Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / 67cf8aa3731dca126803bc3a24a14b6a5fb81ea4 / . / modules / nixos / clicks / security / secrets / default.nix
blob: 9a97f9dfef2109ced83da674341fe986a79c1074 [file] [log] [blame]
Skyler Grey67cf8aa2024-07-28 13:21:32 +0000[diff] [blame^]1# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
2# SPDX-FileCopyrightText: 2024 Clicks Codes
3#
4# SPDX-License-Identifier: GPL-3.0-only
5
6{ config, lib, pkgs, inputs, ... }: let
7 cfg = config.clicks.security.secrets;
8in {
9 options.clicks.security.secrets.enable = lib.mkOption {
10 description = "Enable using agenix-rekey for secrets";
11 type = lib.types.bool;
12 default = true;
13 };
14
15 config = lib.mkIf cfg.enable {
16 age.rekey = {
17 masterIdentities = [
18 "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
19 "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
20 "${inputs.self}/secrets/keys/minion/iyubikey.pub"
21 ];
22 storageMode = "local";
23 generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${config.networking.hostName}";
24 localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${config.networking.hostName}";
25 };
26
27 age.identityPaths = lib.mkIf config.clicks.storage.impermanence.enable [
28 "/persist/data/etc/ssh/ssh_host_ed25519_key"
29 "/persist/data/etc/ssh/ssh_host_rsa_key"
30 ];
31 };
32}