start work on tui app and rework secrets system

2026-02-15 01:12:38 +04:00
parent a89275f163
commit 2a8a30fc14
12 changed files with 2031 additions and 103 deletions
--- a/nix/flakeModule.nix
+++ b/nix/flakeModule.nix
@@ -63,7 +63,7 @@ in
      secret_map = lib.mapAttrs (
        name: value:
        let
-          keys = lib.unique (
+          sopskeys = lib.unique (
            lib.flatten (map (k: per_host_keys.${k}) value.hosts)
            ++ (lib.optionals value.global all_keys)
            ++ cfg.masterKeys
@@ -76,35 +76,71 @@ in
            hosts
            global
            ;
-          inherit keys;
+          keys = value.keys or [ ];
+          inherit sopskeys;
        }
      ) secrets;
+
      rules = lib.mapAttrsToList (name: value: {
        path_regex = "${cfg.secretsDir}/${name}$";
-        key_groups = [ { age = value.keys; } ];
+        key_groups = [ { age = value.sopskeys; } ];
      }) secret_map;
-      sops_secrets_map = lib.concatMapAttrs (
-        name: value:
-        let
-          hasHost = (lib.elem "wawa" value.hosts) || value.global;
-        in
-        if hasHost then
-          {
-            ${name} = {
-              inherit (value) format neededForUsers;
-              sopsFile = inputs.self + "/${cfg.secretsDir}/${name}";
-            };
-          }
-        else
-          { }
-      ) secret_map;
+      sops_secrets_map =
+        host:
+        lib.mkMerge (
+          lib.mapAttrsToList (
+            name: value:
+            let
+              hasHost = (lib.elem host value.hosts) || value.global;
+              isYamlOrJson = value.format == "yaml" || value.format == "json";
+            in
+            (
+              (
+                [
+                  (
+                    if hasHost && !(isYamlOrJson && value.keys != [ ]) then
+                      {
+                        ${name} = {
+                          inherit (value) format neededForUsers;
+                          sopsFile = inputs.self + "/${cfg.secretsDir}/${name}";
+                        };
+                      }
+                    else
+                      { }
+                  )
+                ]
+                ++ (lib.map (v: {
+                  "${name}-${v}" = {
+                    inherit (value) format neededForUsers;
+                    sopsFile = inputs.self + "/${cfg.secretsDir}/${name}";
+                    key = v;
+                  };
+                }) value.keys)
+              )
+            )
+          ) secret_map
+        );
    in
    {
-      secrets.nixosModule =
-        { ... }:
-        {
-          config.sops.secrets = sops_secrets_map;
+      flake.secretsManifest = {
+        secretsDir = cfg.secretsDir;
+        masterKeys = cfg.masterKeys;
+        hosts = lib.mapAttrs (_: keys: { inherit keys; }) per_host_keys;
+        secrets = secret_map;
+        secrets_map = sops_secrets_map;
+      };
+      secrets.nixosModule = {
+        default = host: {
+          config = {
+            sops.secrets = sops_secrets_map host;
+          };
        };
+        network =
+          { config, ... }:
+          {
+            config.sops.secrets = sops_secrets_map config.networking.hostName;
+          };
+      };
      perSystem =
        { pkgs, self', ... }:
        let