automatically import secrets into nixos

nixosModules/flake-module.nix

@@ -1,6 +1,10 @@
-{ ... }: {
+{ inputs, ... }: {
   flake.nixosModules = {
     hidden-ssh-announce.imports = [ ./hidden-ssh-announce.nix ];
-    installer.imports = [ ./installer.nix ];
+    installer.imports = [ ./installer ];
+    secrets.imports = [
+      inputs.sops-nix.nixosModules.sops
+      ./secrets
+    ];
   };
 }

nixosModules/secrets/default.nix

@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  encryptedForThisMachine = name: type:
+    let
+      symlink = config.clan.sops.sopsDirectory + "/secrets/${name}/machines/${config.clan.sops.machineName}";
+    in
+    # WTF, nix bug, my symlink is in the nixos module detected as a directory also it works in the repl
+    type == "directory" && (builtins.readFileType symlink == "directory" || builtins.readFileType symlink == "symlink");
+  secrets = lib.filterAttrs encryptedForThisMachine (builtins.readDir (config.clan.sops.sopsDirectory + "/secrets"));
+in
+{
+  imports = [
+  ];
+  options = {
+    clan.sops = {
+      machineName = lib.mkOption {
+        type = lib.types.str;
+        default = config.networking.hostName;
+        description = ''
+          Machine used to lookup secrets in the sops directory.
+        '';
+      };
+      sopsDirectory = lib.mkOption {
+        type = lib.types.path;
+        description = ''
+          Sops toplevel directory that stores users, machines, groups and secrets.
+        '';
+      };
+    };
+  };
+  config = {
+    sops.secrets = builtins.mapAttrs
+      (name: _: {
+        sopsFile = config.clan.sops.sopsDirectory + "/secrets/${name}/secret";
+        format = "binary";
+      })
+      secrets;
+  };
+}