feat: Manage secrets w/ sops-nix

Closes #1
2024-12-28 22:28:56 -07:00
parent fa3bd72816
commit 52dc849c67
10 changed files with 186 additions and 9 deletions
--- a/modules/nixos/sops.nix
+++ b/modules/nixos/sops.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.sydnix.sops;
+in {
+  options = {
+    sydnix.sops = {
+      enable = mkEnableOption "Sops secrets";
+      keyFile = mkOption {
+        description = "Path to an Age key file.";
+        type = types.path;
+        default = "/persist/key.txt";
+      };
+      secrets = mkOption {
+        description = "Secrets passed directly to sops-nix.";
+      };
+      package = mkOption {
+        description = "Sops CLI package.  If null, nothing will be installed.";
+        type = with types; nullOr package;
+        default = pkgs.sops;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    sops.defaultSopsFile = ../../secrets.yaml;
+    sops.defaultSopsFormat = "yaml";
+
+    environment.systemPackages =
+      mkIf (cfg.package != null)
+        [ cfg.package ];
+
+    sops.age.keyFile = cfg.keyFile;
+    sops.secrets = cfg.secrets;
+  };
+}