Modules/Agenix: Change to system module

2025-07-09 03:28:52 +02:00
parent f47feb8193
commit 4f6a4dea3e
15 changed files with 34 additions and 45 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,4 +10,4 @@ result
 config/neovim/store
 home/modules/ags/config/types
 home/modules/ags/config/tsconfig.json
-home/modules/agenix/secrets.nix
+system/modules/agenix/secrets.nix
--- a/home/christoph/default.nix
+++ b/home/christoph/default.nix
@ -300,6 +300,25 @@
    file = lib.mkMerge [
      {
        ".ssh/id_ed25519.pub".text = "${publicKeys.${username}.ssh}";
        # The user will be able to decrypt .age files using agenix.
        # On each user/machine, this should generate a corresponding secrets.nix
        "${config.paths.nixflake}/system/modules/agenix/secrets.nix".text = let
          mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
        in ''
          # NOTE: This file will contain keys depending on the host/by which user it was built on.
          {
            ${lib.optionalString
            # If this user defined any secrets...
            (builtins.hasAttr "${username}" nixosConfig.modules.agenix.secrets)
            # ...we will add them to the current secrets.nix,
            # s.t. agenix can be used to encrypt the secret.
            (builtins.concatStringsSep "\n"
              (builtins.map
                (mkSecret publicKeys.${username}.ssh)
                nixosConfig.modules.agenix.secrets.${username}))}
          }
        '';
      }
      (lib.mkIf nixosConfig.modules.desktopportal.termfilechooser.enable {
        ".config/xdg-desktop-portal-termfilechooser/config".text = ''
--- a/home/christoph/nixinator/default.nix
+++ b/home/christoph/nixinator/default.nix
@ -4,7 +4,6 @@
  nixosConfig,
  config,
  lib,
  username,
  ...
 }: {
  imports = [
@ -13,8 +12,6 @@
  config = {
    modules = {
      # agenix.secrets.${username} = [];
      hyprland = {
        kb-layout = "us";
        kb-variant = "altgr-intl";
--- a/home/christoph/servenix/default.nix
+++ b/home/christoph/servenix/default.nix
@ -11,15 +11,6 @@
  ];
  config = {
    modules = {
      agenix.secrets.${username} = [
        "heidi-discord-token"
        "kopia-password"
        "kopia-server-username"
        "kopia-server-password"
      ];
    };
    home.packages = with pkgs; [
      docker-compose
    ];
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@ -3,7 +3,6 @@
    # Obsolete modules are kept in "1_deprecated" for reference.
    # My own HM modules
    ./agenix
    ./beets
    ./chromium
    ./color
--- a/system/modules/agenix/default.nix
+++ b/system/modules/agenix/default.nix
@ -1,6 +1,5 @@
 {
  config,
  nixosConfig,
  lib,
  mylib,
  pkgs,
@ -13,25 +12,9 @@ in {
  options.modules.agenix = import ./options.nix {inherit lib mylib;};
  config = {
-    # The user will be able to decrypt .age files using agenix.
+    # NOTE: See the generated secrets.nix file in home/christoph/default.nix
    # On each user/machine, this should generate a corresponding secrets.nix
    home.file."${config.paths.nixflake}/home/modules/agenix/secrets.nix".text = let
      mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
    in ''
      # NOTE: This file will contain keys depending on the host/by which user it was built on.
      {
        ${lib.optionalString
        # If this user defined any secrets...
        (builtins.hasAttr "${username}" agenix.secrets)
        # ...we will add them to the current secrets.nix,
        # s.t. agenix can be used to encrypt the secret.
        (builtins.concatStringsSep "\n"
          (builtins.map
            (mkSecret publicKeys.${username}.ssh)
            agenix.secrets.${username}))}
      }
    '';
    # Register generated secrets to the age system module
    age.secrets = let
      mkSecretIfExists = name:
      # If this user has already encrypted the secret...
--- a/system/modules/agenix/heidi-discord-token.age
+++ b/system/modules/agenix/heidi-discord-token.age
--- a/system/modules/agenix/kopia-password.age
+++ b/system/modules/agenix/kopia-password.age
--- a/system/modules/agenix/kopia-server-password.age
+++ b/system/modules/agenix/kopia-server-password.age
--- a/system/modules/agenix/kopia-server-username.age
+++ b/system/modules/agenix/kopia-server-username.age
--- a/system/modules/agenix/options.nix
+++ b/system/modules/agenix/options.nix
@ -2,13 +2,7 @@
  lib,
  mylib,
  ...
-}: let
+}: {
  mkSecret = file:
    lib.mkOption {
      type = lib.types.path;
      default = file;
    };
 in {
  secrets = lib.mkOption {
    type = lib.types.attrs;
    description = "The secret files managed by agenix (and their associated keys)";
@ -25,9 +19,4 @@ in {
    default = {};
  };
  heidi-discord-token = mkSecret ./heidi-discord-token.age;
  kopia-user-password = mkSecret ./kopia-user-password.age;
  kopia-server-user = mkSecret ./kopia-server-user.age;
  kopia-server-password = mkSecret ./kopia-server-password.age;
 }
--- a/system/modules/agenix/void.age
+++ b/system/modules/agenix/void.age
--- a/system/modules/default.nix
+++ b/system/modules/default.nix
@ -1,5 +1,6 @@
 {...}: {
  imports = [
    ./agenix
    ./bootloader
    ./desktopportal
    ./docker
--- a/system/nixinator/default.nix
+++ b/system/nixinator/default.nix
@ -1,6 +1,7 @@
 {
  mylib,
  pkgs,
  username,
  ...
 }: {
  imports = [
@ -11,6 +12,8 @@
  ];
  modules = {
    # agenix.secrets.${username} = [];
    network = {
      useNetworkManager = true;
--- a/system/servenix/default.nix
+++ b/system/servenix/default.nix
@ -36,6 +36,13 @@
  ];
  modules = {
    agenix.secrets.${username} = [
      "heidi-discord-token"
      "kopia-password"
      "kopia-server-username"
      "kopia-server-password"
    ];
    network = {
      useNetworkManager = false;