configuration.nix

@@ -2,8 +2,7 @@
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
     ./modules/disk-config.nix
-    ./modules/agenix.nix
+    ./modules/custom
-    ./modules/custom.nix
     ./modules/uptimed.nix
   ];
 
@@ -55,12 +54,6 @@
         PasswordAuthentication = false;
         KbdInteractiveAuthentication = false;
       };
-      extraConfig = ''
-        HostCertificate ${
-          builtins.toFile "host_ed25519-cert.pub" config.custom.ssh.hostCert
-        }
-        HostKey ${config.age.secrets.host_ed25519.path}
-      '';
     };
 
     xserver = {
@@ -92,12 +85,6 @@
         };
       };
 
-      extraConfig = ''
-        CertificateFile ${
-          builtins.toFile "user_ed25519-cert.pub" config.custom.ssh.userCert
-        }
-        IdentityFile ${config.age.secrets.user_ed25519.path}
-      '';
     };
 
     neovim = {
@@ -186,4 +173,6 @@
 
   hardware.cpu.intel.updateMicrocode =
     lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  age.identityPaths = [ "/root/age_ed25519" ];
 }

modules/agenix.nix

@@ -1,10 +0,0 @@
-{ config, ... }: {
-  age = {
-    identityPaths = [ "/root/age_ed25519" ];
-
-    secrets = {
-      "host_ed25519".file = config.custom.ssh.hostKey;
-      "user_ed25519".file = config.custom.ssh.userKey;
-    };
-  };
-}

modules/custom.nix

@@ -1,88 +0,0 @@
-{ pkgs, lib, config, ... }: {
-  options = {
-    custom = {
-      dataDisk.enable = lib.mkOption {
-        default = false;
-        type = lib.types.bool;
-        description = ''
-          Whether to automatically mount /dev/sda1 on /mnt/data
-        '';
-      };
-
-      ssh = {
-        hostCert = lib.mkOption {
-          type = lib.types.str;
-          description = ''
-            SSH host certificate
-          '';
-        };
-
-        userCert = lib.mkOption {
-          type = lib.types.str;
-          description = ''
-            SSH user certificate
-          '';
-        };
-
-        hostKey = lib.mkOption {
-          default = ../secrets/${config.networking.hostName}_host_ed25519.age;
-          type = lib.types.path;
-          description = ''
-            SSH host key
-          '';
-        };
-
-        userKey = lib.mkOption {
-          default = ../secrets/${config.networking.hostName}_user_ed25519.age;
-          type = lib.types.path;
-          description = ''
-            SSH user key
-          '';
-        };
-      };
-
-      terraformDatabase.enable = lib.mkOption {
-        default = false;
-        type = lib.types.bool;
-        description = ''
-          Whether to start a postgreSQL database for Terraform states
-        '';
-      };
-    };
-  };
-
-  config = {
-    fileSystems."/mnt/data" =
-      lib.mkIf config.custom.dataDisk.enable { device = "/dev/sda1"; };
-
-    services.postgresql = lib.mkIf config.custom.terraformDatabase.enable {
-      enable = true;
-      ensureDatabases = [ "terraformstates" ];
-      package = pkgs.postgresql_15;
-      enableTCPIP = true;
-      dataDir =
-        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
-      # TODO: for now trust, replace this with client certificate later
-      authentication = ''
-        hostssl terraformstates terraform all trust
-      '';
-      settings = {
-        ssl = true;
-        ssl_cert_file = builtins.toFile "postgresql_server.crt"
-          (builtins.readFile ../postgresql_server.crt);
-        ssl_key_file = config.age.secrets."postgresql_server.key".path;
-      };
-      ensureUsers = [{
-        name = "terraform";
-        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
-      }];
-    };
-
-    age.secrets."postgresql_server.key" = {
-      file = ../secrets/postgresql_server.key.age;
-      mode = "400";
-      owner = builtins.toString config.ids.uids.postgres;
-      group = builtins.toString config.ids.gids.postgres;
-    };
-  };
-}

modules/custom/data-disk.nix

@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+let cfg = config.custom.dataDisk;
+in {
+  options = {
+    custom = {
+      dataDisk.enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to automatically mount /dev/sda1 on /mnt/data
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    fileSystems."/mnt/data" = { device = "/dev/sda1"; };
+  };
+}

modules/custom/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ];
+}

modules/custom/ssh-certificates.nix

@@ -0,0 +1,65 @@
+{ lib, config, ... }:
+let
+  cfg = config.custom.ssh;
+  hostCert = builtins.toFile "host_ed25519-cert.pub" cfg.hostCert;
+  userCert = builtins.toFile "user_ed25519-cert.pub" cfg.userCert;
+in {
+  options = {
+    custom = {
+      ssh = {
+        hostCert = lib.mkOption {
+          type = lib.types.str;
+          description = ''
+            SSH host certificate
+          '';
+        };
+
+        userCert = lib.mkOption {
+          type = lib.types.str;
+          description = ''
+            SSH user certificate
+          '';
+        };
+
+        hostKey = lib.mkOption {
+          default =
+            ../../secrets/${config.networking.hostName}_host_ed25519.age;
+          type = lib.types.path;
+          description = ''
+            SSH host key
+          '';
+        };
+
+        userKey = lib.mkOption {
+          default =
+            ../../secrets/${config.networking.hostName}_user_ed25519.age;
+          type = lib.types.path;
+          description = ''
+            SSH user key
+          '';
+        };
+      };
+    };
+  };
+
+  config = {
+    services.openssh = {
+      extraConfig = ''
+        HostCertificate ${hostCert}
+        HostKey ${config.age.secrets.host_ed25519.path}
+      '';
+    };
+
+    programs.ssh = {
+      extraConfig = ''
+        CertificateFile ${userCert}
+        IdentityFile ${config.age.secrets.user_ed25519.path}
+      '';
+    };
+
+    age.secrets = {
+      "host_ed25519".file = cfg.hostKey;
+      "user_ed25519".file = cfg.userKey;
+    };
+  };
+}

modules/custom/terraform-database.nix

@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+let cfg = config.custom.terraformDatabase;
+in {
+  options = {
+    custom = {
+      terraformDatabase.enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to start a postgreSQL database for Terraform states
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "terraformstates" ];
+      package = pkgs.postgresql_15;
+      enableTCPIP = true;
+      dataDir = lib.mkIf config.custom.dataDisk.enable
+        "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+      # dataDir =
+      #   "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+      # TODO: for now trust, replace this with client certificate later
+      authentication = ''
+        hostssl terraformstates terraform all trust
+      '';
+      settings = {
+        ssl = true;
+        ssl_cert_file = builtins.toFile "postgresql_server.crt"
+          (builtins.readFile ../../postgresql_server.crt);
+        ssl_key_file = config.age.secrets."postgresql_server.key".path;
+      };
+      ensureUsers = [{
+        name = "terraform";
+        ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
+      }];
+    };
+
+    age.secrets."postgresql_server.key" = {
+      file = ../../secrets/postgresql_server.key.age;
+      mode = "400";
+      owner = builtins.toString config.ids.uids.postgres;
+      group = builtins.toString config.ids.gids.postgres;
+    };
+  };
+}