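# sops-nix wiring for den hosts and users.
#
# Host side (den.ctx.host.includes): every host imports the sops-nix NixOS
# module with ./secrets.yaml as its default secrets file.  The age identity
# used to decrypt host secrets is the host's SSH key (host.sopsHostSshKeyPath)
# when one is configured, otherwise the shared admin age key
# (host.sopsAdminKeyPath).
#
# User side (den.ctx.user.includes): users listed in host.sopsAdminKeyUsers
# get the sops-nix home-manager module and decrypt with the shared admin key.
# They are added to the sops-users group, which is granted traversal of the
# key's parent directory by a systemd-tmpfiles rule.
#
# Security notes for operators:
#   * host.sopsAdminKeyPath is a long-lived secret shared by every user in
#     host.sopsAdminKeyUsers; any of them can decrypt everything encrypted to
#     that age recipient, not just their own secrets.
#   * Only the *directory* mode is managed here (0750 root:sops-users).  The
#     key file itself must be provisioned out of band with a mode the group
#     can read but nobody else can (e.g. 0640 root:sops-users); this module
#     neither checks nor fixes the file's permissions.
#   * A tmpfiles `d` line re-applies owner and mode to a directory that
#     already exists, so the key must live in a dedicated directory.  Pointing
#     sopsAdminKeyPath at a file directly under a shared system directory
#     would re-mode that directory to 0750; the assertion below rejects the
#     obvious cases.
{ den, inputs, lib, ... }:
let
  # Group allowed to traverse the admin key directory.
  sopsReadersGroup = "sops-users";

  # Parent directories that must never have their owner/mode rewritten by the
  # tmpfiles rule below.  Not exhaustive; it catches the mistakes that would
  # break the host or lock users out.
  unsafeKeyDirs = [ "/" "/etc" "/root" "/home" "/var" "/var/lib" "/run" "/tmp" "/nix" "/usr" ];
in
{
  den.ctx.host.includes = [
    (den.lib.perHost (
      { host, ... }:
      let
        # Entries of sopsAdminKeyUsers that do not name a declared host user.
        missingAdminUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sopsAdminKeyUsers;

        # Parent directory of the admin key, or null when no admin key is configured.
        adminKeyDir = if host.sopsAdminKeyPath == null then null else builtins.dirOf host.sopsAdminKeyPath;

        # The readers group must exist whenever the tmpfiles rule names it, not
        # only when admin users are listed; otherwise systemd-tmpfiles cannot
        # resolve the group and the rule is skipped with an error.
        needsReadersGroup = adminKeyDir != null || host.sopsAdminKeyUsers != [ ];
      in
      {
        nixos = {
          imports = [ inputs.sops-nix.nixosModules.sops ];

          sops = {
            defaultSopsFile = ./secrets.yaml;
            # Prefer the host SSH key: it is unique to the machine and is never
            # handed to users.  The shared admin key is the fallback only.
            age =
              if host.sopsHostSshKeyPath != null then
                { sshKeyPaths = [ host.sopsHostSshKeyPath ]; }
              else
                { keyFile = host.sopsAdminKeyPath; };
          };

          users.groups = lib.optionalAttrs needsReadersGroup {
            ${sopsReadersGroup} = { };
          };

          users.users = lib.genAttrs host.sopsAdminKeyUsers (_: {
            extraGroups = [ sopsReadersGroup ];
          });

          # Let group members traverse the key directory.  `d` creates it when
          # missing and adjusts owner/mode when it already exists; the trailing
          # `-` disables age-based cleanup of its contents.
          systemd.tmpfiles.rules = lib.optionals (adminKeyDir != null) [
            "d ${adminKeyDir} 0750 root ${sopsReadersGroup} -"
          ];

          assertions = [
            {
              assertion = host.sopsAdminKeyUsers == [ ] || host.sopsAdminKeyPath != null;
              message = "Hosts with sopsAdminKeyUsers must set sopsAdminKeyPath.";
            }
            {
              assertion = missingAdminUsers == [ ];
              message = "All sopsAdminKeyUsers must exist on the host. Missing: " + lib.concatStringsSep ", " missingAdminUsers;
            }
            {
              # Guard against re-moding a shared system directory via the
              # tmpfiles rule above.
              assertion = adminKeyDir == null || !(builtins.elem adminKeyDir unsafeKeyDirs);
              message = "sopsAdminKeyPath must live in a dedicated directory; its parent '${toString adminKeyDir}' is a shared system directory whose mode would be rewritten to 0750.";
            }
          ];
        };
      }
    ))
  ];

  den.ctx.user.includes = [
    (den.lib.perUser (
      { host, user, ... }:
      # Only admin users get a home-manager sops setup; everyone else is untouched.
      if builtins.elem user.userName host.sopsAdminKeyUsers then
        {
          homeManager = { pkgs, ... }: {
            imports = [ inputs.sops-nix.homeManagerModules.sops ];
            sops = {
              defaultSopsFile = ./secrets.yaml;
              # Shared admin key.  Readable only because the user is in
              # sops-users and the key file is expected to be group-readable
              # (see the header notes); nothing here enforces that.
              age.keyFile = host.sopsAdminKeyPath;
            };
            home.packages = [ pkgs.sops ];
          };
        }
      else
        { }
    ))
  ];
}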