From 30eaefc1d1ff8e1f081f436c3dcc733664f3d4fc Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sun, 26 Sep 2021 19:19:35 +0200
Subject: [PATCH] modules: secrets: add 'owner' logic
---
 machines/porthos/default.nix | 1 -
 machines/porthos/secrets.nix | 8 --------
 modules/secrets/default.nix | 9 ++++++---
 modules/secrets/secrets.nix | 6 +++++-
 4 files changed, 11 insertions(+), 13 deletions(-)
 delete mode 100644 machines/porthos/secrets.nix
diff --git a/machines/porthos/default.nix b/machines/porthos/default.nix
index eb9f207..abfc01a 100644
--- a/machines/porthos/default.nix
+++ b/machines/porthos/default.nix
@@ -6,7 +6,6 @@
 ./boot.nix
 ./hardware.nix
 ./networking.nix
- ./secrets.nix
 ./services.nix
 ./users.nix
 ];
diff --git a/machines/porthos/secrets.nix b/machines/porthos/secrets.nix
deleted file mode 100644
index d89a917..0000000
--- a/machines/porthos/secrets.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-# Secrets configuration
-{ ... }:
-{
- config.age.secrets = {
- # Must be readable by the service
- "nextcloud/password".owner = "nextcloud";
- };
-}
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 62ed854..eb17892 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -1,4 +1,4 @@
-{ inputs, lib, options, ... }:
+{ config, inputs, lib, options, ... }:
 {
 imports = [
@@ -9,9 +9,12 @@
 secrets =
 let
 toName = lib.removeSuffix ".age";
- toSecret = name: _: {
+ userExists = u: builtins.hasAttr u config.users.users;
+ # Only set the user if it exists, to avoid warnings
+ userIfExists = u: if userExists u then u else "root";
+ toSecret = name: { owner ? "root", ... }: {
 file = ./. + "/${name}";
- owner = lib.mkDefault "root";
+ owner = lib.mkDefault (userIfExists owner);
 };
 convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
 secrets = import ./secrets.nix;
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index dcaa6d6..3737509 100644
--- a/modules/secrets/secrets.nix
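Review bot: In the `@@ -9,9 +9,12 @@` hunk of modules/secrets/default.nix, `userIfExists` silently substitutes `root` whenever the requested owner is not in `config.users.users`, so a misspelled owner in secrets.nix (or a service module that was not imported on this host) leaves the secret readable only by root and the service failing at runtime, with nothing at evaluation time pointing at the cause. Falling back to root rather than loosening the mode is the right fail-closed direction for hosts that do not run the service, so keep the behaviour but make the security intent explicit, since `# Only set the user if it exists, to avoid warnings` says what is avoided rather than why root is safe: replace it with `# Fall back to root when the owner is not a user on this host (the service is not configured here, so only root may read the secret). A misspelled owner therefore fails closed instead of leaking, but also silently breaks the service — check the name against users.users.` If the warning being avoided comes from agenix or the users module rather than from the chown at activation, naming it in that comment would help the next reader too. Note that `builtins.hasAttr u config.users.users` forces the attribute names of `users.users` from inside an `age.secrets` definition; this is presumably fine as long as no module derives user names from `config.age`, but that assumption is not visible here. The let block continues past the last context line (`secrets = import ./secrets.nix;`), so the `in` body that consumes `convertSecrets` is outside the hunk.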
+++ b/modules/secrets/secrets.nix
@@ -27,7 +27,11 @@ in
 "monitoring/password.age".publicKeys = all;
- "nextcloud/password.age".publicKeys = all;
+ "nextcloud/password.age" = {
+ # Must be readable by the service
+ owner = "nextcloud";
+ publicKeys = all;
+ };
 "paperless/password.age".publicKeys = all;
 "paperless/secret-key.age".publicKeys = all;