refactor clanCore.secrets -> clanCore.facts

nixosModules/clanCore/facts/secret/password-store.nix

@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+{
+  options.clan.password-store.targetDirectory = lib.mkOption {
+    type = lib.types.path;
+    default = "/etc/secrets";
+    description = ''
+      The directory where the password store is uploaded to.
+    '';
+  };
+  config = lib.mkIf (config.clanCore.facts.secretStore == "password-store") {
+    clanCore.facts.secretDirectory = config.clan.password-store.targetDirectory;
+    clanCore.facts.secretUploadDirectory = config.clan.password-store.targetDirectory;
+    clanCore.facts.secretModule = "clan_cli.facts.secret_modules.password_store";
+  };
+}

nixosModules/clanCore/facts/secret/sops.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  secretsDir = config.clanCore.clanDir + "/sops/secrets";
+  groupsDir = config.clanCore.clanDir + "/sops/groups";
+
+  # My symlink is in the nixos module detected as a directory also it works in the repl. Is this because of pure evaluation?
+  containsSymlink =
+    path:
+    builtins.pathExists path
+    && (builtins.readFileType path == "directory" || builtins.readFileType path == "symlink");
+
+  containsMachine =
+    parent: name: type:
+    type == "directory" && containsSymlink "${parent}/${name}/machines/${config.clanCore.machineName}";
+
+  containsMachineOrGroups =
+    name: type:
+    (containsMachine secretsDir name type)
+    || lib.any (
+      group: type == "directory" && containsSymlink "${secretsDir}/${name}/groups/${group}"
+    ) groups;
+
+  filterDir =
+    filter: dir:
+    lib.optionalAttrs (builtins.pathExists dir) (lib.filterAttrs filter (builtins.readDir dir));
+
+  groups = builtins.attrNames (filterDir (containsMachine groupsDir) groupsDir);
+  secrets = filterDir containsMachineOrGroups secretsDir;
+in
+{
+  options = {
+    clanCore.sops.defaultGroups = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      example = [ "admins" ];
+      description = "The default groups to for encryption use when no groups are specified.";
+    };
+  };
+  config = lib.mkIf (config.clanCore.facts.secretStore == "sops") {
+    clanCore.facts.secretDirectory = "/run/secrets";
+    clanCore.facts.secretModule = "clan_cli.facts.secret_modules.sops";
+    clanCore.facts.secretUploadDirectory = lib.mkDefault "/var/lib/sops-nix";
+    sops.secrets = builtins.mapAttrs (name: _: {
+      sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
+      format = "binary";
+    }) secrets;
+    # To get proper error messages about missing secrets we need a dummy secret file that is always present
+    sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (
+      lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" ""))
+    );
+
+    sops.age.keyFile = lib.mkIf (builtins.pathExists (
+      config.clanCore.clanDir + "/sops/secrets/${config.clanCore.machineName}-age.key/secret"
+    )) (lib.mkDefault "/var/lib/sops-nix/key.txt");
+  };
+}

nixosModules/clanCore/facts/secret/vm.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  config = lib.mkIf (config.clanCore.facts.secretStore == "vm") {
+    clanCore.facts.secretDirectory = "/etc/secrets";
+    clanCore.facts.secretUploadDirectory = "/etc/secrets";
+    clanCore.facts.secretModule = "clan_cli.facts.secret_modules.vm";
+  };
+}