @@ inputs:
 };
 }
 )
- (
- mkIf services.sops.enable
- {
- sops =
- {
- defaultSopsFile = ../../secrets/${inputs.config.networking.hostName}.yaml;
- # sops start before impermanence, so we need to use the absolute path
- age.sshKeyPaths = [ "${services.sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
- gnupg.sshKeyPaths = [ "${services.sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
- };
- }
- )
 (
 mkIf services.samba.enable
 {
diff --git a/modules/system/default.nix b/modules/system/default.nix
index bc0d1417..76705cad 100644
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@@ -13,6 +13,7 @@ inputs:
 ./networking.nix
 ./systemd.nix
 ./security.nix
+ ./sops.nix
 ];
 config =
 {
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
new file mode 100644
index 00000000..319d79e7
--- /dev/null
+++ b/modules/system/sops.nix
@@ -0,0 +1,22 @@
+inputs:
+{
+ options.nixos.system.sops = let inherit (inputs.lib) mkOption types; in
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ keyPathPrefix = mkOption { type = types.str; default = ""; };
+ };
+ config =
+ let
+ inherit (inputs.lib) mkIf;
+ inherit (inputs.config.nixos.system) sops;
+ in mkIf sops.enable
+ {
+ sops =
+ {
+ defaultSopsFile = ../../secrets/${inputs.config.networking.hostName}.yaml;
+ # sops start before impermanence, so we need to use the absolute path
+ age.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
+ gnupg.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
+ };
+ };
+}
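Review bot: The two options declared in the new sops.nix carry no `description`, and `keyPathPrefix` is interpolated directly into the host-key paths, so the contract the decryption depends on (an absolute directory that already holds `etc/ssh/` when sops runs, written without a trailing slash, with the default `""` meaning the live `/etc/ssh`) lives only in the inline comment on the `age.sshKeyPaths` line. Suggest `keyPathPrefix = mkOption { type = types.str; default = ""; description = "Directory prefixed to the SSH host-key paths sops decrypts with; must be readable before impermanence mounts /etc/ssh and must not end with a slash."; };` plus a one-line description on `enable`. The option moved out of the services module (presumably from `nixos.services.sops`, which the deletion hunk above removes) with no `lib.mkRenamedOptionModule` entry in the `imports` list touched in modules/system/default.nix, so a host config that still sets the old path fails evaluation with an undefined-option error instead of a rename hint; the flake.nix hunks update every host on this page, so this only affects configs outside the repo. Both `age.sshKeyPaths` (ed25519) and `gnupg.sshKeyPaths` (RSA) are configured as decryption keys; if the secrets files are only age-encrypted, dropping the gnupg entry would reduce the set of host keys whose compromise exposes the secrets.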