modules: secrets: add 'owner' logic

machines/porthos/default.nix

@@ -6,7 +6,6 @@
     ./boot.nix
     ./hardware.nix
     ./networking.nix
-    ./secrets.nix
     ./services.nix
     ./users.nix
   ];

machines/porthos/secrets.nix

@@ -1,8 +0,0 @@
-# Secrets configuration
-{ ... }:
-{
-  config.age.secrets = {
-    # Must be readable by the service
-    "nextcloud/password".owner = "nextcloud";
-  };
-}

modules/secrets/default.nix

@@ -1,4 +1,4 @@
-{ inputs, lib, options, ... }:
+{ config, inputs, lib, options, ... }:
 
 {
   imports = [
@@ -9,9 +9,12 @@
     secrets =
       let
         toName = lib.removeSuffix ".age";
-        toSecret = name: _: {
+        userExists = u: builtins.hasAttr u config.users.users;
+        # Only set the user if it exists, to avoid warnings
+        userIfExists = u: if userExists u then u else "root";
+        toSecret = name: { owner ? "root", ... }: {
           file = ./. + "/${name}";
-          owner = lib.mkDefault "root";
+          owner = lib.mkDefault (userIfExists owner);
         };
         convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
         secrets = import ./secrets.nix;

modules/secrets/secrets.nix

@@ -27,7 +27,11 @@ in
 
   "monitoring/password.age".publicKeys = all;
 
-  "nextcloud/password.age".publicKeys = all;
+  "nextcloud/password.age" = {
+    # Must be readable by the service
+    owner = "nextcloud";
+    publicKeys = all;
+  };
 
   "paperless/password.age".publicKeys = all;
   "paperless/secret-key.age".publicKeys = all;