feat: modularize secrets

flake.nix

@@ -71,10 +71,9 @@
     ...
   } @ inputs:
     {
-      secrets = {
+      secretsConfig = {
         masterIdentities = [./secrets/NIXOSc.key.pub];
         extraEncryptionPubkeys = [./secrets/recipients.txt];
-        content = import ./nix/secrets.nix inputs;
       };
 
       hosts = {

hosts/common/core/default.nix

@@ -8,6 +8,8 @@
     ./system.nix
     ./xdg.nix
     ./impermanence.nix
+
+    ../../../nix/secrets.nix
   ];
 
   home-manager = {

hosts/common/core/nix.nix

@@ -28,11 +28,9 @@
     daemonIOSchedPriority = 5;
     distributedBuilds = true;
     extraOptions = ''
-            builders-use-substitutes = true
+      builders-use-substitutes = true
-            experimental-features = nix-command flakes recursive-nix
+      experimental-features = nix-command flakes recursive-nix
-            flake-registry = /etc/nix/registry.json
+      flake-registry = /etc/nix/registry.json
-            plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
-      extra-builtins-file = ${../../..}/nix/extra-builtins.nix
     '';
     optimise.automatic = true;
     gc = {

hosts/common/core/system.nix

@@ -8,7 +8,7 @@
 }: {
   rekey = {
     inherit
-      (inputs.self.secrets)
+      (inputs.self.secretsConfig)
       masterIdentities
       extraEncryptionPubkeys
       ;
@@ -57,4 +57,12 @@
   ];
 
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  secrets.secretFiles = let
+    local = nodePath + "/secrets/secrets.nix.age";
+  in
+    {
+      global = ../../../secrets/secrets.nix.age;
+    }
+    // lib.optionalAttrs (nodePath != null && lib.pathExists local) {inherit local;};
 }

hosts/patricknix/net.nix

@@ -1,10 +1,10 @@
 {
-  nodeSecrets,
   nodePath,
+  config,
   ...
 }: {
   networking = {
-    inherit (nodeSecrets.networking) hostId;
+    inherit (config.secrets.secrets.local.networking) hostId;
     wireless.iwd.enable = true;
     # Add the VPN based route to my paperless instance to
     # etc/hosts
@@ -19,15 +19,15 @@
   systemd.network.networks = {
     "01-lan1" = {
       DHCP = "yes";
-      matchConfig.MACAddress = nodeSecrets.networking.lan1.mac;
+      matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac;
       networkConfig.IPv6PrivacyExtensions = "yes";
-      gateway = [nodeSecrets.networking.fuckKoreanDorm.gateway];
+      gateway = [config.secrets.secrets.local.networking.fuckKoreanDorm.gateway];
-      address = [nodeSecrets.networking.fuckKoreanDorm.address];
+      address = [config.secrets.secrets.local.networking.fuckKoreanDorm.address];
       dns = ["9.9.9.9"];
     };
     "01-wlan1" = {
       DHCP = "yes";
-      matchConfig.MACAddress = nodeSecrets.networking.wlan1.mac;
+      matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan1.mac;
       networkConfig.IPv6PrivacyExtensions = "yes";
       # TODO: change dns to own when at hom
       dns = ["9.9.9.9"];

nix/generate-node.nix

@@ -9,7 +9,15 @@
   agenix-rekey,
   hyprland,
   ...
-} @ inputs: nodeName: nodeMeta: {
+} @ inputs: nodeName: {configPath ? null, ...} @ nodeMeta: let
+  path = ../hosts + "/${nodeName}/";
+  nodePath =
+    if configPath == null && builtins.isPath path && nixpkgs.lib.pathIsDirectory path
+    then path
+    else if configPath != null
+    then configPath
+    else null;
+in {
   inherit (nodeMeta) system;
   pkgs = self.pkgs.${nodeMeta.system};
   specialArgs = {
@@ -19,23 +27,16 @@
     inherit nodeName;
     inherit nodeMeta;
     inherit hyprland;
-    nodePath = ../hosts + "/${nodeName}/";
+    inherit nodePath;
-    secrets = self.secrets.content;
-    nodeSecrets = self.secrets.content.nodes.${nodeName};
     nixos-hardware = nixos-hardware.nixosModules;
     impermanence = impermanence.nixosModules;
   };
-  imports = [
+  imports =
-    (../hosts + "/${nodeName}")
+    [
-    home-manager.nixosModules.default
+      home-manager.nixosModules.default
-    impermanence.nixosModules.impermanence
+      impermanence.nixosModules.impermanence
-    agenix.nixosModules.default
+      agenix.nixosModules.default
-    agenix-rekey.nixosModules.default
+      agenix-rekey.nixosModules.default
-    #]
+    ]
-    #++ optionals nodeMeta.microVmHost [
+    ++ nixpkgs.lib.optional (nodePath != null) nodePath;
-    #  microvm.nixosModules.host
-    #]
-    #++ optionals (nodeMeta.type == "microvm") [
-    #  microvm.nixosModules.microvm
-  ];
 }

nix/secrets.nix

@@ -1,24 +1,19 @@
-# This file manages access to repository-secrets. Anything that is technically
-# not a secret on your hosts, but something you want to keep secret from the public.
-# Anything you don't want people to see on GitHub that isn't a password or encrypted
-# using agenix.
-#
-# All of these secrets may (and probably will be) put into the world-readable nix-store
-# on the build and target hosts. You'll most likely want to store personally identifiable
-# information here, such as:
-#   - MAC Addreses
-#   - Static IP addresses
-#   - Your full name (when configuring e.g. users)
-#   - Your postal address (when configuring e.g. home-assistant)
-#   - ...
 {
-  self,
+  lib,
-  nixpkgs,
+  pkgs,
+  inputs,
+  config,
   ...
-} @ inputs: let
+}: let
   inherit
-    (nixpkgs.lib)
+    (lib)
     mapAttrs
+    assertMsg
+    types
+    mkOption
+    mdDoc
+    mkIf
+    literalExpression
     ;
   # If the given expression is a bare set, it will be wrapped in a function,
   # so that the imported file can always be applied to the inputs, similar to
@@ -27,17 +22,53 @@
     if builtins.isAttrs x
     then (_: x)
     else x;
+
+  rageImportEncrypted = assert assertMsg (builtins ? extraBuiltins.rageImportEncrypted) "The rageImportEncrypted extra plugin is not loaded";
+    builtins.extraBuiltins.rageImportEncrypted;
   # This "imports" an encrypted .nix.age file
   importEncrypted = path:
     constSet (
       if builtins.pathExists path
-      then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
+      then builtins.extraBuiltins.rageImportEncrypted inputs.self.secretsConfig.masterIdentities path
       else {}
     );
-in
+  cfg = config.secrets;
-  # this exposes all secrets in the repository secert file to the flake output
+in {
-  (importEncrypted ../secrets/secrets.nix.age inputs)
+  options.secrets = {
-  // {
+    defineRageBuiltins = mkOption {
-    # this exposes host specific secrets
+      default = true;
-    nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
+      type = types.bool;
-  }
+      description = mdDoc ''
+        Add nix plugins and the extra builtins file to the nix config
+        Enabling this host to decrypt secret when deploying
+      '';
+    };
+
+    secretFiles = mkOption {
+      default = {};
+      type = types.attrsOf types.path;
+      example = literalExpression "{ local = ./secrets.nix.age; }";
+      description = mdDoc ''
+        Files containg secrets for this host.
+        As these will end up in the nix store of the host use this for
+        secrets that can be publicly known on the host but should be private
+        in the repository
+      '';
+    };
+
+    secrets = mkOption {
+      readOnly = true;
+      default =
+        mapAttrs (_: x: importEncrypted x inputs) cfg.secretFiles;
+      description = mdDoc ''
+        the secrets decrypted from the secretFiles
+      '';
+    };
+  };
+  config = {
+    nix.extraOptions = mkIf cfg.defineRageBuiltins ''
+            plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+      extra-builtins-file = ${./.}/extra-builtins.nix
+    '';
+  };
+}