lux/modules/secrets/sops.nix

{
  inputs,
  config,
  ...
}:
let
  nixosModules = config.flake.modules.nixos;
  sopsAdminKeyPath = "/var/lib/sops/keys.txt";
in
{
  flake.modules.nixos.sops = {
    imports = [ inputs.sops-nix.nixosModules.sops ];

    sops.defaultSopsFile = ./secrets.yaml;
  };

  flake.modules.nixos.sops-admin-key-file =
    { lib, ... }:
    let
      adminKeyDir = builtins.dirOf sopsAdminKeyPath;
    in
    {
      imports = [ nixosModules.sops ];

      sops.age.keyFile = sopsAdminKeyPath;

      systemd.tmpfiles.rules = [
        "d ${adminKeyDir} 0750 root wheel -"
        "z ${sopsAdminKeyPath} 0640 root wheel -"
      ];
    };

  flake.modules.nixos.sops-host-ssh-key = {
    imports = [ nixosModules.sops ];

    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  flake.modules.homeManager.sops =
    {
      pkgs,
      ...
    }:
    {
      imports = [ inputs.sops-nix.homeManagerModules.sops ];

      sops = {
        defaultSopsFile = ./secrets.yaml;
        age.keyFile = sopsAdminKeyPath;
      };

      home.sessionVariables.SOPS_AGE_KEY_FILE = sopsAdminKeyPath;
      home.packages = [ pkgs.sops ];
    };
}