make all age use conditional

2025-10-27 23:03:40 -05:00 · 2025-10-27 23:03:40 -05:00 · 3cb6fba59e
commit 3cb6fba59e
parent b2f0476412
8 changed files with 73 additions and 9 deletions
--- a/flakes/common/nix_modules/remote_lio_builds.nix
+++ b/flakes/common/nix_modules/remote_lio_builds.nix
@ -1,17 +1,26 @@
 {
  config,
+  lib,
  ...
 }:
+let
+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
+in
 {
  # Remote build off home lio computer
-  programs.ssh.extraConfig = ''
+  programs.ssh.extraConfig = lib.mkIf (hasSecret "nix2lio") ''
    Host lio_
      PubkeyAcceptedKeyTypes ssh-ed25519
      ServerAliveInterval 60
      IPQoS throughput
      IdentityFile ${config.age.secrets.nix2lio.path}
  '';
-  nix = {
+  nix = lib.mkIf (hasSecret "nix2lio") {
    distributedBuilds = true;
    buildMachines = [
      {
--- a/flakes/common/nix_modules/tailnet.nix
+++ b/flakes/common/nix_modules/tailnet.nix
@ -1,11 +1,20 @@
 {
  config,
  pkgs,
+  lib,
  ...
 }:
+let
+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
+in
 {
  environment.systemPackages = with pkgs; [ tailscale ];
-  services.tailscale = {
+  services.tailscale = lib.mkIf (hasSecret "headscale_auth") {
    enable = true;
    openFirewall = true;
    useRoutingFeatures = "client";
--- a/hosts/h001/containers/zitadel.nix
+++ b/hosts/h001/containers/zitadel.nix
@ -13,6 +13,13 @@ let
  hostAddress6 = "fc00::1";
  containerAddress6 = "fc00::3";

+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
+
  binds = [
    # Postgres data, must use postgres user in container and host
    {
@ -31,6 +38,7 @@ let
      uid = config.ids.uids.postgres;
      gid = config.ids.gids.postgres;
    }
+  ] ++ lib.optionals (hasSecret "zitadel_master_key") [
    # secret
    {
      host = config.age.secrets.zitadel_master_key.path;
--- a/hosts/h001/mods/nixarr.nix
+++ b/hosts/h001/mods/nixarr.nix
@ -1,7 +1,16 @@
 {
  config,
+  lib,
  ...
 }:
+let
+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
+in
 {
  config = {
    nixarr = {
@ -9,7 +18,7 @@
      mediaDir = "/drives/wd10/nixarr/media";
      stateDir = "/var/lib/nixarr/state";

-      vpn = {
+      vpn = lib.mkIf (hasSecret "us_chi_wg") {
        enable = true;
        wgConf = config.age.secrets.us_chi_wg.path;
      };
--- a/hosts/h001/mods/oauth2-proxy.nix
+++ b/hosts/h001/mods/oauth2-proxy.nix
@ -1,6 +1,7 @@
 {
  inputs,
  config,
+  lib,
  ...
 }:
 let
@ -10,11 +11,17 @@ let
    system = "x86_64-linux";
    config.allowUnfree = true;
  };
+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
 in
 {
  disabledModules = [ declaration ];
  imports = [ "${nixpkgs}/nixos/modules/${declaration}" ];
-  config = {
+  config = lib.mkIf (hasSecret "oauth2_proxy_key_file") {
    services.oauth2-proxy = {
      enable = true;
      httpAddress = "http://127.0.0.1:4180";
--- a/hosts/h001/mods/openwebui.nix
+++ b/hosts/h001/mods/openwebui.nix
@ -1,6 +1,7 @@
 {
  inputs,
  config,
+  lib,
  ...
 }:
 let
@ -10,12 +11,18 @@ let
    system = "x86_64-linux";
    config.allowUnfree = true;
  };
+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
 in
 {
  disabledModules = [ declaration ];
  imports = [ "${nixpkgs}/nixos/modules/${declaration}" ];
  options = { };
-  config = {
+  config = lib.mkIf (hasSecret "openwebui_env") {
    services.nginx.virtualHosts."chat.joshuabell.xyz" = {
      addSSL = true;
      sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
--- a/hosts/h001/nginx.nix
+++ b/hosts/h001/nginx.nix
@ -1,5 +1,6 @@
 {
  config,
+  lib,
  ...
 }:
 let
@ -7,10 +8,16 @@ let
    proxyWebsockets = true;
    proxyPass = "http://localhost:7575";
  };
+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
 in
 {
  # TODO transfer these to o001 to use same certs?
-  security.acme = {
+  security.acme = lib.mkIf (hasSecret "linode_rw_domains") {
    acceptTerms = true;
    defaults.email = "admin@joshuabell.xyz";
    certs."joshuabell.xyz" = {
--- a/hosts/oracle/o001/containers/vaultwarden.nix
+++ b/hosts/oracle/o001/containers/vaultwarden.nix
@ -1,5 +1,6 @@
 {
  config,
+  lib,
  ...
 }:
 let
@ -9,6 +10,13 @@ let
  hostDataDir = "/var/lib/${name}";

  v_port = 8222;
+  
+  hasSecret =
+    secret:
+    let
+      secrets = config.age.secrets or { };
+    in
+    secrets ? ${secret} && secrets.${secret} != null;
 in
 {
  users = {
@ -26,7 +34,7 @@ in
    chmod -R 750 ${hostDataDir}
  '';

-  containers.${name} = {
+  containers.${name} = lib.mkIf (hasSecret "vaultwarden_env") {
    ephemeral = true;
    autoStart = true;
    privateNetwork = false;
@ -72,7 +80,7 @@ in
      };
  };

-  services.nginx.virtualHosts."vault.joshuabell.xyz" = {
+  services.nginx.virtualHosts."vault.joshuabell.xyz" = lib.mkIf (hasSecret "vaultwarden_env") {
    enableACME = true;
    forceSSL = true;
    locations = {