{ inputs, ... }:
let
  # Age identity used on non-server hosts.  The same file is read both by the
  # NixOS sops module (as root) and by the home-manager module below (as the
  # admin user), which is why the tmpfiles rules grant group access rather
  # than keeping the key root-only.
  sopsAdminKeyPath = "/var/lib/sops/keys.txt";
  sopsAdminKeyDir = builtins.dirOf sopsAdminKeyPath;

  # On servers the host's ed25519 SSH key serves as the age identity instead
  # of a separately provisioned key file.
  hostSshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
in
{
  # NixOS module: choose the age identity from the host role.
  #   host.isServer = true  -> sshKeyPaths (host SSH key)
  #   host.isServer = false -> keyFile     (shared admin key), plus tmpfiles
  # `host` defaults to a workstation when the caller does not pass it.
  flake.modules.nixos.sopsHost =
    { lib, host ? { isServer = false; }, ... }:
    let
      isServer = host.isServer;
    in
    {
      imports = [ inputs.sops-nix.nixosModules.sops ];

      sops = {
        defaultSopsFile = ./secrets.yaml;
        # Exactly one of the two identity sources is set, never both.
        age =
          if isServer then
            { sshKeyPaths = hostSshKeyPaths; }
          else
            { keyFile = sopsAdminKeyPath; };
      };

      # Workstations only: create the key directory and fix up the key's mode.
      # NOTE(review): 0640 root:wheel makes the age private key readable by
      # every wheel member, not only the intended admin account — an accepted
      # widening so the home-manager module can read the same file.  `z`
      # adjusts an existing file's mode/ownership; it does not create the key,
      # so provisioning it is still a manual step.
      systemd.tmpfiles.rules = lib.optionals (!isServer) [
        "d ${sopsAdminKeyDir} 0750 root wheel -"
        "z ${sopsAdminKeyPath} 0640 root wheel -"
      ];
    };

  # Home-manager module for the admin user: same key file as the NixOS side,
  # also exported through SOPS_AGE_KEY_FILE for the `sops` CLI.
  flake.modules.homeManager.sopsAdmin =
    { pkgs, ... }:
    {
      imports = [ inputs.sops-nix.homeManagerModules.sops ];

      sops = {
        defaultSopsFile = ./secrets.yaml;
        age.keyFile = sopsAdminKeyPath;
      };

      home.sessionVariables.SOPS_AGE_KEY_FILE = sopsAdminKeyPath;
      home.packages = [ pkgs.sops ];
    };
}