# NixOS module: wires sops-nix into the system and tells it which keys may be
# used to decrypt the repository's secrets file.
{
  inputs,
  config,
  ...
}: let
  # Only the ed25519 entries of the configured OpenSSH host keys are handed to
  # sops-nix; every other host key type is filtered out.
  ed25519HostKeys =
    builtins.filter
    (hostKey: hostKey.type == "ed25519")
    config.services.openssh.hostKeys;
in {
  imports = [inputs.sops-nix.nixosModules.sops];

  sops = {
    # Path literal: the file is copied into the Nix store, so it must only ever
    # contain sops-encrypted values, never plaintext.
    defaultSopsFile = ../secrets.yaml;

    age = {
      # Private host key paths that sops-nix uses as age identities.
      sshKeyPaths = map (hostKey: hostKey.path) ed25519HostKeys;

      # TODO: remove? Rely only on SSH or PGP keys (e.g. a YubiKey, as Misterio does).
      # NOTE(review): this identity lives in a user's home directory, so anyone who
      # can act as that user can read it and decrypt every secret encrypted to it.
      # Confirm the file's owner and mode, or drop it in favour of the host keys.
      keyFile = "/home/julian/.config/sops/age/keys.txt";

      # Never auto-generate an age key when none of the identities above exists.
      # Generating one would let the build go through, just without secrets.
      # TODO: decide whether building should work without secrets at all.
      generateKey = false;
    };
  };
}