Gitiles
Code Review Sign In
git.clicks.codes / Infra / NixFiles / ec13fbd7a8bfe2eff569df5ad77d007599bbffc2 / . / modules / nixos / clicks / security / secrets / default.nix
blob: 8a120f91ce52698fbd8c393863abcfd0b6b15d85 [file] [log] [blame]
Skyler Grey67cf8aa2024-07-28 13:21:32 +0000[diff] [blame]1# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
2# SPDX-FileCopyrightText: 2024 Clicks Codes
3#
4# SPDX-License-Identifier: GPL-3.0-only
5
6{ config, lib, pkgs, inputs, ... }: let
7 cfg = config.clicks.security.secrets;
8in {
9 options.clicks.security.secrets.enable = lib.mkOption {
10 description = "Enable using agenix-rekey for secrets";
11 type = lib.types.bool;
Skyler Grey4bf2de52024-07-29 17:55:05 +0000[diff] [blame]12 default = config.clicks.defaults.enable;
Skyler Grey67cf8aa2024-07-28 13:21:32 +0000[diff] [blame]13 };
14
Skyler Greyec13fbd2024-08-03 08:11:04 +0000[diff] [blame^]15 options.age = {}; # Required definition for lib.optionalAttrs...
16
17 config.age = lib.optionalAttrs cfg.enable {
18 rekey = {
Skyler Grey67cf8aa2024-07-28 13:21:32 +0000[diff] [blame]19 masterIdentities = [
20 "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
21 "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
22 "${inputs.self}/secrets/keys/minion/iyubikey.pub"
23 ];
24 storageMode = "local";
25 generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${config.networking.hostName}";
26 localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${config.networking.hostName}";
27 };
28
Skyler Greyec13fbd2024-08-03 08:11:04 +0000[diff] [blame^]29 identityPaths = lib.mkIf config.clicks.storage.impermanence.enable [
Skyler Grey67cf8aa2024-07-28 13:21:32 +0000[diff] [blame]30 "/persist/data/etc/ssh/ssh_host_ed25519_key"
31 "/persist/data/etc/ssh/ssh_host_rsa_key"
32 ];
33 };
34}