hosts: nixos: add host-specific secrets module

This is the same logic as the common module, but for secrets that don't
need to be shared to different hosts.

hosts/nixos/aramis/default.nix

@@ -12,6 +12,7 @@
     ./networking.nix
     ./profiles.nix
     ./programs.nix
+    ./secrets
     ./services.nix
     ./sound.nix
   ];

hosts/nixos/aramis/secrets/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toName = lib.removeSuffix ".age";
+        userExists = u: builtins.hasAttr u config.users.users;
+        # Only set the user if it exists, to avoid warnings
+        userIfExists = u: if userExists u then u else "root";
+        toSecret = name: { owner ? "root", ... }: {
+          file = ./. + "/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+        convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+        secrets = import ./secrets.nix;
+      in
+      lib.mapAttrs' convertSecrets secrets;
+  };
+}

hosts/nixos/aramis/secrets/secrets.nix

@@ -0,0 +1,13 @@
+# Host-specific secrets
+let
+  keys = import ../../../../keys;
+
+  all = [
+    # This host is a laptop, it does not have a host key
+    # Allow me to modify the secrets anywhere
+    keys.users.ambroisie
+  ];
+in
+{
+  # Add secrets here
+}

hosts/nixos/porthos/default.nix

@@ -7,6 +7,7 @@
     ./hardware.nix
     ./home.nix
     ./networking.nix
+    ./secrets
     ./services.nix
     ./users.nix
   ];

hosts/nixos/porthos/secrets/default.nix

@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toName = lib.removeSuffix ".age";
+        userExists = u: builtins.hasAttr u config.users.users;
+        # Only set the user if it exists, to avoid warnings
+        userIfExists = u: if userExists u then u else "root";
+        toSecret = name: { owner ? "root", ... }: {
+          file = ./. + "/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+        convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+        secrets = import ./secrets.nix;
+      in
+      lib.mapAttrs' convertSecrets secrets;
+  };
+}

hosts/nixos/porthos/secrets/secrets.nix

@@ -0,0 +1,14 @@
+# Host-specific secrets
+let
+  keys = import ../../../../keys;
+
+  all = [
+    # Host key
+    keys.hosts.porthos
+    # Allow me to modify the secrets anywhere
+    keys.users.ambroisie
+  ];
+in
+{
+  # Add secrets here
+}

modules/secrets/secrets.nix

@@ -1,3 +1,4 @@
+# Common secrets
 let
   keys = import ../../keys;