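{
  # Snowfall Lib provides a customized `lib` instance with access to your flake's library
  # as well as the libraries available from your flake's inputs.
  lib,
  # An instance of `pkgs` with your overlays and packages applied is also available.
  pkgs,
  # You also have access to your flake's inputs.
  inputs,

  # Additional metadata is provided by Snowfall Lib.
  namespace, # The namespace used for your flake, defaulting to "internal" if not set.
  system, # The system architecture for this host (eg. `x86_64-linux`).
  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
  format, # A normalized name for the system target (eg. `iso`).
  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
  systems, # An attribute map of your defined hosts.

  # All other arguments come from the module system.
  config,
  ...
}:

# NixOS module wiring sops-nix secrets into this host.
# Enabled via `modules.sops.enable`; when enabled it declares the age
# decryption identities and the set of secrets to be materialised at activation.
let
  cfg = config.modules.sops;
in
{
  options.modules.sops = {
    # Typed boolean with a description. The previous `lib.mkOption { default = false; }`
    # carried no `type`, so the module system could neither validate the value nor
    # merge definitions from several modules; `mkEnableOption` is the conventional form
    # and still defaults to false.
    enable = lib.mkEnableOption "sops-nix secret management for this host";
  };

  config = lib.mkIf cfg.enable {
    # Default encrypted store; individual secrets below override `sopsFile` where needed.
    sops.defaultSopsFile = ../../../secrets/secrets.yaml;
    sops.defaultSopsFormat = "yaml";

    # Decryption identities, in the order sops-nix consults them:

    # 1. Age identity derived from the host's ssh ed25519 key. The host key is
    #    root-only and exists before any user session, so this is the identity
    #    that should be relied on; every secret must be encrypted to the
    #    corresponding age recipient (see `ssh-to-age`) for this to work.
    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # 2. A pre-existing age key file.
    #    NOTE(review): this path lives inside a user's home directory. Anything
    #    running as that user can read (and, since the directory is user-owned,
    #    replace) a key able to decrypt every secret declared here — including
    #    the `password/*` entries for other accounts — so the key effectively
    #    hands that account root-equivalent access to the secrets. /home may also
    #    not be mounted yet when `neededForUsers` secrets are decrypted early in
    #    activation. A root-owned location such as `/var/lib/sops-nix/key.txt`
    #    (the sops-nix default) is the safer choice; confirm nothing else on the
    #    host depends on this path before changing it.
    sops.age.keyFile = "/home/julian/.config/sops/age/keys.txt";

    # 3. Generate a key at `keyFile` if none exists. A freshly generated key is
    #    not a recipient in secrets.yaml, so secrets remain undecryptable with it
    #    until the files are re-encrypted to its public key (`sops updatekeys`);
    #    whether activation then fails or proceeds without secrets depends on
    #    sops-nix's handling of decryption errors — verify on a fresh host.
    sops.age.generateKey = true;

    # Declared secrets. Each becomes a file under /run/secrets/ (or
    # /run/secrets-for-users/ for `neededForUsers` entries), root-owned and
    # read-only to the owner unless `owner`/`group`/`mode` say otherwise.

    # VNC password blob, readable only by the interactive user. `format = "binary"`
    # because the whole file is the secret rather than a YAML key.
    sops.secrets."vnc-passwd" = {
      owner = config.users.users.julian.name;
      sopsFile = ../../../secrets/vnc-passwd;
      format = "binary";
    };

    # Wi-Fi credential; default ownership (root) is appropriate since the
    # network manager reads it with root privileges.
    sops.secrets."wifi/pianonix" = { };

    # Account password hashes. `neededForUsers` makes sops-nix decrypt these
    # before users are created so they can be referenced from
    # `users.users.<name>.hashedPasswordFile` (presumably the consumer here;
    # verify). The stored value must be a password *hash*, never plaintext.
    sops.secrets."password/aspi" = {
      neededForUsers = true; # necessary for setting password
    };
    sops.secrets."password/pianonix" = {
      neededForUsers = true; # necessary for setting password
    };

    # Syncthing device identity for this host plus the peers' public keys.
    # NOTE(review): with no `owner`/`group` set these are root-only (0400);
    # if the syncthing service runs under its own account it will be unable
    # to read the key and cert — confirm how the service module consumes them.
    sops.secrets."syncthing/pianonix/key" = { };
    sops.secrets."syncthing/pianonix/cert" = { };
    sops.secrets."syncthing/public-keys/aspi-nix" = { };
    sops.secrets."syncthing/public-keys/pianonix" = { };
  };
}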