-rw-r--r--home-manager/config/nheko/default.nix11
-rw-r--r--home-manager/impermanence/default.nix42
-rw-r--r--hosts/isimud/default.nix2
-rw-r--r--secrets/default.nix46
-rw-r--r--system/impermanence/default.nix34
-rw-r--r--system/options/default.nix8
-rw-r--r--system/services/serverphone/default.nix65
7 files changed, 125 insertions, 83 deletions
diff --git a/home-manager/config/nheko/default.nix b/home-manager/config/nheko/default.nix
index 7e39352b..fd147c0b 100644
--- a/home-manager/config/nheko/default.nix
+++ b/home-manager/config/nheko/default.nix
@@ -1,10 +1,13 @@
{
config,
- osConfig,
+ nixosConfig,
+ lib,
...
}: {
- xdg.configFile."nheko/nheko.conf".source = config.lib.file.mkOutOfStoreSymlink osConfig.age.secrets.nheko.path;
- programs.nheko = {
- enable = true;
+ config = lib.mkIf nixosConfig.soispha.secrets.enable {
+ xdg.configFile."nheko/nheko.conf".source = config.lib.file.mkOutOfStoreSymlink nixosConfig.age.secrets.nheko.path;
+ programs.nheko = {
+ enable = true;
+ };
};
}
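Review bot: The new `lib.mkIf nixosConfig.soispha.secrets.enable` wrapper also gates `programs.nheko.enable`, so a host that turns secrets off silently loses the client altogether, and nothing in the file says why. A one-line comment above the `config =` line would make the coupling explicit, for example `# nheko.conf is an agenix secret (it carries the account credentials); without secrets there is nothing to link, so the client is not installed either`. Keeping `mkOutOfStoreSymlink` is the right choice here, since it links to the decrypted path instead of copying the file into the world-readable store.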
diff --git a/home-manager/impermanence/default.nix b/home-manager/impermanence/default.nix
index 59cea605..90b2152b 100644
--- a/home-manager/impermanence/default.nix
+++ b/home-manager/impermanence/default.nix
@@ -1,24 +1,30 @@
-{...}: {
- home.persistence."/srv/home/soispha" = {
- allowOther = true;
- directories = [
- ".local/share"
+{
+ lib,
+ nixosConfig,
+ ...
+}: {
+ config = lib.mkIf nixosConfig.soispha.impermanence.enable {
+ home.persistence."/srv/home/soispha" = {
+ allowOther = true;
+ directories = [
+ ".local/share"
- ".local/state/nvim"
- ".local/state/wireplumber"
+ ".local/state/nvim"
+ ".local/state/wireplumber"
- ".config/Signal"
- ".config/Element"
+ ".config/Signal"
+ ".config/Element"
- ".cache"
- ".mozilla"
+ ".cache"
+ ".mozilla"
- "media"
- "repos"
- "school"
- ];
- files = [
- ".local/state/lesshst"
- ];
+ "media"
+ "repos"
+ "school"
+ ];
+ files = [
+ ".local/state/lesshst"
+ ];
+ };
};
}
diff --git a/hosts/isimud/default.nix b/hosts/isimud/default.nix
index ec4e623c..8b772fef 100644
--- a/hosts/isimud/default.nix
+++ b/hosts/isimud/default.nix
@@ -6,6 +6,8 @@
];
soispha = {
+ secrets.enable = false;
+ impermanence.enable = false;
locale = {
enable = true;
keyMap = "dvorak";
diff --git a/secrets/default.nix b/secrets/default.nix
index 1807fb8d..d1fc1714 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,25 +1,31 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
name = config.networking.hostName;
in {
- age = {
- secrets = {
- nheko = {
- file = ./nheko/conf. + name;
- mode = "700";
- owner = "soispha";
- group = "users";
- };
- serverphoneCa = {
- file = ./serverphone/ca.key;
- mode = "700";
- owner = "serverphone";
- group = "serverphone";
- };
- serverphoneServer = {
- file = ./serverphone/server.key;
- mode = "700";
- owner = "serverphone";
- group = "serverphone";
+ config = lib.mkIf config.soispha.secrets.enable {
+ age = {
+ secrets = {
+ nheko = {
+ file = ./nheko/conf. + name;
+ mode = "700";
+ owner = "soispha";
+ group = "users";
+ };
+ serverphoneCa = {
+ file = ./serverphone/ca.key;
+ mode = "700";
+ owner = "serverphone";
+ group = "serverphone";
+ };
+ serverphoneServer = {
+ file = ./serverphone/server.key;
+ mode = "700";
+ owner = "serverphone";
+ group = "serverphone";
+ };
};
};
};
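Review bot: All three secrets on the new side still carry `mode = "700"`, which sets the execute bit on a client config and two private keys that are only ever read. While these entries are being re-indented anyway, I would tighten `serverphoneCa` and `serverphoneServer` to `mode = "400";`, which is also agenix's default. The nheko entry could use `"600"` if the client has to write its config back through the symlink, which this hunk does not show. The closing brace of the module's attribute set lies outside the hunk.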
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 8e6d81fb..adbdfce2 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -1,4 +1,9 @@
-{config, ...}: let
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.soispha.impermanence;
networkmanager =
if config.networking.networkmanager.enable
then [
@@ -23,16 +28,25 @@
++ networkmanager
++ secureboot;
in {
- # needed for the hm impermanence config
- programs.fuse.userAllowOther = true;
+ options.soispha.impermanence = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc "Disk setup with disko";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ # needed for the hm impermanence config
+ programs.fuse.userAllowOther = true;
- environment.persistence = {
- "/srv" = {
- hideMounts = true;
- inherit directories;
- files = [
- "/etc/machine-id"
- ];
+ environment.persistence = {
+ "/srv" = {
+ hideMounts = true;
+ inherit directories;
+ files = [
+ "/etc/machine-id"
+ ];
+ };
};
};
}
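Review bot: The description of the new `soispha.impermanence.enable` option reads "Disk setup with disko", which looks copied from another module and does not describe what the switch controls. Something like `description = lib.mdDoc "Persist selected system state under /srv (impermanence)";` would match the `environment.persistence` block it gates. Because the option defaults to `true`, the description is the only hint a new host gets that `programs.fuse.userAllowOther` is switched on with it, so it is worth getting right. The `let` bindings that build `directories` begin above this hunk.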
diff --git a/system/options/default.nix b/system/options/default.nix
index 13861199..72ebc4fb 100644
--- a/system/options/default.nix
+++ b/system/options/default.nix
@@ -14,5 +14,13 @@ in {
description = lib.mdDoc "Which backlight to query for the screen brightness";
};
};
+ secrets = {
+ #enable = lib.mkEnableOption "Secrets through agenix";
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = lib.mdDoc "Enable secrets through agenix";
+ };
+ };
};
}
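Review bot: The commented-out `#enable = lib.mkEnableOption "Secrets through agenix";` is left next to its replacement without saying why it was dropped. The reason appears to be that `mkEnableOption` defaults to `false`, whereas this option is meant to be opt-out. I would delete the dead line and state that intent instead, for example `# default true: every host gets agenix secrets unless it opts out (see hosts/isimud)`. The enclosing `soispha` option set opens above the hunk.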
diff --git a/system/services/serverphone/default.nix b/system/services/serverphone/default.nix
index d07d3809..1684f92d 100644
--- a/system/services/serverphone/default.nix
+++ b/system/services/serverphone/default.nix
@@ -2,41 +2,44 @@
config,
serverphone,
system,
+ lib,
...
}: {
- services.serverphone = {
- package = "${serverphone.packages.${system}.default}";
- enable = true;
- domain = "localhost";
- configureDoas = true;
- acceptedSshKeys = [
- "AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME"
- ];
- authorized = {
- acceptedGpgKeys = [
- {
- source = ./keys/soispha_at_vhack.eu;
- trust = "ultimate";
- }
+ config = lib.mkIf config.soispha.secrets.enable {
+ services.serverphone = {
+ package = "${serverphone.packages.${system}.default}";
+ enable = true;
+ domain = "localhost";
+ configureDoas = true;
+ acceptedSshKeys = [
+ "AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME"
];
+ authorized = {
+ acceptedGpgKeys = [
+ {
+ source = ./keys/soispha_at_vhack.eu;
+ trust = "ultimate";
+ }
+ ];
+ };
+ caCertificate = "${./certificates/ca.crt}";
+ certificate = "${./certificates/server.crt}";
+ privateKey = config.age.secrets.serverphoneServer.path;
+ certificateRequest = {
+ acceptedUsers = [
+ "soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc"
+ ];
+ caPrivateKey = config.age.secrets.serverphoneCa.path;
+ };
};
- caCertificate = "${./certificates/ca.crt}";
- certificate = "${./certificates/server.crt}";
- privateKey = config.age.secrets.serverphoneServer.path;
- certificateRequest = {
- acceptedUsers = [
- "soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc"
- ];
- caPrivateKey = config.age.secrets.serverphoneCa.path;
- };
- };
- users.users.serverphone = {
- group = "serverphone";
- isSystemUser = true;
- home = "/run/serverphone";
- };
- users.groups.serverphone = {
- members = ["serverphone"];
+ users.users.serverphone = {
+ group = "serverphone";
+ isSystemUser = true;
+ home = "/run/serverphone";
+ };
+ users.groups.serverphone = {
+ members = ["serverphone"];
+ };
};
}
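Review bot: The `acceptedUsers` entry on the new side still embeds the full argon2id string (parameters, salt and digest) as a literal. It is therefore readable by anyone with access to the repository or the Nix store, which allows offline guessing against that password. The same block already takes `privateKey` and `caPrivateKey` from `config.age.secrets.*.path`. If the serverphone module can read accepted users from a file, this value belongs in an age secret too; otherwise a comment noting that the hash is deliberately public, and that the password must be high-entropy, would help the next reader. Separately, the service and its user and group are now gated on `soispha.secrets.enable` rather than a switch of their own. That is consistent with the `owner = "serverphone"` secrets, but deserves a short comment at the `config =` line.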