Diffstat (limited to 'modules')
-rw-r--r--modules/nixos/traits/acme.nix2
-rw-r--r--modules/nixos/traits/cloudflared.nix2
-rw-r--r--modules/nixos/traits/hercules.nix48
-rw-r--r--modules/nixos/traits/tailscale.nix2
-rw-r--r--modules/nixos/traits/user-setup.nix2
-rw-r--r--modules/nixos/traits/users.nix2
6 files changed, 31 insertions, 27 deletions
diff --git a/modules/nixos/traits/acme.nix b/modules/nixos/traits/acme.nix
index a377b25..0d42f6a 100644
--- a/modules/nixos/traits/acme.nix
+++ b/modules/nixos/traits/acme.nix
@@ -10,7 +10,7 @@ in {
enable = lib.mkEnableOption "ACME support";
manageSecrets =
- lib.mkEnableOption "automatic management of secrets"
+ lib.mkEnableOption "automatic secrets management"
// {
default = config.traits.secrets.enable;
};
diff --git a/modules/nixos/traits/cloudflared.nix b/modules/nixos/traits/cloudflared.nix
index 9905d33..5bff263 100644
--- a/modules/nixos/traits/cloudflared.nix
+++ b/modules/nixos/traits/cloudflared.nix
@@ -10,7 +10,7 @@ in {
options.traits.cloudflared = {
enable = lib.mkEnableOption "cloudflared";
manageSecrets =
- lib.mkEnableOption "automatically managed secrets"
+ lib.mkEnableOption "automatic secrets management"
// {
default = config.traits.secrets.enable;
};
diff --git a/modules/nixos/traits/hercules.nix b/modules/nixos/traits/hercules.nix
index fc3dbd0..14e8c12 100644
--- a/modules/nixos/traits/hercules.nix
+++ b/modules/nixos/traits/hercules.nix
@@ -9,39 +9,43 @@
in {
options.traits.hercules-ci = {
enable = lib.mkEnableOption "hercules-ci";
- manageSecrets = lib.mkEnableOption "automatic secrets management";
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
- services = {
- hercules-ci-agent = {
- enable = true;
- package = unstable.hercules-ci-agent;
- settings = {
- binaryCachesPath = config.age.secrets.binaryCache.path;
- clusterJoinTokenPath = config.age.secrets.clusterToken.path;
- secretsJsonPath = config.age.secrets.secretsJson.path;
- };
- };
+ services.hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
};
}
(let
- hercArgs = {
- mode = "400";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
-
- mkSecrets = lib.mapAttrs (_: file: lib.recursiveUpdate hercArgs {inherit file;});
+ secretNames = [
+ "binaryCaches"
+ "clusterJoinToken"
+ "secretsJson"
+ ];
in
lib.mkIf cfg.manageSecrets {
- age.secrets = mkSecrets {
- binaryCache = secretsDir + "/binaryCache.age";
- clusterToken = secretsDir + "/clusterToken.age";
- secretsJson = secretsDir + "/secretsJson.age";
+ age.secrets = lib.genAttrs secretNames (
+ file: {
+ file = "${secretsDir}/${file}.age";
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ }
+ );
+
+ services.hercules-ci-agent = {
+ settings = lib.mapAttrs' (name: lib.nameValuePair (name + "Path")) (
+ lib.genAttrs secretNames (name: config.age.secrets.${name}.path)
+ );
};
})
]
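Review bot: The agenix secret keys are renamed here (`binaryCache` → `binaryCaches`, `clusterToken` → `clusterJoinToken`), and because the `.age` path is now derived from the key (`"${secretsDir}/${file}.age"`), the expected files become `binaryCaches.age` and `clusterJoinToken.age`; this diff is limited to `modules`, so I cannot see whether the encrypted files and the matching entries in the agenix `secrets.nix` were renamed too — if they were not, the build fails (or, at best, the agent comes up without a join token). It is also worth documenting that with `manageSecrets = false` the agent is still enabled but no `*Path` settings are set, so the operator must provision the token files at the nixpkgs module's default locations; a comment above `services.hercules-ci-agent = {` such as `# Without manageSecrets the agent relies on the upstream default secret paths; provision them out of band.` would make that explicit. As a point of style, the `genAttrs` lambda parameter is the secret name, not a file, so `name: { file = "${secretsDir}/${name}.age"; ... }` would read more clearly than `file:` shadowing the attribute it assigns.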
diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix
index 93616b5..b432ced 100644
--- a/modules/nixos/traits/tailscale.nix
+++ b/modules/nixos/traits/tailscale.nix
@@ -10,7 +10,7 @@ in {
enable = lib.mkEnableOption "Tailscale";
ssh.enable = lib.mkEnableOption "Tailscale SSH";
manageSecrets =
- lib.mkEnableOption "the use of agenix for auth"
+ lib.mkEnableOption "automatic secrets management"
// {
default = config.traits.secrets.enable && cfg.ssh.enable;
};
diff --git a/modules/nixos/traits/user-setup.nix b/modules/nixos/traits/user-setup.nix
index a8a4cd6..1d02134 100644
--- a/modules/nixos/traits/user-setup.nix
+++ b/modules/nixos/traits/user-setup.nix
@@ -10,7 +10,7 @@ in {
options.traits.user-setup = {
enable = lib.mkEnableOption "basic immutable user & root configurations";
manageSecrets =
- lib.mkEnableOption "automatic management of secrets"
+ lib.mkEnableOption "automatic secrets management"
// {
default = config.traits.secrets.enable;
};
diff --git a/modules/nixos/traits/users.nix b/modules/nixos/traits/users.nix
index 3302366..3d50ce7 100644
--- a/modules/nixos/traits/users.nix
+++ b/modules/nixos/traits/users.nix
@@ -16,7 +16,7 @@ in {
hostUser = {
enable = lib.mkEnableOption "${hostName} user configuration";
manageSecrets =
- lib.mkEnableOption "automatically manage secrets"
+ lib.mkEnableOption "automatic secrets management"
// {
default = config.traits.secrets.enable;
};