sops: Turn secretsFile into an absolute path

flake-parts/sops.nix

@@ -10,13 +10,13 @@
     {
       packages.sops-config =
         let
-          adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
+          adminPublicKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
 
           mkCreationRule = sopsCfg: {
-            path_regex = sopsCfg.secretsFile;
+            path_regex = self.lib.relativePath sopsCfg.secretsFile;
             key_groups = lib.singleton {
               age = [
-                adminKey
+                adminPublicKey
                 sopsCfg.agePublicKey
               ];
             };

hosts/desktop/default.nix

@@ -10,10 +10,7 @@
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
   custom = {
-    sops = {
+    sops.enable = true;
-      enable = true;
-      agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc";
-    };
 
     boot = {
       loader.systemd-boot.enable = true;

hosts/desktop/keys/age.pub

@@ -0,0 +1 @@
+age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc

hosts/laptop/default.nix

@@ -10,10 +10,7 @@
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
   custom = {
-    sops = {
+    sops.enable = true;
-      enable = true;
-      agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e";
-    };
 
     boot = {
       loader.systemd-boot.enable = true;

hosts/laptop/keys/age.pub

@@ -0,0 +1 @@
+age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e

hosts/vps-monitor/default.nix

@@ -16,10 +16,7 @@
   custom = {
     persistence.enable = true;
 
-    sops = {
+    sops.enable = true;
-      enable = true;
-      agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994";
-    };
 
     boot.loader.grub.enable = true;
 

hosts/vps-monitor/keys/age.pub

@@ -0,0 +1 @@
+age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994

hosts/vps-private/default.nix

@@ -16,10 +16,7 @@
   custom = {
     persistence.enable = true;
 
-    sops = {
+    sops.enable = true;
-      enable = true;
-      agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69";
-    };
 
     boot.loader.systemd-boot.enable = true;
 

hosts/vps-private/keys/age.pub

@@ -0,0 +1 @@
+age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69

hosts/vps-public/default.nix

@@ -16,10 +16,7 @@
   custom = {
     persistence.enable = true;
 
-    sops = {
+    sops.enable = true;
-      enable = true;
-      agePublicKey = "age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh";
-    };
 
     boot.loader.systemd-boot.enable = true;
 

hosts/vps-public/keys/age.pub

@@ -0,0 +1 @@
+age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh

modules/system/services/nebula/default.nix

@@ -42,11 +42,11 @@ in
       default = if cfg.routableAddress != null then 47141 else null;
     };
 
-    pubPath = lib.mkOption {
+    publicKeyPath = lib.mkOption {
       type = lib.types.path;
       default = "${self}/hosts/${hostname}/keys/nebula.pub";
     };
-    certPath = lib.mkOption {
+    certificatePath = lib.mkOption {
       type = lib.types.path;
       default = "${self}/hosts/${hostname}/keys/nebula.crt";
     };
@@ -69,7 +69,7 @@ in
       enable = true;
 
       ca = ./ca.crt;
-      cert = cfg.certPath;
+      cert = cfg.certificatePath;
       key = config.sops.secrets."nebula/host-key".path;
 
       listen.port = cfg.routablePort;

modules/system/sops.nix

@@ -7,8 +7,6 @@
 }:
 let
   cfg = config.custom.sops;
-
-  absoluteSecretsPath = "${self}/${cfg.secretsFile}";
 in
 {
   imports = [ inputs.sops.nixosModules.sops ];
@@ -17,15 +15,15 @@ in
     enable = lib.mkEnableOption "";
     agePublicKey = lib.mkOption {
       type = lib.types.nonEmptyStr;
-      default = "";
+      default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim;
     };
     secretsFile = lib.mkOption {
-      type = lib.types.nonEmptyStr;
+      type = lib.types.path;
-      default = "hosts/${config.networking.hostName}/secrets.json";
+      default = "${self}/hosts/${config.networking.hostName}/secrets.json";
     };
     secrets = lib.mkOption {
       type = lib.types.anything;
-      default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
+      default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
     };
   };
 
@@ -34,7 +32,7 @@ in
       age.sshKeyPaths = [
         "${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key"
       ];
-      defaultSopsFile = absoluteSecretsPath;
+      defaultSopsFile = cfg.secretsFile;
     };
   };
 }