kiri/lux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Jelle Spreeuwenberg
2026-04-17 00:27:22 +02:00
commit 9af07bedff
80 changed files with 5389 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
modules/secrets/sops.nix Normal file
View File

@@ -0,0 +1,81 @@
{ den, inputs, lib, ... }:
let
sopsReadersGroup = "sops-users";
in
{
den.ctx.host.includes = [
(den.lib.perHost (
{ host, ... }:
let
missingAdminUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sopsAdminKeyUsers;
adminKeyDir = if host.sopsAdminKeyPath == null then null else builtins.dirOf host.sopsAdminKeyPath;
in
{
nixos = {
imports = [ inputs.sops-nix.nixosModules.sops ];
sops = {
defaultSopsFile = ./secrets.yaml;
age =
if host.sopsHostSshKeyPath != null then
{
sshKeyPaths = [ host.sopsHostSshKeyPath ];
}
else
{
keyFile = host.sopsAdminKeyPath;
};
};
users.groups = lib.optionalAttrs (host.sopsAdminKeyUsers != [ ]) {
${sopsReadersGroup} = { };
};
users.users = lib.genAttrs host.sopsAdminKeyUsers (_: {
extraGroups = [ sopsReadersGroup ];
});
systemd.tmpfiles.rules = lib.optionals (adminKeyDir != null) [
"d ${adminKeyDir} 0750 root ${sopsReadersGroup} -"
];
assertions = [
{
assertion = host.sopsAdminKeyUsers == [ ] || host.sopsAdminKeyPath != null;
message = "Hosts with sopsAdminKeyUsers must set sopsAdminKeyPath.";
}
{
assertion = missingAdminUsers == [ ];
message =
"All sopsAdminKeyUsers must exist on the host. Missing: "
+ lib.concatStringsSep ", " missingAdminUsers;
}
];
};
}
))
];
den.ctx.user.includes = [
(den.lib.perUser (
{ host, user, ... }:
if builtins.elem user.userName host.sopsAdminKeyUsers then
{
homeManager =
{ pkgs, ... }:
{
imports = [ inputs.sops-nix.homeManagerModules.sops ];
sops = {
defaultSopsFile = ./secrets.yaml;
age.keyFile = host.sopsAdminKeyPath;
};
home.packages = [ pkgs.sops ];
};
}
else
{ }
))
];
}