From 7af1f6a0b34841cb50fa581caf03614a9863c55e Mon Sep 17 00:00:00 2001
From: vkcku
Date: Mon, 1 Jun 2026 12:28:47 +0530
Subject: infra: add secrets management to base module

monorepo-revid: 1a906a2a1a486db986b9daaa632328579da32522
---
 infra/modules/base/secrets.nix | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 infra/modules/base/secrets.nix

(limited to 'infra/modules/base/secrets.nix')

diff --git a/infra/modules/base/secrets.nix b/infra/modules/base/secrets.nix
new file mode 100644
index 0000000..3f81ea7
--- /dev/null
+++ b/infra/modules/base/secrets.nix
@@ -0,0 +1,28 @@
+{ inputs, ... }:
+{
+ flake.modules.nixos.base =
+ { config, lib, ... }:
+ {
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ # Cannot use `/etc/host/` directly because then it will not load
+ # the secrets that are marked `neededForUsers` correctly.
+ age.sshKeyPaths = [ "${config.infra.persist.dir}/etc/ssh/ssh_host_ed25519_key" ];
+ };
+
+ virtualisation.vmVariant = {
+ # Use the age key from the host (my development machine) to decrypt
+ # in the VMs.
+ #
+ # TODO: Rework this to use the host SSH key instead.
+ virtualisation.sharedDirectories.host-age = {
+ source = "/home/vkcku/.config/sops/age";
+ target = "/run/sops/age";
+ };
+
+ sops.age.keyFile = lib.mkForce "/run/sops/age/keys.txt";
+ };
+ };
+}
-- 
cgit v1.3.1
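Review bot: The `virtualisation.vmVariant` block shares the developer's personal age private key directory (`/home/vkcku/.config/sops/age`) into the guest at `/run/sops/age`, so every process inside a test VM can read — and, unless the share is mounted read-only, alter — the one key that decrypts all of `secrets.yaml` for the real hosts, and the hard-coded home path ties the VM build to a single machine. A VM should instead get a dedicated, throwaway age key listed as its own recipient in `.sops.yaml`, e.g. `source = "/var/lib/sops-vm-key";` (any path outside a user's home), with the developer key staying on the host; that also makes the `TODO` about switching to the SSH host key easier to land. At minimum the `host-age` share deserves a comment stating plainly that the key exposed here can decrypt production secrets and that the VM must not be reachable from untrusted networks while it is mounted. Separately, the diffstat shows only `secrets.nix` being created, so `defaultSopsFile = ./secrets.yaml` refers to a file not in this change; if it lands in another commit that is fine, otherwise building the sops configuration will presumably fail on the missing path.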