prettify secrets module

nyawox · Dec 4, 2024 · 7a398a4 · 7a398a4
1 parent 6bf4436
commit 7a398a4
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/modules/nixos/sysconf/secrets.nix b/modules/nixos/sysconf/secrets.nix
@@ -7,6 +7,9 @@
   ...
 }:
 with lib;
+let
+  cfg = config.secrets;
+in
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
   options.secrets = {
@@ -26,14 +29,14 @@ with lib;
     };
   };
   config = {
-    sops = mkIf config.secrets.enable {
-      defaultSopsFile = mkIf config.secrets.enable "/persist/dotfiles/secrets/secrets.yaml";
+    sops = mkIf cfg.enable {
+      defaultSopsFile = "/persist/dotfiles/secrets/secrets.yaml"; # non existent path
       #https://github.com/Mic92/sops-nix/issues/167
-      gnupg.sshKeyPaths = mkIf config.secrets.enable [ ];
+      gnupg.sshKeyPaths = [ ];
       # This will automatically import SSH keys as age keys
       # Don't forget to copy key there
-      age.sshKeyPaths = mkIf config.secrets.enable [ "/persist/etc/ssh/id_ed25519_age" ];
-      secrets.userpassword = mkIf config.secrets.enablePassword {
+      age.sshKeyPaths = [ "/persist/etc/ssh/id_ed25519_age" ];
+      secrets.userpassword = mkIf cfg.enablePassword {
         neededForUsers = true;
         sopsFile = ../../../secrets/userpassword.yaml;
       };
@@ -43,24 +46,24 @@ with lib;
         owner = username;
       };
     };
-    users.users."${config.var.username}" = {
-      hashedPasswordFile = mkIf config.secrets.enablePassword config.sops.secrets.userpassword.path;
-      password = mkIf config.secrets.enablePassword (mkForce null);
+    users.users."${config.var.username}" = mkIf cfg.enablePassword {
+      hashedPasswordFile = config.sops.secrets.userpassword.path;
+      password = mkForce null;
     };
     # sops.secrets.rootpassword = {
     #   neededForUsers = true;
     #   sopsFile = ./rootpassword.yaml;
     # };
     # users.users."root".hashedPasswordFile = config.sops.secrets.rootpassword.path;
     # Disable root
-    users.users."root".hashedPassword = mkIf config.secrets.enablePassword "*";
-    systemd.enableEmergencyMode = mkIf config.secrets.enablePassword false; # this makes no sense with root password disabled
+    users.users."root".hashedPassword = mkIf cfg.enablePassword "*";
+    systemd.enableEmergencyMode = mkIf cfg.enablePassword false; # this makes no sense with root password disabled
     ignoredWarnings = [
       "The user '${username}' has multiple of the options\n`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`\n& `initialHashedPassword` set to a non-null value.\nThe options silently discard others by the order of precedence\ngiven above which can lead to surprising results. To resolve this warning,\nset at most one of the options above to a non-`null` value.\n"
       "The user 'root' has multiple of the options\n`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`\n& `initialHashedPassword` set to a non-null value.\nThe options silently discard others by the order of precedence\ngiven above which can lead to surprising results. To resolve this warning,\nset at most one of the options above to a non-`null` value.\n"
     ];
 
-    environment.systemPackages = mkIf config.secrets.enable [ pkgs.sops ];
+    environment.systemPackages = [ pkgs.sops ];
 
     environment.persistence."/persist".files = mkIf config.modules.sysconf.impermanence.enable [
       "/etc/ssh/id_ed25519_age"