Secrets! Thanks to arc.

config/common/default.nix

@@ -24,6 +24,12 @@ in {
     trustedUsers = [ "root" "@wheel" ];
   };
 
+  secrets = {
+    root = "/var/lib/kat/secrets";
+    persistentRoot = "/var/lib/kat/secrets";
+    external = true;
+  };
+
   services.journald.extraConfig = "SystemMaxUse=512M";
 
   environment.variables = {

config/users/kat/default.nix

@@ -24,6 +24,10 @@
 
   home-manager.useGlobalPkgs = true;
   home-manager.users.kat = {
+    imports = [ 
+      ./modules
+    ];
+    
     programs.fish = {
       enable = true;
       shellAliases = { nixdirfmt = "fd --color=never .nix | xargs nixfmt"; };

config/users/kat/modules/default.nix

@@ -0,0 +1,7 @@
+{ ... }: 
+let sources = import ../../../../nix/sources.nix;  
+in {
+    imports = [
+        (sources.tf-nix + "/modules/home/secrets.nix")    
+    ];
+}

modules/default.nix

@@ -1,4 +1,10 @@
 { ... }:
 
-let sources = import ../nix/sources.nix;
-in { imports = [ ./deploy ]; }
+ let sources = import ../nix/sources.nix;  in 
+ { 
+    imports = [ 
+        ./deploy 
+        (sources.tf-nix + "/modules/nixos/secrets.nix")    
+        (sources.tf-nix + "/modules/nixos/secrets-users.nix")   
+    ]; 
+}

modules/deploy/default.nix

@@ -3,7 +3,15 @@
 with lib;
 
 let cfg = config.meta.deploy;
-
+secretsScript = concatMapStrings (file: ''
+  ssh $NIX_SSHOPTS ${cfg.ssh.host} '
+  sudo mkdir -p ${toString file.out.dir}
+  echo \\"
+  ${file.text}
+  " | sudo tee ${file.path}
+  sudo chmod ${file.mode} ${file.path}
+  sudo chown ${file.owner}:${file.group} ${file.path}'
+'') (attrValues config.secrets.files);
 in {
   options = {
     meta.deploy = {
@@ -42,6 +50,7 @@ in {
         nix copy ${
           if cfg.substitute then "-s" else ""
         } --no-check-sigs --to ssh://${cfg.ssh.host} ${config.system.build.toplevel}
+        ${secretsScript}
         ssh $NIX_SSHOPTS ${cfg.ssh.host} "sudo nix-env -p /nix/var/nix/profiles/system -i ${config.system.build.toplevel}" 
         ssh $NIX_SSHOPTS ${cfg.ssh.host} "sudo /nix/var/nix/profiles/system/bin/switch-to-configuration $1" 
       '';

nix/sources.json

@@ -117,5 +117,17 @@
         "type": "tarball",
         "url": "https://git.qyliss.net/nixlib/snapshot/nixlib-e14330c5be9b005d4310cd4dc0d384cff882aedc.tar.gz",
         "url_template": "https://git.qyliss.net/nixlib/snapshot/nixlib-<rev>.tar.gz"
+    },
+    "tf-nix": {
+        "branch": "master",
+        "description": "terraform meets nix",
+        "homepage": null,
+        "owner": "arcnmx",
+        "repo": "tf-nix",
+        "rev": "32dae16c0aaba3412905bd80968888a767071808",
+        "sha256": "1c0vg42j096jp65b6indynh2y77xfv8nrfrnbv4llxfjsmd6w3lq",
+        "type": "tarball",
+        "url": "https://github.com/arcnmx/tf-nix/archive/32dae16c0aaba3412905bd80968888a767071808.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }

todo.org

@@ -3,10 +3,7 @@
 ** TODO Move virtual machine config into nixfiles
 ** TODO Add dork.dev to mailserver
 ** TODO Set up proper user service for scream
-** TODO Secrets handling
 
 * Secrets handling
 
 ** TODO Bitwarden integration for secrets obtainment
-** TODO Secrets transposition service
-** TODO Config delivery + permissions service