# sops-nix wiring for this host: an age identity decrypts secrets.yaml at
# activation and the decrypted material is exposed as files (owned by the
# login user where that user needs to read them).
{ lib, config, userSettings, ... }:

let
  cfg = config.sys.security.sops;
  home = "/home/${userSettings.username}";

  # Ownership shared by every secret the login user reads directly.
  userOwned = {
    owner = userSettings.username;
    group = "users";
  };

  # An SSH private key rendered straight into ~/.ssh under the given file name.
  userSshKey = fileName: userOwned // { path = "${home}/.ssh/${fileName}"; };
in
{
  options.sys.security.sops.enable = lib.mkEnableOption "Enable SOPS";

  config = lib.mkIf cfg.enable {
    sops = {
      defaultSopsFile = ./secrets/secrets.yaml;
      defaultSopsFormat = "yaml";

      # The age identity lives in the user's home and is created on first
      # activation when missing.
      # NOTE(review): the password hash below is decrypted before user setup;
      # if /home is a separate mount it may not be available at that point —
      # confirm against the host's filesystem layout.
      age = {
        keyFile = "${home}/.config/sops/age/keys.txt";
        generateKey = true;
      };

      secrets = {
        # Login password hash; decrypted early so user creation can read it.
        "${userSettings.hostname}/password-hash".neededForUsers = true;

        # YubiKey identifiers (fed into the templates below).
        longinus_spear = userOwned;
        cassius_spear = userOwned;

        # SSH private keys
        "ssh_keys/masaoka_private" = userSshKey "id_masaoka";
        # git.hater.dev
        "ssh_keys/hater_private" = userSshKey "id_shinya3";
        # gitea.homework.zip
        "ssh_keys/homework_private" = userSshKey "id_homework";

        "wakapi/salt" = userOwned;

        #"${userSettings.hostname}/syncthing" = userOwned;
      };

      templates = {
        #"syncthing-password".content = config.sops.placeholder."${userSettings.hostname}/syncthing";
        "yubikey-id".content = config.sops.placeholder.longinus_spear;
        "yubikey-id2".content = config.sops.placeholder.cassius_spear;
      };
    };

    # Password hash
    users.users.${userSettings.username}.hashedPasswordFile =
      config.sops.secrets."${userSettings.hostname}/password-hash".path;

    # YubiKey IDs
    # NOTE(review): templates.<name>.content is the template text holding the
    # sops placeholder token; the substituted value only exists in the rendered
    # file at templates.<name>.path, so pam_yubico most likely receives the
    # literal placeholder here — confirm against the generated PAM config.
    security.pam.yubico.id = lib.optionals config.program.yubikey.enable [
      config.sops.templates."yubikey-id".content
      config.sops.templates."yubikey-id2".content
    ];

    # Syncthing password
    #services.syncthing.settings.gui.password = config.sops.templates."syncthing-password".content;

    services.wakapi.passwordSaltFile = config.sops.secrets."wakapi/salt".path;
  };
}