home: add home-manager specific secrets module

2021-02-20 15:20:27 +00:00 · 2021-02-20 15:20:27 +00:00 · 44cbc123e6
parent 5e7c2356fa
commit 44cbc123e6
4 changed files with 23 additions and 0 deletions
--- a/home/default.nix
+++ b/home/default.nix
@ -8,6 +8,7 @@
    ./jq.nix
    ./packages.nix
    ./pager.nix
+    ./secrets # Home-manager specific secrets
    ./tmux.nix
    ./zsh
  ];
--- a/home/secrets/.gitattributes
+++ b/home/secrets/.gitattributes
@ -0,0 +1,3 @@
+* filter=git-crypt diff=git-crypt
+.gitattributes !filter !diff
+/default.nix !filter !diff
--- a/home/secrets/canary
+++ b/home/secrets/canary
--- a/home/secrets/default.nix
+++ b/home/secrets/default.nix
@ -0,0 +1,19 @@
+{ lib, pkgs, ... }:
+
+with lib;
+let
+  canaryHash = builtins.hashFile "sha256" ./canary;
+  expectedHash =
+    "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
+in
+if canaryHash != expectedHash then
+  abort "Secrets are not readable. Have you run `git-crypt unlock`?"
+else {
+  options.my.secrets = mkOption {
+    type = types.attrs;
+  };
+
+  config.my.secrets = {
+    # Home-manager secrets go here
+  };
+}