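# NixOS module fragment: host secrets pulled from a HashiCorp Vault on loopback.
#
# Conventions visible from the fetch scripts below (the `services.secrets` module
# itself is not in view, so these are read off the usage, not its definition):
#   * each `secrets.<name>.fetchScript` runs as a shell snippet with `$SYSROOT`
#     and `$secretFile` set and a `simple_get <kv-path> <filter>` helper in scope;
#     the `.field` argument looks like a jq filter, so a missing field presumably
#     prints the literal `null` rather than nothing — both cases are rejected below;
#   * the script is assumed to be run with its exit status checked, so every
#     fetch fails closed (`exit 1`) instead of leaving an empty or truncated file.
{...}: {
  services.secrets = {
    enable = true;

    # Loopback only: plaintext HTTP is acceptable because the login token and
    # the fetched secrets never leave the host. Do not point this at a remote
    # address without switching to https:// and a trusted CA.
    vaultURL = "http://127.0.0.1:8200";

    vaultLogin = {
      enable = true;
      loginUsername = "vault";
    };

    autoSecrets = {
      # won't work when sealed
      enable = false;
    };

    # KV-v2 data paths this host's Vault identity must be able to read; listing
    # them up front lets a missing policy grant fail early rather than half-way
    # through fetching.
    requiredVaultPaths = [
      "private-public-keys/data/ssh/root@vault"
      "private-public-keys/data/ssh/root@vault-decrypt"
      "private-public-keys/data/restic/Vault"
      "api-keys/data/storage/restic/Vault"
    ];

    secrets = {
      # Provided by hand (it is what unlocks Vault in the first place); never fetched.
      vault_password = {
        manual = true;
      };

      # sshd host private key, stored base64-encoded in Vault.
      ssh_host_ed25519_key = {
        path = "/etc/ssh/ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          # mkdir -p is idempotent; the former `[ ! -d ] && mkdir` form returns
          # non-zero when the directory already exists, which trips `set -e`.
          mkdir -p "$SYSROOT/etc/ssh"
          key=$(simple_get "/private-public-keys/ssh/root@vault" .private)
          # Fail closed: a sealed Vault, missing grant or wrong field name must
          # not leave an empty host key (sshd would refuse to start, or worse,
          # a later step might regenerate and silently rotate the host identity).
          [ -n "$key" ] && [ "$key" != null ] || { echo "ssh_host_ed25519_key: empty fetch from Vault" >&2; exit 1; }
          printf '%s' "$key" | base64 -d > "$secretFile" || exit 1
        '';
      };

      # sshd host public key.
      # FIX: the original fetched `.private` here as well, so the world-visible
      # `.pub` path held a second copy of the private key.
      # NOTE(review): assumes the Vault entry exposes a `public` field next to
      # `private` (the mount is literally named private-public-keys) and that it
      # is base64-encoded like the private half — confirm both before deploying.
      # 600 is stricter than the conventional 644 for a public key, but sshd does
      # not read this file, so the tighter mode is harmless and kept as-is.
      ssh_host_ed25519_key_pub = {
        path = "/etc/ssh/ssh_host_ed25519_key.pub";
        permissions = "600";
        fetchScript = ''
          mkdir -p "$SYSROOT/etc/ssh"
          pub=$(simple_get "/private-public-keys/ssh/root@vault" .public)
          [ -n "$pub" ] && [ "$pub" != null ] || { echo "ssh_host_ed25519_key_pub: empty fetch from Vault" >&2; exit 1; }
          printf '%s' "$pub" | base64 -d > "$secretFile" || exit 1
        '';
      };

      # Host key for the initrd SSH server (presumably the remote-unlock stage,
      # going by the "vault-decrypt" name — confirm).
      # this doesn't need to be a secret and can be generated at install time
      # but it makes it easier to install.
      # it's stored in /nix store anyway — i.e. world-readable on this host, so
      # treat it as "known to anyone with a local shell", not as a real secret,
      # and never reuse it as the main sshd host key.
      initrd_ssh_host_ed25519_key = {
        path = "/initrd_ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          key=$(simple_get "/private-public-keys/ssh/root@vault-decrypt" .private)
          [ -n "$key" ] && [ "$key" != null ] || { echo "initrd_ssh_host_ed25519_key: empty fetch from Vault" >&2; exit 1; }
          printf '%s' "$key" | base64 -d > "$secretFile" || exit 1
        '';
      };

      # Repository encryption password for restic (plain text, one line).
      restic_password = {
        fetchScript = ''
          pw=$(simple_get "/private-public-keys/restic/Vault" .password)
          [ -n "$pw" ] && [ "$pw" != null ] || { echo "restic_password: empty fetch from Vault" >&2; exit 1; }
          printf '%s\n' "$pw" > "$secretFile"
        '';
      };

      # REST-server credentials, written as an environment file.
      # Caveat: the username and password are spliced into the URL verbatim and
      # are NOT URL-encoded. A value containing a reserved character (`@`, `/`,
      # `:`, `%`, `#`, `?`) would at best break the URL and at worst change which
      # host restic talks to, so such values are rejected here rather than
      # written. A password embedded in RESTIC_REPOSITORY also surfaces wherever
      # the repository URL is logged or shown; if the restic in use supports
      # RESTIC_REST_USERNAME / RESTIC_REST_PASSWORD, prefer those and keep the
      # URL credential-free.
      restic_env = {
        fetchScript = ''
          user=$(simple_get "/api-keys/storage/restic/Vault" .username)
          pass=$(simple_get "/api-keys/storage/restic/Vault" .password)
          for v in "$user" "$pass"; do
            [ -n "$v" ] && [ "$v" != null ] || { echo "restic_env: empty fetch from Vault" >&2; exit 1; }
            case $v in
              *[@/:%#?]*) echo "restic_env: credential contains URL-reserved characters; URL-encode it or switch to RESTIC_REST_USERNAME/RESTIC_REST_PASSWORD" >&2; exit 1;;
            esac
          done
          # printf rather than echo: some /bin/sh echo implementations interpret
          # backslash sequences, which would corrupt a credential containing one.
          printf '%s\n' "RESTIC_REPOSITORY=rest:https://$user:$pass@storage-restic.owo.monster/Vault" > "$secretFile"
        '';
      };
    };
  };
}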