Diffstat (limited to 'infra/modules/base/secrets.nix')
-rw-r--r--infra/modules/base/secrets.nix28
1 files changed, 28 insertions, 0 deletions
diff --git a/infra/modules/base/secrets.nix b/infra/modules/base/secrets.nix
new file mode 100644
index 0000000..3f81ea7
--- /dev/null
+++ b/infra/modules/base/secrets.nix
@@ -0,0 +1,28 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.base =
+ { config, lib, ... }:
+ {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ # Cannot use `/etc/host/` directly because then it will not load
+ # the secrets that are marked `neededForUsers` correctly.
+ age.sshKeyPaths = [ "${config.infra.persist.dir}/etc/ssh/ssh_host_ed25519_key" ];
+ };
+
+ virtualisation.vmVariant = {
+ # Use the age key from the host (my development machine) to decrypt
+ # in the VMs.
+ #
+ # TODO: Rework this to use the host SSH key instead.
+ virtualisation.sharedDirectories.host-age = {
+ source = "/home/vkcku/.config/sops/age";
+ target = "/run/sops/age";
+ };
+
+ sops.age.keyFile = lib.mkForce "/run/sops/age/keys.txt";
+ };
+ };
+}
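Review bot: The `virtualisation.vmVariant` block shares the developer's entire age key directory (`/home/vkcku/.config/sops/age`) into the guest, so the VM obtains the same decryption capability over every secret in `secrets.yaml` as the development machine, not only the secrets the VM actually needs; the TODO notes a rework but the present comment does not state that consequence. I would extend the comment with `# NOTE: the guest can decrypt everything this key can — keep this to local dev VMs only.` and, until the SSH-key approach lands, point `source` at a directory holding a single VM-only age key rather than the full key directory. The `age.sshKeyPaths` entry under `config.infra.persist.dir` is still inherited by the vmVariant, where that persisted host key presumably does not exist; if sops-nix treats a missing path there as more than a warning, adding `sops.age.sshKeyPaths = lib.mkForce [ ];` next to the `keyFile` override would make the VM's key source explicit. The hard-coded home path also ties the module to one user account, which a short comment or a module option would make clearer.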