feat: data-crypted

2026-01-11 22:30:25 +01:00 · 2024-08-16 22:42:13 +08:00
parent df1f9b0070
commit d853036fb1
5 changed files with 89 additions and 33 deletions
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -35,6 +35,7 @@ in {
    server.operation.enable = mkEnableOption "NixOS Secrets for Operation Servers(Backup, Monitoring, etc)";
    server.kubernetes.enable = mkEnableOption "NixOS Secrets for Kubernetes";
    server.webserver.enable = mkEnableOption "NixOS Secrets for Web Servers(contains tls cert keys)";
+    server.storage.enable = mkEnableOption "NixOS Secrets for HDD Data's LUKS Encryption";

    impermanence.enable = mkEnableOption "whether use impermanence and ephemeral root file system";
  };
@@ -249,5 +250,24 @@ in {
          };
        };
      })
+
+      (mkIf cfg.server.storage.enable {
+        age.secrets = {
+          "hdd-luks-crypt-key" = {
+            file = "${mysecrets}/hdd-luks-crypt-key.age";
+            mode = "0400";
+            owner = "root";
+          };
+        };
+
+        # place secrets in /etc/
+        environment.etc = {
+          "agenix/hdd-luks-crypt-key" = {
+            source = config.age.secrets."hdd-luks-crypt-key".path;
+            mode = "0400";
+            user = "root";
+          };
+        };
+      })
    ]);
 }