| # SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors |
| # SPDX-FileCopyrightText: 2024 Clicks Codes |
| # |
| # SPDX-License-Identifier: GPL-3.0-only |
| |
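# NixOS module wiring agenix-rekey into the `clicks.security.secrets` namespace:
# declares the enable option, names the master (YubiKey) identities, keeps the
# rekeyed per-host secrets inside the repository and, on impermanence hosts,
# points agenix at the persisted SSH host keys.
#
# Arguments: the standard module arguments; `pkgs` was unused and is dropped
# from the pattern (the trailing `...` still accepts it).
{ config, lib, inputs, ... }: let
  cfg = config.clicks.security.secrets;

  hostName = config.networking.hostName;

  # All master identities live under secrets/keys/minion/ in this flake.
  yubikeyIdentity = name: "${inputs.self}/secrets/keys/minion/${name}.pub";
in {
  options.clicks.security.secrets.enable = lib.mkOption {
    description = "Enable using agenix-rekey for secrets";
    type = lib.types.bool;
    default = config.clicks.defaults.enable;
  };

  # Declare an (empty) `age` option namespace so that the `config.age = {}`
  # produced below when the module is disabled is a definition of an existing
  # option, even on hosts that do not import agenix/agenix-rekey.
  # `lib.optionalAttrs` is used instead of `lib.mkIf` on purpose: with `mkIf`
  # the `age.rekey` / `age.identityPaths` definitions would still be registered
  # while disabled and the module system would reject them as undeclared options.
  options.age = {};

  config.age = lib.optionalAttrs cfg.enable {
    rekey = {
      # age-plugin-yubikey identity files: they identify a key slot on the
      # token and the private key stays on the hardware, so keeping them in
      # the repository is intended.
      # NOTE(review): per agenix-rekey semantics every secret is encrypted to
      # all master identities, so any single token here can decrypt
      # everything. A lost or retired token must be removed from this list
      # and every secret rekeyed.
      masterIdentities = map yubikeyIdentity [
        "collabora-yubikey"
        "tiny-yubikey"
        "iyubikey"
      ];

      # Rekeyed (host-key-encrypted) secrets are committed to the repository,
      # one directory per host, rather than kept in a derivation.
      storageMode = "local";
      generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${hostName}";
      localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${hostName}";
    };

    # On impermanence hosts use the persisted copies of the SSH host keys as
    # the agenix identities (presumably /etc/ssh is not persistent there —
    # see clicks.storage.impermanence). When impermanence is off no definition
    # is made and the option's default applies.
    identityPaths = lib.mkIf config.clicks.storage.impermanence.enable [
      "/persist/data/etc/ssh/ssh_host_ed25519_key"
      "/persist/data/etc/ssh/ssh_host_rsa_key"
    ];
  };
}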