{ pkgs, lib, config, ... }: let inherit (config.security) pass; rootKey = "root/key"; in { imports = [ # ]; security.pass = { store = ../../../sec/pass/servers/mermet; secrets."${rootKey}" = { # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring. postStart = '' ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \ --passphrase-file /${rootKey}.pass \ --import '${pass.secrets."${rootKey}".path}' shred -u '${pass.secrets."${rootKey}".path}' ''; }; }; install.ssh-nixos = { PATH = with pkgs; [gnupg openssh]; # Decrypt the rootKey passphrase and send it to the target host. script = lib.mkBefore '' gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' | ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass ''; }; systemd.services = lib.mapAttrs' (target: secret: # Start the rootKey service before the other services decrypting secrets. lib.nameValuePair (lib.removeSuffix ".service" secret.service) (lib.optionalAttrs (target != "${rootKey}") { after = [ pass.secrets."${rootKey}".service ]; wants = [ pass.secrets."${rootKey}".service ]; }) ) pass.secrets; }