Use conditional identityFile in SSH host configs

2026-01-06 16:11:04 -06:00 · 2026-01-06 16:11:04 -06:00 · b8ae608af5
commit b8ae608af5
parent aef5e24b12
3 changed files with 62 additions and 67 deletions
--- a/flakes/secrets-bao/flake.nix
+++ b/flakes/secrets-bao/flake.nix
@ -27,6 +27,35 @@
            ) secrets);
          in
          builtins.foldl' (acc: v: acc // v) { } fragments;
+
+        applyHmChanges = secrets:
+          let
+            substitute = secretPath: value:
+              if builtins.isAttrs value then
+                builtins.mapAttrs (_: v: substitute secretPath v) value
+              else if builtins.isList value then
+                map (v: substitute secretPath v) value
+              else if builtins.isString value then
+                builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
+              else
+                value;
+
+            fragments = builtins.attrValues (builtins.mapAttrs (
+              name: s:
+              let
+                secretPath = s.path or ("/run/secrets/" + name);
+              in
+              substitute secretPath (s.hmChanges or { })
+            ) secrets);
+
+            merged = builtins.foldl' (acc: v: acc // v) { } fragments;
+          in
+          if merged == { } then
+            { }
+          else
+            {
+              home-manager.sharedModules = [ (_: merged) ];
+            };
      };

      nixosModules = {