Modules/Agenix: Change to system module

2025-07-09 03:28:52 +02:00
parent f47feb8193
commit 4f6a4dea3e
15 changed files with 34 additions and 45 deletions
--- a/system/modules/agenix/default.nix
+++ b/system/modules/agenix/default.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  mylib,
+  pkgs,
+  username,
+  publicKeys,
+  ...
+}: let
+  inherit (config.modules) agenix;
+in {
+  options.modules.agenix = import ./options.nix {inherit lib mylib;};
+
+  config = {
+    # NOTE: See the generated secrets.nix file in home/christoph/default.nix
+
+    # Register generated secrets to the age system module
+    age.secrets = let
+      mkSecretIfExists = name:
+      # If this user has already encrypted the secret...
+        if builtins.pathExists ./${name}.age
+        # ...we will register it with age...
+        then {${name}.file = ./${name}.age;}
+        # ...otherwise we link to a bogus file.
+        else {${name}.file = ./void.age;};
+    in
+      lib.mkIf
+      # If this user defined any secrets...
+      (builtins.hasAttr "${username}" agenix.secrets)
+      # ...we will register all secrets files that have already been generated.
+      (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
+  };
+}
--- a/system/modules/agenix/heidi-discord-token.age
+++ b/system/modules/agenix/heidi-discord-token.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 PW+5DQ 2vardSYoPFvDEw4TiKSXntAJmChcVu9X+nD1+rCac1c
+mbx9xEy0vkQvl6HqLcFTk3qrsUpDAUuKD6GnJGa9elc
+--- vKkGWdp/anMV2VzwJEEHeWNUjv/SkzjYOIljRK6ExbI
+<EFBFBD>Ҥ<11><>v<0B><>LH<4C><48>l<EFBFBD>|<7C>><3E><><EFBFBD>Mcso<73>{j<>S<EFBFBD><53><EFBFBD>_<EFBFBD><5F>'<27>Ќ<EFBFBD>WlÅ<6C>_i<5F>M<15>Y<EFBFBD><59><EFBFBD><EFBFBD><EFBFBD><EFBFBD>VV<><56>s<EFBFBD>,D%<25>-&+<2B><><EFBFBD><EFBFBD>i<EFBFBD><69>T<EFBFBD>P"<16>g
--- a/system/modules/agenix/kopia-password.age
+++ b/system/modules/agenix/kopia-password.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 PW+5DQ Wm5RTSiZ/ndp6l6q2T43wrHiMnyP/FqDzUsl29TYoQc
+ti4Pc/+g+6618wOQAb+28bNt87A8f3gRFzCaMlNKpP4
+--- aRzLWmbnb7MqPVDSTYLqCIDHqaj0fu3JVp4ES93xZ9I
+B6<42><<3C>
+I<>mj<6D><6A><EFBFBD><EFBFBD><1B>L<EFBFBD><06>N<EFBFBD><4E><EFBFBD><EFBFBD>-e<>![<5B>'y_<79>aI<61><49>
--- a/system/modules/agenix/kopia-server-password.age
+++ b/system/modules/agenix/kopia-server-password.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 PW+5DQ ZeBpvImtTWyKOxlCh573CNitT2z1OX2PgHAzLB/RTzg
+jx7n2REzbCJ9zr2TQHSvEz7lUZap5J2mjHNx710L49w
+--- kdRUEg3IOfjUfAgPEMj7MdiGftxVptPeC/Mbh5qWf8c
+<EFBFBD><EFBFBD>
+<EFBFBD><03>#N'<27>(:a<><61>a<EFBFBD>]<5D><>g<EFBFBD>Po<50><6F><EFBFBD><EFBFBD><EFBFBD>[<5B><>=n<>
--- a/system/modules/agenix/kopia-server-username.age
+++ b/system/modules/agenix/kopia-server-username.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 PW+5DQ V2ejrKdFVeO7nNqkRqa3nSnz8MKlHyZcQ+T1NRfntSw
+t79YI5ZFtW0k6IZRB5VMjy7st+WlhONTFyVF/tvPaKk
+--- Cz4XV8J+oM6q6bVq6uXXUUvW/BqBL0agNzmobzcu2Kc
+<EFBFBD><EFBFBD>{*$<24>c<EFBFBD><63>̨&Z<>uthF<68><11><><EFBFBD><EFBFBD>[<5B>T<EFBFBD>%?<3F><><EFBFBD>?|*<2A>`<60>^O<>
--- a/system/modules/agenix/options.nix
+++ b/system/modules/agenix/options.nix
@ -0,0 +1,22 @@
+{
+  lib,
+  mylib,
+  ...
+}: {
+  secrets = lib.mkOption {
+    type = lib.types.attrs;
+    description = "The secret files managed by agenix (and their associated keys)";
+    example = ''
+      {
+        christoph = [
+          "heidi-discord-token"
+          "kopia-password"
+          "kopia-server-username"
+          "kopia-server-password"
+        ];
+      }
+    '';
+
+    default = {};
+  };
+}
--- a/system/modules/agenix/void.age
+++ b/system/modules/agenix/void.age
@ -0,0 +1 @@
+This secret has not been generated.
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@ -1,5 +1,6 @@
 {...}: {
  imports = [
+    ./agenix
    ./bootloader
    ./desktopportal
    ./docker