diff --git a/modules/nixos/sysconf/secrets.nix b/modules/nixos/sysconf/secrets.nix index bd5b6a4..daf089c 100644 --- a/modules/nixos/sysconf/secrets.nix +++ b/modules/nixos/sysconf/secrets.nix @@ -7,6 +7,9 @@ ... }: with lib; +let + cfg = config.secrets; +in { imports = [ inputs.sops-nix.nixosModules.sops ]; options.secrets = { @@ -26,14 +29,14 @@ with lib; }; }; config = { - sops = mkIf config.secrets.enable { - defaultSopsFile = mkIf config.secrets.enable "/persist/dotfiles/secrets/secrets.yaml"; + sops = mkIf cfg.enable { + defaultSopsFile = "/persist/dotfiles/secrets/secrets.yaml"; # non existent path #https://github.com/Mic92/sops-nix/issues/167 - gnupg.sshKeyPaths = mkIf config.secrets.enable [ ]; + gnupg.sshKeyPaths = [ ]; # This will automatically import SSH keys as age keys # Don't forget to copy key there - age.sshKeyPaths = mkIf config.secrets.enable [ "/persist/etc/ssh/id_ed25519_age" ]; - secrets.userpassword = mkIf config.secrets.enablePassword { + age.sshKeyPaths = [ "/persist/etc/ssh/id_ed25519_age" ]; + secrets.userpassword = mkIf cfg.enablePassword { neededForUsers = true; sopsFile = ../../../secrets/userpassword.yaml; }; @@ -43,9 +46,9 @@ with lib; owner = username; }; }; - users.users."${config.var.username}" = { - hashedPasswordFile = mkIf config.secrets.enablePassword config.sops.secrets.userpassword.path; - password = mkIf config.secrets.enablePassword (mkForce null); + users.users."${config.var.username}" = mkIf cfg.enablePassword { + hashedPasswordFile = config.sops.secrets.userpassword.path; + password = mkForce null; }; # sops.secrets.rootpassword = { # neededForUsers = true; 
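Review bot: The kept comment `# non existent path #https://github.com/Mic92/sops-nix/issues/167` above `gnupg.sshKeyPaths = [ ];` does not say which path is missing or why the list is emptied, so the next reader cannot tell whether the line is still needed once the linked issue is resolved. Since this hunk already rewrites the surrounding lines, reword it to state the intent, e.g. `# Emptied on purpose: the host key that sops-nix would import here does not exist on this system (see https://github.com/Mic92/sops-nix/issues/167)`. The same applies to `# Don't forget to copy key there` above `age.sshKeyPaths`, which could name the expected location, e.g. `# The age key must exist at /persist/etc/ssh/id_ed25519_age before first activation`. The enclosing `config = {` set continues past this hunk.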
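Review bot: `hashedPasswordFile = config.sops.secrets.userpassword.path` is now guarded only by `mkIf cfg.enablePassword`, but `secrets.userpassword` is defined in the previous hunk inside `sops = mkIf cfg.enable { … }`, so `enablePassword = true` with `enable = false` fails evaluation with a missing-attribute error instead of a readable message. This predates the commit, but the restructuring here is the natural place to make the dependency explicit with an assertion in the same `config` set, e.g. `assertions = [ { assertion = cfg.enablePassword -> cfg.enable; message = "secrets.enablePassword requires secrets.enable"; } ];`. The enclosing `config = {` set starts in an earlier hunk and continues past this one.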
@@ -53,14 +56,14 @@ with lib; # }; # users.users."root".hashedPasswordFile = config.sops.secrets.rootpassword.path; # Disable root - users.users."root".hashedPassword = mkIf config.secrets.enablePassword "*"; - systemd.enableEmergencyMode = mkIf config.secrets.enablePassword false; # this makes no sense with root password disabled + users.users."root".hashedPassword = mkIf cfg.enablePassword "*"; + systemd.enableEmergencyMode = mkIf cfg.enablePassword false; # this makes no sense with root password disabled ignoredWarnings = [ "The user '${username}' has multiple of the options\n`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`\n& `initialHashedPassword` set to a non-null value.\nThe options silently discard others by the order of precedence\ngiven above which can lead to surprising results. To resolve this warning,\nset at most one of the options above to a non-`null` value.\n" "The user 'root' has multiple of the options\n`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`\n& `initialHashedPassword` set to a non-null value.\nThe options silently discard others by the order of precedence\ngiven above which can lead to surprising results. To resolve this warning,\nset at most one of the options above to a non-`null` value.\n" ]; - environment.systemPackages = mkIf config.secrets.enable [ pkgs.sops ]; + environment.systemPackages = [ pkgs.sops ]; environment.persistence."/persist".files = mkIf config.modules.sysconf.impermanence.enable [ "/etc/ssh/id_ed25519_age"