Fix sops

modules/server/sops/default.nix

@@ -7,12 +7,11 @@ let
 in{
     sops.secrets = {
       CUSTOM = { 
-        mode = "0644";
+        mode = "0444";
         sopsFile = ./server.yaml; 
       };
     } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
-      owner = "postgres";
+      mode = "0444";
-      mode = "0644";
       sopsFile = ./server.yaml;
     }));
 }

modules/shared/sops/default.nix

@@ -1,17 +1,28 @@
 { config, lib, pkgs, ... }:
 let
-  listNames = config.syscfg.server.db;
+  isCI = builtins.elem config.syscfg.hostname [ "ci" "sandbox" ];
-  containerNames = lib.mapAttrsToList (name: cfg: name) 
+  keyFilePath = (if isCI then
-    (lib.filterAttrs (name: cfg: ((cfg.db or false) || (cfg.sops or false))) config.syscfg.server.containers);
+    "/var/lib/sops-nix/mock-key.txt"
-  allApps = lib.unique (listNames ++ containerNames);
+  else
-in{
+    "/var/lib/sops-nix/age-key.txt");
-    sops.secrets = {
+  sopsFilePath = (if isCI then ./mock.yaml else ./common.yaml);
-      CUSTOM = { 
+in {
-        mode = "0444";
+  environment.systemPackages = with pkgs; [ sops ];
-        sopsFile = ./server.yaml; 
+  environment.sessionVariables.SOPS_AGE_KEY_FILE = keyFilePath;
+
+  sops.defaultSopsFile = sopsFilePath;
+  sops.age.keyFile = keyFilePath;
+  sops.age.generateKey = true;
+
+  sops.secrets = lib.mkMerge [
+  {
+    wifi = { };
+    "${config.syscfg.hostname}_ssh_priv" = {
+      mode = "0400";
+      owner = config.users.users.${config.syscfg.defaultUser}.name;
+      group = config.users.users.${config.syscfg.defaultUser}.group;
     };
-    } // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
+    "${config.syscfg.hostname}_wg_priv" = { };
-      mode = "0444";
+  }
-      sopsFile = ./server.yaml;
+];
-    }));
 }