path: root/modules/secrets/default.nix
blob: 04d1bfed10cdaddcc2c234b3aa8094e2a0a49910 (plain) (tree)
{ config, inputs, lib, options, ... }:
with builtins;
with lib;
let
  # Per-host secrets live next to the host definition. The manifest
  # (secrets.nix) maps "<file>.age" -> { owner, group, mode } and is
  # imported as Nix code at evaluation time.
  hostName = config.networking.hostName;
  secretsDir = "${toString ../../hosts}/${hostName}/secrets";
  secretsFile = "${secretsDir}/secrets.nix";

  # Fall back to root when the named principal is not declared on this host,
  # so an unknown owner/group does not produce a warning.
  # NOTE(review): the fallback is silent — a mistyped owner or group in
  # secrets.nix yields a root-owned secret instead of an evaluation error.
  ownerOrRoot = u: if hasAttr u config.users.users then u else "root";
  groupOrRoot = g: if hasAttr g config.users.groups then g else "root";

  # Build a single age.secrets entry from a manifest record. Attributes other
  # than owner/group/mode are accepted and ignored. owner and group are
  # mkDefault so a host module can override them; mode is set verbatim.
  mkSecret = name:
    { owner ? "root", group ? "root", mode ? "0400", ... }: {
      file = "${secretsDir}/${name}";
      owner = mkDefault (ownerOrRoot owner);
      group = mkDefault (groupOrRoot group);
      mode = mode;
    };

  # Hosts without a manifest simply get no secrets.
  manifest = if pathExists secretsFile then import secretsFile else { };

  # Secret names drop the ".age" suffix of the manifest key.
  toEntry = file: spec: nameValuePair (removeSuffix ".age" file) (mkSecret file spec);
in {
  imports = [ inputs.agenix.nixosModules.age ];

  config.age = {
    secrets = mapAttrs' toEntry manifest;
    # Decrypt with the module's default host keys plus this user's ed25519 key
    # when present. NOTE(review): pathExists runs where the configuration is
    # evaluated, not necessarily on the target host — confirm this matches the
    # deployment flow. The user name is hard-coded; evaluation fails on hosts
    # that do not declare users.users.fcuny.
    identityPaths = options.age.identityPaths.default
      ++ filter pathExists [ "${config.users.users.fcuny.home}/.ssh/id_ed25519" ];
  };
}