encrypt secret.nix with git-crypt

.gitattributes

@@ -1 +1,2 @@
 * text=auto eol=lf
+secret.nix filter=git-crypt diff=git-crypt

modules/secrets.nix

@@ -2,17 +2,22 @@
 with lib;
 with types;
 let
+  secret = description:
+    mkOption {
+      inherit description;
+      type = nullOr str;
+    };
   mkCredOption = service: extra:
   mkOption {
     description = "Credentials for ${service}";
     type = nullOr (submodule {
       options = {
         user = mkOption {
-          type = string;
+          type = str;
           description = "Username for ${service}";
         };
         password = mkOption {
-          type = string;
+          type = str;
           description = "Password for ${service}";
         };
       } // extra;
@@ -21,17 +26,20 @@ let
 in rec {
   options.secrets = {
     wireguard = mkOption {
-      type = attrs;
       description = "Wireguard conf";
+      type = attrs;
     };
     windows-samba = mkCredOption "samba on windows" { };
     linux-samba = mkCredOption "samba on linux" { };
     spotify = mkCredOption "Spotify" { };
   };
   config = let
+    unlocked = import (pkgs.runCommand "check-secret" { }
+      "set +e; grep -qI . ${../secret.nix}; echo $? > $out") == 0;
     secretnix = import ../secret.nix;
-    secrets = if isNull secretnix then
+    secrets = if !unlocked || isNull secretnix then
-      mapAttrs (n: v: null) options.secrets
+      builtins.trace "secret.nix locked, building without any secrets"
+      (mapAttrs (n: v: null) options.secrets)
     else
       secretnix;
   in { inherit secrets; };