From 8ea1a92e12f33a4ed6c886c5739e51c484769a7e Mon Sep 17 00:00:00 2001
From: Infinidoge
Date: Wed, 24 Jan 2024 14:20:47 -0500
Subject: [PATCH] secrets: only decrypt explicitly declared secrets
---
 secrets/default.nix | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/secrets/default.nix b/secrets/default.nix
index 96228c9..968c11b 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -10,7 +10,7 @@ let
   filtered = (filterAttrs filterSecrets (builtins.readDir folder));
   secrets = mapAttrs' (n: v: nameValuePair (removeSuffix ".age" n) { file = toFile n; }) filtered;
-  setOwner = name: { owner = name; group = name; };
+  withOwner = name: secret: secret // { owner = name; group = name; };
 in
 {
   options = {
@@ -18,19 +18,17 @@ in
     secrets = mkOpt (attrsOf path) { };
   };
-  config = mkMerge [
-    {
-      age.secrets = mkIf config.modules.secrets.enable secrets;
-      secrets = mapAttrs (n: v: v.path) config.age.secrets;
-    }
-    # Set ownership of keys
-    (mkIf config.services.nginx.enable {
-      age.secrets."inx.moe.pem" = setOwner "nginx";
-      age.secrets."inx.moe.key" = setOwner "nginx";
-    })
-    (mkIf config.services.vaultwarden.enable {
-      age.secrets."vaultwarden" = setOwner "vaultwarden";
-    })
-  ];
+  config = mkIf config.modules.secrets.enable {
+    secrets = mapAttrs (n: v: v.path) config.age.secrets;
+    age.secrets = mkMerge [
+      { inherit (secrets) "infinidoge-password" "root-password" "binary-cache-private-key"; }
+      (mkIf config.services.nginx.enable {
+        "inx.moe.pem" = withOwner "nginx" secrets."inx.moe.pem";
+        "inx.moe.key" = withOwner "nginx" secrets."inx.moe.key";
+      })
+      (mkIf config.services.vaultwarden.enable {
+        "vaultwarden" = withOwner "vaultwarden" secrets."vaultwarden";
+      })
+    ];
+  };
 }
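Review bot: `withOwner "nginx" secrets."inx.moe.pem"` and the `.key` line below it hard-code the account the TLS private key is handed to, so if nginx is ever configured to run under another user or group (`services.nginx.user` / `services.nginx.group`) the key is either readable by the wrong account or unreadable by the service; `withOwner config.services.nginx.user` keeps ownership tied to the service, and since owner and group need not coincide the helper is better taking the group as a separate argument. The `# Set ownership of keys` comment from the removed block was dropped and nothing in the new code states the policy the commit title describes; a comment on the `age.secrets = mkMerge [` line such as `# Only secrets named here are decrypted on the host; everything else in ./secrets stays encrypted.` would carry that rationale into the file. Referencing `secrets."inx.moe.pem"` and the `inherit (secrets) ...` names directly also means a missing .age file now fails at evaluation time, which is the right direction for a secret-handling module. The enclosing module attribute set opens in the first hunk and closes with the `}` context line at the end of this one.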