sops: Read age public-keys from files

2026-01-21 12:51:34 +01:00 · 2025-12-25 20:23:03 +01:00 · 2025-12-25 20:23:03 +01:00 · 10362bd42b
commit 10362bd42b
parent de16ca49e8
11 changed files with 11 additions and 21 deletions
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@ -10,10 +10,7 @@
  boot.kernelPackages = pkgs.linuxPackages_latest;

  custom = {
-    sops = {
-      enable = true;
-      agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc";
-    };
+    sops.enable = true;

    boot = {
      loader.systemd-boot.enable = true;
--- a/hosts/desktop/keys/age.pub
+++ b/hosts/desktop/keys/age.pub
@ -0,0 +1 @@
+age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc
--- a/hosts/laptop/default.nix
+++ b/hosts/laptop/default.nix
@ -10,10 +10,7 @@
  boot.kernelPackages = pkgs.linuxPackages_latest;

  custom = {
-    sops = {
-      enable = true;
-      agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e";
-    };
+    sops.enable = true;

    boot = {
      loader.systemd-boot.enable = true;
--- a/hosts/laptop/keys/age.pub
+++ b/hosts/laptop/keys/age.pub
@ -0,0 +1 @@
+age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e
--- a/hosts/vps-monitor/default.nix
+++ b/hosts/vps-monitor/default.nix
@ -16,10 +16,7 @@
  custom = {
    persistence.enable = true;

-    sops = {
-      enable = true;
-      agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994";
-    };
+    sops.enable = true;

    boot.loader.grub.enable = true;

--- a/hosts/vps-monitor/keys/age.pub
+++ b/hosts/vps-monitor/keys/age.pub
@ -0,0 +1 @@
+age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994
--- a/hosts/vps-private/default.nix
+++ b/hosts/vps-private/default.nix
@ -16,10 +16,7 @@
  custom = {
    persistence.enable = true;

-    sops = {
-      enable = true;
-      agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69";
-    };
+    sops.enable = true;

    boot.loader.systemd-boot.enable = true;

--- a/hosts/vps-private/keys/age.pub
+++ b/hosts/vps-private/keys/age.pub
@ -0,0 +1 @@
+age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
@ -16,10 +16,7 @@
  custom = {
    persistence.enable = true;

-    sops = {
-      enable = true;
-      agePublicKey = "age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh";
-    };
+    sops.enable = true;

    boot.loader.systemd-boot.enable = true;

--- a/hosts/vps-public/keys/age.pub
+++ b/hosts/vps-public/keys/age.pub
@ -0,0 +1 @@
+age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
@ -17,7 +17,7 @@ in
    enable = lib.mkEnableOption "";
    agePublicKey = lib.mkOption {
      type = lib.types.nonEmptyStr;
-      default = "";
+      default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
    };
    secretsFile = lib.mkOption {
      type = lib.types.nonEmptyStr;
				`@ -0,0 +1 @@`
				`age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc`
				`@ -0,0 +1 @@`
				`age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e`
				`@ -0,0 +1 @@`
				`age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994`
				`@ -0,0 +1 @@`
				`age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69`
				`@ -0,0 +1 @@`
				`age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh`