made nix-secrets input comment-out-able.

README.md

@@ -27,3 +27,7 @@ Each host *must* import `configs/nixos/common.nix` in the top level and `configs
 Each host *must also* define the variables declared in `modules/hostopts.nix`.
 * Modules are always imported by the respective common.nix. They each have an enable option, and only have effects if enabled.
 * Roles are larger bundles of software and options. They define packages to be installed and may import configurations or enable modules.
+
+## Secrets
+This repo uses nix-sops for secrets management, with the encrypted secrets being stored in a private repo imported as an input.
+if the `nix-secrets` input is commented out, the repo should still build, gracefully degrading to default, non-secret, values.

configs/home-manager/email.nix

@@ -24,7 +24,7 @@
 
   programs.himalaya.enable = true;
 
-  accounts.email.accounts.gmail = {
+  accounts.email.accounts.gmail = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "gmail-password"] config) {
     address = "gabevenberg@gmail.com";
     primary = true;
     flavor = "gmail.com";

configs/home-manager/secrets.nix

@@ -5,15 +5,17 @@
   pkgs,
   ...
 }: let
-  secretsDirectory = builtins.toString inputs.nix-secrets;
+  secretsDirectory = builtins.toString (inputs.nix-secrets or "");
 in {
-  sops = {
+  config = lib.mkIf (inputs ? nix-secrets) {
-    defaultSopsFile = "${secretsDirectory}/common.yaml";
+    sops = {
-    validateSopsFiles = false;
+      defaultSopsFile = "${secretsDirectory}/common.yaml";
-    age = {
+      validateSopsFiles = false;
-      sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
+      age = {
-      keyFile = "${config.home.homeDirectory}/.config/sops-nix/key.txt";
+        sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
-      generateKey = true;
+        keyFile = "${config.home.homeDirectory}/.config/sops-nix/key.txt";
+        generateKey = true;
+      };
     };
   };
 }

configs/home-manager/tiny-irc.nix

@@ -29,7 +29,7 @@
             "#gamingonlinux"
             "##chat"
           ];
-          sasl = {
+          sasl = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "irc-cert"] config) {
             username = "toric";
             pem = config.sops.secrets.irc-cert.path;
           };

configs/nixos/common.nix

@@ -4,7 +4,10 @@
   inputs,
   lib,
   ...
-}: {
+}: let
+  # hash for "nixos"
+  defaultPasswordHash = "$y$j9T$u0O3PELyRv3GOemCReQhA0$Qb4Sl6dXnafYwZeDYrJGwS4xp3v6vGriWFMYomHH2w3";
+in {
   nix = {
     package = pkgs.nixFlakes;
     extraOptions = ''
@@ -40,15 +43,22 @@
 
   programs.zsh.enable = lib.mkDefault true;
   environment.shells = lib.mkDefault [pkgs.zsh];
-  users.mutableUsers = false;
+  # if we arent setting our password from nix secrets, we need to allow changing it.
+  users.mutableUsers = !inputs ? nix-secrets;
   users.users.${config.host.user} = {
     isNormalUser = true;
-    hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
+    hashedPassword =
+      if inputs ? nix-secrets
+      then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
+      else defaultPasswordHash;
     description = config.host.fullName;
     shell = pkgs.zsh;
     extraGroups = ["wheel"];
   };
-  # users.users.root.password = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
+  users.users.root.password =
+    if inputs ? nix-secrets
+    then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
+    else defaultPasswordHash;
 
   imports = [
     ../../modules/hostopts.nix

configs/nixos/secrets.nix

@@ -5,17 +5,20 @@
   pkgs,
   ...
 }: let
-  secretsDirectory = builtins.toString inputs.nix-secrets;
+  secretsDirectory = builtins.toString (inputs.nix-secrets or "");
 in {
   imports = [
     inputs.sops-nix.nixosModules.sops
   ];
-  sops = {
+  config = lib.mkIf (inputs ? nix-secrets) {
-    validateSopsFiles = false;
+    sops = {
-    age = {
+      defaultSopsFile = "${secretsDirectory}/common.yaml";
-      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+      validateSopsFiles = false;
-      keyFile = "/var/lib/sops-nix/key.txt";
+      age = {
-      generateKey = true;
+        sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+        keyFile = "/var/lib/sops-nix/key.txt";
+        generateKey = true;
+      };
     };
   };
 }

configs/nixos/sshd.nix

@@ -16,8 +16,11 @@
     kitty.terminfo
   ];
 
-  users.users.root.openssh.authorizedKeys.keys =
+  users.users.root.openssh.authorizedKeys.keys = lib.mkDefault (
-    lib.mkDefault (configLib.dirToStrings "${inputs.nix-secrets}/public-keys");
+    if inputs ? nix-secrets
+    then (configLib.dirToStrings "${inputs.nix-secrets}/public-keys")
+    else []
+  );
   # if it can log into root, it should also be able to log in to the main user.
   users.users.${config.host.user}.openssh.authorizedKeys.keys =
     config.users.users.root.openssh.authorizedKeys.keys;

hosts/archlaptop-vm/default.nix

@@ -43,6 +43,7 @@ inputs.nixpkgs.lib.nixosSystem {
       home-manager.users.${config.host.user} = {
         inputs,
         osConfig,
+        lib,
         ...
       }: {
         host = osConfig.host;
@@ -59,11 +60,12 @@ inputs.nixpkgs.lib.nixosSystem {
           ../../roles/home-manager/terminal.nix
           ../../configs/home-manager/common.nix
           ../../configs/home-manager/email.nix
+          ../../configs/home-manager/tiny-irc.nix
           inputs.nixvim.homeManagerModules.nixvim
           ../../configs/home-manager/secrets.nix
         ];
 
-        sops = {
+        sops = lib.mkIf (inputs ? nix-secrets) {
           secrets = {
             gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
             irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";

hosts/home-personal.nix

@@ -41,7 +41,7 @@ inputs.home-manager.lib.homeManagerConfiguration {
         inputs.sops-nix.homeManagerModules.sops
       ];
 
-      sops = {
+      sops = lib.mkIf (inputs ? nix-secrets) {
         secrets = {
           gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
           irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";

hosts/home-workstation.nix

@@ -40,12 +40,12 @@ inputs.home-manager.lib.homeManagerConfiguration {
         ../roles/home-manager/terminal.nix
         ../configs/home-manager/common.nix
         ../configs/home-manager/syncthing.nix
-        ../../configs/home-manager/tiny-irc.nix
+        ../configs/home-manager/tiny-irc.nix
         ../configs/home-manager/secrets.nix
         inputs.sops-nix.homeManagerModules.sops
       ];
 
-      sops = {
+      sops = lib.mkIf (inputs?nix-secrets) {
         secrets = {
           irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
         };