diff --git a/.gitignore b/.gitignore
index 0efb26f8..bdadadf9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ result
 config/neovim/store
 home/modules/ags/config/types
 home/modules/ags/config/tsconfig.json
+home/modules/agenix/secrets.nix
diff --git a/home/modules/agenix/default.nix b/home/modules/agenix/default.nix
new file mode 100644
index 00000000..d75c2829
--- /dev/null
+++ b/home/modules/agenix/default.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ nixosConfig,
+ lib,
+ mylib,
+ pkgs,
+ username,
+ publicKeys,
+ ...
+}: let
+ inherit (config.modules) agenix;
+in {
+ options.modules.agenix = import ./options.nix {inherit lib mylib;};
+
+ config = {
+ # The user will be able to decrypt .age files using agenix.
+ # On each user/machine, this should generate a corresponding secrets.nix
+ home.file."${config.paths.nixflake}/home/modules/agenix/secrets.nix".text = let
+ mkSecret = key: name: "\"${name}.age\".publicKeys = [\"${key}\"];";
+ in ''
+ # NOTE: This file will contain keys depending on the host/by which user it was built on.
+ {
+ ${lib.optionalString
+ # If this user defined any secrets...
+ (builtins.hasAttr "${username}" agenix.secrets)
+ # ...we will add them to the current secrets.nix,
+ # s.t. agenix can be used to encrypt the secret.
+ (builtins.concatStringsSep "\n"
+ (builtins.map
+ (mkSecret publicKeys.${username}.ssh)
+ agenix.secrets.${username}))}
+ }
+ '';
+
+ age.secrets = let
+ mkSecretIfExists = name:
+ # If this user has already encrypted the secret...
+ if builtins.pathExists ./${name}.age
+ # ...we will register it with age...
+ then {${name}.file = ./${name}.age;}
+ # ...otherwise we link to a bogus file.
+ else {${name}.file = ./void.age;};
+ in
+ lib.mkIf
+ # If this user defined any secrets...
+ (builtins.hasAttr "${username}" agenix.secrets)
+ # ...we will register all secrets files that have already been generated.
+ (lib.mkMerge (builtins.map mkSecretIfExists agenix.secrets.${username}));
+ };
+}
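Review bot: The fallback `else {${name}.file = ./void.age;}` in `mkSecretIfExists` registers a file whose content (`This secret has not been generated.`, added in the void.age hunk) is not age ciphertext, so on any host where a listed secret has not been generated yet agenix will try to decrypt a plaintext placeholder at activation; whether the home-manager module aborts activation or only warns on that failure is not visible here and should be confirmed before relying on it. If the placeholder exists only so that `config.age.secrets.<name>.path` stays defined for consumers, state that next to the `else` branch, e.g. `# void.age is NOT valid ciphertext: decryption fails at activation; it is registered only so that age.secrets.<name>.path evaluates before the real secret exists`; otherwise skipping the registration with `builtins.filter (name: builtins.pathExists ./${name}.age)` before the `builtins.map` is the safer default. Separately, `secrets` is typed `lib.types.attrs` (options.nix hunk), so `name` is interpolated into `./${name}.age` unchecked; a constrained type there would keep path lookups inside this directory. `publicKeys.${username}.ssh` is also dereferenced without a guard, so a user listed in `agenix.secrets` but absent from `publicKeys` fails evaluation with an attribute-missing error rather than a readable message.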
diff --git a/home/modules/agenix/options.nix b/home/modules/agenix/options.nix
new file mode 100644
index 00000000..3b580387
--- /dev/null
+++ b/home/modules/agenix/options.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ mylib,
+ ...
+}: let
+ mkSecret = file:
+ lib.mkOption {
+ type = lib.types.path;
+ default = file;
+ };
+in {
+ secrets = lib.mkOption {
+ type = lib.types.attrs;
+ description = "The secret files managed by agenix (and their associated keys)";
+ example = ''
+ {
+ christoph = [
+ "heidi-discord-token"
+ "kopia-password"
+ "kopia-server-username"
+ "kopia-server-password"
+ ];
+ }
+ '';
+
+ default = {};
+ };
+
+ heidi-discord-token = mkSecret ./heidi-discord-token.age;
+ kopia-user-password = mkSecret ./kopia-user-password.age;
+ kopia-server-user = mkSecret ./kopia-server-user.age;
+ kopia-server-password = mkSecret ./kopia-server-password.age;
+}
diff --git a/home/modules/agenix/void.age b/home/modules/agenix/void.age
new file mode 100644
index 00000000..d1bfa477
--- /dev/null
+++ b/home/modules/agenix/void.age
@@ -0,0 +1 @@
+This secret has not been generated.
diff --git a/home/modules/default.nix b/home/modules/default.nix
index 376ddd3c..c2b84350 100644
--- a/home/modules/default.nix
+++ b/home/modules/default.nix
@@ -3,6 +3,7 @@ # Obsolete modules are kept in "1_deprecated" for reference. # My own HM modules + ./agenix ./beets ./chromium ./color
@@ -26,6 +27,7 @@
 # HM modules imported from the flake inputs
 inputs.nix-flatpak.homeManagerModules.nix-flatpak
 inputs.nixvim.homeManagerModules.nixvim
+ inputs.agenix.homeManagerModules.default
 # inputs.ags.homeManagerModules.default
 # inputs.spicetify-nix.homeManagerModules.default
 ];
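Review bot: The `example` for `secrets` lists `kopia-password` and `kopia-server-username`, but the per-secret options declared below it are `kopia-user-password` and `kopia-server-user`, so the example names would not match any `.age` file this module declares; align the example with the declared option names. `type = lib.types.attrs;` also accepts any attribute set, so a value that is not an attrset of name lists only fails later inside the `builtins.map` in default.nix with an unhelpful error; `type = lib.types.attrsOf (lib.types.listOf lib.types.str);` both documents and enforces the shape the example shows. `mylib` is taken as an argument of this file but never used.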