32 lines
1 KiB
Nix
32 lines
1 KiB
Nix
{
|
|
inputs,
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
homeKeys =
|
|
if pkgs.stdenv.isDarwin then
|
|
"/Users/${config.home.username}/Library/Application Support/sops/age/keys.txt"
|
|
else
|
|
"/home/${config.home.username}/.config/sops/age/keys.txt";
|
|
in
|
|
lib.mkMerge [
|
|
{
|
|
home.ensureDirs."${builtins.dirOf homeKeys}".mode = "0700";
|
|
sops = {
|
|
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
|
|
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
|
|
};
|
|
}
|
|
# linux machines: assumption: there is an OpenSSH server of which we are able to use the hostkey, like at the NixOS module. The `keyDir` is only used for the private admin key.
|
|
(lib.mkIf pkgs.stdenv.isLinux {
|
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
})
|
|
|
|
# darwin: no SSH server, no hostkey => let's use the `keyDir` key both for encryption and decrpytion
|
|
(lib.mkIf pkgs.stdenv.isDarwin {
|
|
sops.age.keyFile = homeKeys;
|
|
})
|
|
]
|