fix: restore local-session HM routing and update shared sops key path

2026-04-17 01:26:38 +02:00
parent 9af07bedff
commit b04bd5e61e
7 changed files with 25 additions and 3 deletions
--- a/modules/bundles.nix
+++ b/modules/bundles.nix
@@ -24,6 +24,21 @@
    ];
  };

+  lux.bundles._.local-session-user = {
+    includes = with lux; [
+      nix
+      niri
+      clipboard
+      local-apps
+      pinentry
+      qbittorrent-client
+      vicinae
+      xdg
+      theme
+      noctalia
+    ];
+  };
+
  lux.bundles._.development = {
    includes = with lux; [
      git
--- a/modules/hosts/polaris/default.nix
+++ b/modules/hosts/polaris/default.nix
@@ -5,6 +5,7 @@

    provides.kiri = {
      includes = with lux; [
+        bundles._.local-session-user
        bitwarden
        email
        pim
--- a/modules/hosts/zenith/default.nix
+++ b/modules/hosts/zenith/default.nix
@@ -5,6 +5,7 @@

    provides.kiri = {
      includes = with lux; [
+        bundles._.local-session-user
        bitwarden
        email
        pim
--- a/modules/infra.nix
+++ b/modules/infra.nix
@@ -1,6 +1,6 @@
 let
  serviceDomain = "jelles.net";
-  adminKeyPath = "/var/lib/sops-nix/admin-key.txt";
+  adminKeyPath = "/var/lib/sops/keys.txt";

  sharedIdentity = {
    realName = "Jelle Spreeuwenberg";
--- a/modules/secrets/sops.nix
+++ b/modules/secrets/sops.nix
@@ -8,6 +8,7 @@ in
      { host, ... }:
      let
        missingAdminUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sopsAdminKeyUsers;
+        hasSharedAdminKey = host.sopsAdminKeyPath != null && host.sopsAdminKeyUsers != [ ];
        adminKeyDir = if host.sopsAdminKeyPath == null then null else builtins.dirOf host.sopsAdminKeyPath;
      in
      {
@@ -27,7 +28,7 @@ in
                };
          };

-          users.groups = lib.optionalAttrs (host.sopsAdminKeyUsers != [ ]) {
+          users.groups = lib.optionalAttrs hasSharedAdminKey {
            ${sopsReadersGroup} = { };
          };

@@ -35,8 +36,9 @@ in
            extraGroups = [ sopsReadersGroup ];
          });

-          systemd.tmpfiles.rules = lib.optionals (adminKeyDir != null) [
+          systemd.tmpfiles.rules = lib.optionals hasSharedAdminKey [
            "d ${adminKeyDir} 0750 root ${sopsReadersGroup} -"
+            "z ${host.sopsAdminKeyPath} 0640 root ${sopsReadersGroup} -"
          ];

          assertions = [