path: root/modules/nixos/traits/secrets.nix
Diffstat (limited to 'modules/nixos/traits/secrets.nix')
-rw-r--r--modules/nixos/traits/secrets.nix50
1 files changed, 42 insertions, 8 deletions
diff --git a/modules/nixos/traits/secrets.nix b/modules/nixos/traits/secrets.nix
index 6624ef8..d7f4e60 100644
--- a/modules/nixos/traits/secrets.nix
+++ b/modules/nixos/traits/secrets.nix
@@ -2,6 +2,7 @@
config,
lib,
inputs,
+ secretsDir,
...
}:
let
@@ -10,17 +11,50 @@ in
{
options.traits.secrets = {
enable = lib.mkEnableOption "secrets management";
- };
-
- imports = [ inputs.agenix.nixosModules.default ];
- config = lib.mkIf cfg.enable {
- _module.args = {
- secretsDir = inputs.self + "/secrets/${config.networking.hostName}";
+ rootUser = lib.mkEnableOption "manage secrets for root user" // {
+ default = true;
};
- age = {
- identityPaths = [ "/etc/age/key" ];
+ hostUser = lib.mkEnableOption "manager secrets for host user (see `profiles.server.hostUser`)" // {
+ default = config.profiles.server.hostUser;
+ defaultText = "config.profiles.server.hostUser";
};
};
+
+ imports = [ inputs.agenix.nixosModules.default ];
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ _module.args = {
+ secretsDir = inputs.self + "/secrets/${config.networking.hostName}";
+ };
+
+ age = {
+ identityPaths = [ "/etc/age/key" ];
+ };
+ }
+
+ (lib.mkIf cfg.rootUser {
+ age.secrets = {
+ rootPassword.file = secretsDir + "/rootPassword.age";
+ };
+
+ users.users.root = {
+ hashedPasswordFile = config.age.secrets.rootPassword.path;
+ };
+ })
+
+ (lib.mkIf (config.profiles.server.enable && cfg.hostUser) {
+ age.secrets = {
+ userPassword.file = secretsDir + "/userPassword.age";
+ };
+
+ users.users.${config.networking.hostName} = {
+ hashedPasswordFile = config.age.secrets.userPassword.path;
+ };
+ })
+ ]
+ );
}
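Review bot: The description of the new `hostUser` option has a typo that will surface in generated option documentation; change the string on the `hostUser = lib.mkEnableOption` line to `hostUser = lib.mkEnableOption "manage secrets for host user (see `profiles.server.hostUser`)" // {`. Note that `secretsDir` is now both taken as a module argument in the first hunk and provided by this same module via `_module.args` inside `lib.mkIf cfg.enable`, so when the trait is disabled the argument has no definition; this is probably harmless because the only uses sit under the same `mkIf`, but a short comment next to the `_module.args` block stating that the argument is self-provided and only valid when `traits.secrets.enable` is true would save the next reader from chasing the apparent cycle. Since `rootUser` defaults to true, enabling the trait now requires `secrets/<hostName>/rootPassword.age` to exist at evaluation time; a one-line comment on the `rootUser` option saying so would make the failure mode obvious when a new host is added.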