From 26bca68e24addca88364d6760450305e5f20441d Mon Sep 17 00:00:00 2001
From: Chris Toph
Date: Wed, 28 May 2025 22:53:38 -0400
Subject: [PATCH] Fix SSH user reference in secretsSpec and enhance private key handling
---
 home/global/core/ssh.nix | 2 +-
 modules/global/secret-spec.nix | 42 +++++++++++++++-------------------
 2 files changed, 19 insertions(+), 25 deletions(-)
diff --git a/home/global/core/ssh.nix b/home/global/core/ssh.nix
index 1f943eb..0512b38 100644
--- a/home/global/core/ssh.nix
+++ b/home/global/core/ssh.nix
@@ -8,7 +8,7 @@
 }:
 let
 ## Get the current user's SSH config ##
- userSsh = secretsSpec.users.${hostSpec.user}.ssh;
+ userSsh = secretsSpec.users.${hostSpec.username}.ssh;
 ## Generate local key paths for the config ##
 sshKeysMap = lib.mapAttrs (name: _: "${hostSpec.home}/.ssh/${name}") userSsh.privateKeys;
diff --git a/modules/global/secret-spec.nix b/modules/global/secret-spec.nix
index d2a6445..26a41a1 100644
--- a/modules/global/secret-spec.nix
+++ b/modules/global/secret-spec.nix
@@ -70,7 +70,15 @@ in
 privateKeys = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
 description = "SSH private key file paths keyed by name";
- readOnly = true;
+ default = { };
+ apply =
+ _:
+ let
+ userName = config.hostSpec.username;
+ userConfig = config.secretsSpec.users.${userName} or { };
+ privateKeyContents = userConfig.ssh.privateKeyContents or { };
+ in
+ lib.mapAttrs (name: content: mkSshKeyFile "${userName}-${name}" content) privateKeyContents;
 };
 config = lib.mkOption {
 type = lib.types.path;
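Review bot: In the `privateKeys` option, `apply` discards the option's own value (`_:`) and looks everything up through `config.hostSpec.username`, so every entry under `secretsSpec.users` resolves to the host user's keys rather than its own; the block removed at the end of this patch mapped per `userName`. If per-user keys are still intended, take the user from the enclosing submodule's `name` argument instead (the submodule header is outside this hunk, so confirm it is available there). With `readOnly = true;` dropped, an explicit definition of `privateKeys` is now silently ignored; keeping `readOnly = true;` next to `default = { };` should turn that into an evaluation error. Both points apply equally to the GPG `privateKey` hunk at `-104,7 +112,15`. `mkSshKeyFile` is defined outside the diff: if it writes the content to a store path, the private key ends up in the world-readable `/nix/store`, which is worth confirming before relying on this option.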
@@ -104,7 +112,15 @@ in
 privateKey = lib.mkOption {
 type = lib.types.path;
 description = "GPG private key file path";
- readOnly = true;
+ default = null;
+ apply =
+ _:
+ let
+ userName = config.hostSpec.username;
+ userConfig = config.secretsSpec.users.${userName} or { };
+ privateKeyContent = userConfig.gpg.privateKeyContents or "";
+ in
+ if privateKeyContent != "" then mkGpgKeyFile userName privateKeyContent else null;
 };
 trust = lib.mkOption {
 type = lib.types.str;
@@ -247,26 +263,4 @@ in
 default = { };
 };
 };
-
- config.secretsSpec.users = lib.mapAttrs (
- userName: userConfig:
- userConfig
- // {
- ## Auto-generate SSH private key files ##
- ssh = userConfig.ssh // {
- privateKeys = lib.mapAttrs (
- name: content: mkSshKeyFile "${userName}-${name}" content
- ) userConfig.ssh.privateKeyContents;
- };
-
- ## Auto-generate GPG private key file ##
- gpg = userConfig.gpg // {
- privateKey =
- if userConfig.gpg.privateKeyContents != "" then
- mkGpgKeyFile "${userName}-gpg" userConfig.gpg.privateKeyContents
- else
- null;
- };
- }
- ) config.secretsSpec.users;
 }
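Review bot: `privateKey` is declared as `lib.types.path` but now has `default = null;` and an `apply` that returns `null` when no key content is set, so the declared type does not describe the value consumers receive; `type = lib.types.nullOr lib.types.path;` would match what the option can actually hold. The name passed to `mkGpgKeyFile` also changes from `"${userName}-gpg"` in the removed block to plain `userName`, while the SSH option keeps its `"${userName}-${name}"` form. If that rename is not intended, pass `"${userName}-gpg"` here as well so the generated file keeps its previous name. The `mkOption` body is fully visible in this hunk, but `mkGpgKeyFile` is defined outside the diff.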