hosts: nixos: add host-specific secrets module

This is the same logic as the common module, but for secrets that don't need to be shared to different hosts.
2023-04-13 16:48:37 +00:00 · 2023-04-13 16:48:37 +00:00 · 57008bcb7c
parent 34a3f9a0d6
commit 57008bcb7c
7 changed files with 70 additions and 0 deletions
--- a/hosts/nixos/aramis/default.nix
+++ b/hosts/nixos/aramis/default.nix
@ -12,6 +12,7 @@
    ./networking.nix
    ./profiles.nix
    ./programs.nix
+    ./secrets
    ./services.nix
    ./sound.nix
  ];
--- a/hosts/nixos/aramis/secrets/default.nix
+++ b/hosts/nixos/aramis/secrets/default.nix
@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toName = lib.removeSuffix ".age";
+        userExists = u: builtins.hasAttr u config.users.users;
+        # Only set the user if it exists, to avoid warnings
+        userIfExists = u: if userExists u then u else "root";
+        toSecret = name: { owner ? "root", ... }: {
+          file = ./. + "/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+        convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+        secrets = import ./secrets.nix;
+      in
+      lib.mapAttrs' convertSecrets secrets;
+  };
+}
--- a/hosts/nixos/aramis/secrets/secrets.nix
+++ b/hosts/nixos/aramis/secrets/secrets.nix
@ -0,0 +1,13 @@
+# Host-specific secrets
+let
+  keys = import ../../../../keys;
+
+  all = [
+    # This host is a laptop, it does not have a host key
+    # Allow me to modify the secrets anywhere
+    keys.users.ambroisie
+  ];
+in
+{
+  # Add secrets here
+}
--- a/hosts/nixos/porthos/default.nix
+++ b/hosts/nixos/porthos/default.nix
@ -7,6 +7,7 @@
    ./hardware.nix
    ./home.nix
    ./networking.nix
+    ./secrets
    ./services.nix
    ./users.nix
  ];
--- a/hosts/nixos/porthos/secrets/default.nix
+++ b/hosts/nixos/porthos/secrets/default.nix
@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+{
+  config.age = {
+    secrets =
+      let
+        toName = lib.removeSuffix ".age";
+        userExists = u: builtins.hasAttr u config.users.users;
+        # Only set the user if it exists, to avoid warnings
+        userIfExists = u: if userExists u then u else "root";
+        toSecret = name: { owner ? "root", ... }: {
+          file = ./. + "/${name}";
+          owner = lib.mkDefault (userIfExists owner);
+        };
+        convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+        secrets = import ./secrets.nix;
+      in
+      lib.mapAttrs' convertSecrets secrets;
+  };
+}
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@ -0,0 +1,14 @@
+# Host-specific secrets
+let
+  keys = import ../../../../keys;
+
+  all = [
+    # Host key
+    keys.hosts.porthos
+    # Allow me to modify the secrets anywhere
+    keys.users.ambroisie
+  ];
+in
+{
+  # Add secrets here
+}
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -1,3 +1,4 @@
+# Common secrets
 let
  keys = import ../../keys;