authorTim Keller <tjk@tjkeller.xyz>2025-07-17 20:03:16 -0500
committerTim Keller <tjk@tjkeller.xyz>2025-07-17 20:03:16 -0500
commitb74e44f59eff364eb5281f7389f84ae4e3b692fe (patch)
tree31635add1d88af5c8d8f7eccf1267abaa0a9423f /modules/root/secrets.nix
parent991ae9037461f2993f0f240be2fe4fe24bbeacb6 (diff)
Clean up secrets into separate files and make setting the user password optional
Diffstat (limited to 'modules/root/secrets.nix')
-rw-r--r--modules/root/secrets.nix30
1 files changed, 9 insertions, 21 deletions
diff --git a/modules/root/secrets.nix b/modules/root/secrets.nix
index 045e3f4..38346b2 100644
--- a/modules/root/secrets.nix
+++ b/modules/root/secrets.nix
@@ -1,30 +1,18 @@
-{ pkgs, inputs, config, userDetails, ... }: {
+{ lib, pkgs, inputs, config, userDetails, ... }: {
imports = [ inputs.sops-nix.nixosModules.sops ];
sops = {
- defaultSopsFile = ./resources/secrets/secrets.yaml;
defaultSopsFormat = "yaml";
- age.keyFile = "${userDetails.home}/.config/sops/age/keys.txt";
+ age.sshKeyPaths = [ "${userDetails.home}/.ssh/id_ed25519" "/root/.ssh/id_ed25519" ];
secrets = {
- wpa_supplicant-conf = { };
- hashed-root-password = { };
- };
- };
-
- # This service is a workaround to ensure that secrets are available on
- # reboot when the secret keys are on a separate subvolume
- systemd.services.npcnix-force-rebuild-sops-hack = {
- wantedBy = [ "multi-user.target" ];
- before = [
- # List all services that require secrets
- "wpa_supplicant.service"
- ];
- serviceConfig = {
- ExecStart = "/run/current-system/activate";
- Type = "oneshot";
- Restart = "on-failure"; # because oneshot
- RestartSec = "10s";
+ wpa_supplicant-conf = lib.mkIf config.wifi.enable {
+ sopsFile = ./resources/secrets/wpa_supplicant-conf.yaml;
+ };
+ hashed-root-password = lib.mkIf config.users.setPassword.enable {
+ sopsFile = ./resources/secrets/hashed-root-password.yaml;
+ neededForUsers = true;
+ };
};
};
}
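Review bot: The new `age.sshKeyPaths` line makes the user's personal key at `${userDetails.home}/.ssh/id_ed25519` a valid decryption key for host-level secrets, including `hashed-root-password`, so any process running as that user can decrypt the root password hash and the wpa_supplicant config; a root-only key such as the host SSH key keeps that material out of the user's reach, e.g. `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` (assuming the host key is generated on this system). The removed `npcnix-force-rebuild-sops-hack` service existed because the keys live on a separate subvolume, and nothing in the new hunk replaces it; with `neededForUsers = true` the password secret is presumably decrypted at the early users-setup stage, so the listed key paths must be readable before that subvolume is mounted, which looks worth confirming on a fresh boot. A short comment above `age.sshKeyPaths` stating which key is expected to exist at activation time, `# must be readable by the activation script at early boot (before users are created)`, would document that assumption for the next reader.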