diff --git a/modules/server/sops/default.nix b/modules/server/sops/default.nix
index 5cec0d8..f19bada 100644
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -7,12 +7,11 @@ let
 in{
   sops.secrets = {
     CUSTOM = {
-      mode = "0644";
+      mode = "0444";
       sopsFile = ./server.yaml;
     };
   } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
-      owner = "postgres";
-      mode = "0644";
+      mode = "0444";
       sopsFile = ./server.yaml;
     }));
 }
diff --git a/modules/shared/sops/default.nix b/modules/shared/sops/default.nix
index f19bada..b30caf6 100755
--- a/modules/shared/sops/default.nix
+++ b/modules/shared/sops/default.nix
@@ -1,17 +1,28 @@
 { config, lib, pkgs, ... }:
 let
-  listNames = config.syscfg.server.db;
-  containerNames = lib.mapAttrsToList (name: cfg: name)
-    (lib.filterAttrs (name: cfg: ((cfg.db or false) || (cfg.sops or false))) config.syscfg.server.containers);
-  allApps = lib.unique (listNames ++ containerNames);
-in{
-  sops.secrets = {
-    CUSTOM = {
-      mode = "0444";
-      sopsFile = ./server.yaml;
-    };
-  } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
-      mode = "0444";
-      sopsFile = ./server.yaml;
-    }));
+  isCI = builtins.elem config.syscfg.hostname [ "ci" "sandbox" ];
+  keyFilePath = (if isCI then
+    "/var/lib/sops-nix/mock-key.txt"
+  else
+    "/var/lib/sops-nix/age-key.txt");
+  sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml);
+in {
+  environment.systemPackages = with pkgs; [ sops ];
+  environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;
+
+  sops.defaultSopsFile = sopsFilePath;
+  sops.age.keyFile = keyFilePath;
+  sops.age.generateKey = true;
+
+  sops.secrets = lib.mkMerge [
+    {
+      wifi = { };
+      "${config.syscfg.hostname}_ssh_priv" = {
+        mode = "0400";
+        owner = config.users.users.${config.syscfg.defaultUser}.name;
+        group = config.users.users.${config.syscfg.defaultUser}.group;
+      };
+      "${config.syscfg.hostname}_wg_priv" = { };
+    }
+];
 }
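Review bot: Dropping `owner = "postgres"` while changing `mode` to `"0444"` leaves `CUSTOM` and every generated per-app secret world-readable and owned by the module default (root, as far as I recall from sops-nix), so any local account or service on the host can read the database credentials; compared with the old `0644` the files become slightly less writable but no less exposed to readers. If the intent was to let the postgres service read the files without owning them, `mode = "0440";` together with `group = "postgres";` keeps that read path open while closing it to every other user, and keeping the owner with `mode = "0400";` would be tighter still. The `let` block that defines `allApps` begins before this hunk, so I cannot see whether the owner is set anywhere else.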
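Review bot: `sops.age.generateKey = true` combined with the hostname-driven `isCI` switch is undocumented and has two consequences that a maintainer cannot see from the code: any host whose `syscfg.hostname` is literally `ci` or `sandbox` silently decrypts `./mock.yaml` with a generated mock key, and any other host that boots without `/var/lib/sops-nix/age-key.txt` presumably gets a freshly generated key that cannot decrypt `./common.yaml`. A comment above `isCI` such as `# hosts named ci/sandbox use mock secrets; all other hosts must be provisioned with the real age key before first activation, otherwise generateKey produces an unusable key` would state that contract. The `environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;` line also points every user session at the host's private age key; that path is only useful to whoever can read the file, and if it is ever made readable to the default user that user can decrypt everything in `common.yaml`, so a one-line comment explaining whether the host key or a per-user key is meant for editing would help. `wifi` and `"${config.syscfg.hostname}_wg_priv"` rely on the sops-nix defaults for mode and owner (root-only `0400`, if I recall correctly) next to an explicit `mode = "0400"` on the ssh key, which reads as an inconsistency unless a comment says the defaults are intended; the closing `];` is also indented one level short of its opening `lib.mkMerge [`.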