ops-jrz1/modules/matrix-secrets/default.nix
Dan ab5aebb161 Phase 3: Extract and sanitize Matrix platform modules from ops-base
Extracted modules:
- Matrix homeserver (matrix-continuwuity.nix)
- mautrix bridges (slack, whatsapp, gmessages)
- Security modules (fail2ban, ssh-hardening)
- Development services module
- Matrix secrets module

All modules sanitized to remove personal information:
- Domains: example.com, matrix.example.org
- IPs: 10.0.0.x, 203.0.113.10
- Paths: /home/user, /path/to/ops-base
- Emails: admin@example.com

Configuration:
- Updated flake.nix with sops-nix and nixpkgs-unstable
- Updated hosts/ops-jrz1.nix to import all extracted modules
- Added example files (secrets, minimal config)
- Generated flake.lock

Generated with Claude Code - https://claude.com/claude-code
2025-10-13 14:51:14 -07:00


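{ lib, config, ... }:
let
  cfg = config.matrix.secrets;

  # Only secrets with `enable = true` are handed to sops-nix. The original
  # module declared `enable` but never read it, so disabled entries were still
  # decrypted and written to disk.
  enabledSecrets = lib.filterAttrs (_: secret: secret.enable) cfg;

  # sops keys of the enabled secrets; they become the attribute names under
  # `sops.secrets`, so they must be unique or entries silently overwrite each
  # other in `mapAttrs'`.
  sopsKeys = lib.mapAttrsToList (_: secret: secret.key) enabledSecrets;

  # Accept "400", "0400", "0640", ... (three or four octal digits). `mode` is
  # typed as a plain string, so a typo would otherwise reach sops-nix unchecked.
  isOctalMode = mode: builtins.match "[0-7]{3,4}" mode != null;
in
{
  # Declarative mapping from a Matrix service name (homeserver, bridge, ...) to
  # an entry in secrets/secrets.yaml. The attribute name doubles as the default
  # owner user and group of the decrypted file.
  options.matrix.secrets = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
      options = {
        enable = lib.mkOption {
          type = lib.types.bool;
          default = true;
          description = "Enable this Matrix secret.";
        };
        key = lib.mkOption {
          type = lib.types.str;
          description = "Key inside secrets/secrets.yaml.";
        };
        path = lib.mkOption {
          type = lib.types.str;
          description = "Path where decrypted secret should be written.";
        };
        user = lib.mkOption {
          type = lib.types.str;
          # Defaults to the service name so a service's secrets are readable
          # only by the user it runs as.
          default = name;
          description = "Owner user for the secret file.";
        };
        group = lib.mkOption {
          type = lib.types.str;
          default = name;
          description = "Owner group for the secret file.";
        };
        mode = lib.mkOption {
          type = lib.types.str;
          # Owner read-only by default; relax per secret if a service needs
          # group access.
          default = "0400";
          description = "File permission mode.";
        };
      };
    }));
    default = {};
    description = "Declarative mapping of Matrix service secrets to sops entries.";
  };

  config = {
    assertions = [
      {
        # `lib.hasAttr "key" secret` on a submodule value is always true because
        # every declared option is present as an attribute, so the previous
        # check could never fail. `str` does accept the empty string, so reject
        # that instead.
        assertion = lib.all (secret: secret.key != "" && secret.path != "") (lib.attrValues cfg);
        message = "Each matrix secret must define both `key` and `path`.";
      }
      {
        assertion = lib.length (lib.unique sopsKeys) == lib.length sopsKeys;
        message = "matrix.secrets: two enabled secrets share the same sops `key`; each key may be used only once.";
      }
      {
        assertion = lib.all (secret: isOctalMode secret.mode) (lib.attrValues cfg);
        message = "matrix.secrets: `mode` must be an octal permission string such as \"0400\".";
      }
    ];

    # One sops-nix secret per enabled entry, named after its sops key (sops-nix
    # uses the attribute name as the key in the secrets file by default).
    sops.secrets = lib.mapAttrs' (_: secret:
      lib.nameValuePair secret.key {
        inherit (secret) path;
        owner = secret.user;
        group = secret.group;
        mode = secret.mode;
      }
    ) enabledSecrets;
  };
}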