author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-01-29 15:14:46 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-01-29 16:08:05 +0100 |
commit | 3d67297cd3dd8f8e24eb30927023f0d53d15f401 (patch) | |
tree | f85e496fb5f6dea5beb94ade9b2e55a25ea26be2 | |
parent | build(flake): Update to the latest `nixLib` version (diff) | |
download | nixos-server-3d67297cd3dd8f8e24eb30927023f0d53d15f401.zip |
feat(secrets.nix): Automatically generate the secrets list for each host
Diffstat (limited to '')
-rw-r--r-- | secrets.nix | 77 |
1 files changed, 55 insertions, 22 deletions
diff --git a/secrets.nix b/secrets.nix
index 819e9c3..d90b504 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,27 +5,60 @@ let
 server2HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1TUFoCTplkqTVbXQ6qDCyeo2h8+C0vjrIlKu6vmq5f";
 server3HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3s4FjGx7LEVf/GE3WeCl8TmCtPt8gW1J0mp0fUJBNm";
- server2 = [
- soispha
- sils
- server2HostKey
- ];
+ publicKeys = {
+ "server2" = [
+ soispha
+ sils
+ server2HostKey
+ ];
- server3 = [
- soispha
- sils
- server3HostKey
- ];
-in {
- "./hosts/by-name/server2/secrets/backuppass.age".publicKeys = server2;
- "./hosts/by-name/server2/secrets/backupssh.age".publicKeys = server2;
- "./hosts/by-name/server2/secrets/etesync/secret_file.age".publicKeys = server2;
+ "server3" = [
+ soispha
+ sils
+ server3HostKey
+ ];
+ };
- "./hosts/by-name/server3/secrets/backuppass.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/backupssh.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/mastodon/mail.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/matrix/passwd.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/miniflux/secrets/admin.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/peertube/general.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/peertube/smtp.age".publicKeys = server3;
-}
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ nixLib =
+ import (builtins.fetchTree lock.nodes.library.locked).outPath {};
+ inherit ((import (builtins.fetchTree lock.nodes.nixpkgs.locked).outPath {})) lib;
+
+ secrets = let
+ base = nixLib.mkByName {
+ useShards = false;
+ fileName = "secrets";
+ baseDirectory = ./hosts/by-name;
+ };
+ secrets = builtins.mapAttrs (name: value:
+ nixLib.mkByName {
+ relativePaths = true;
+ useShards = false;
+ fileRegex = "^.*\.age$";
+ baseDirectory = value;
+ })
+ base;
+ allSecretPaths = builtins.mapAttrs (serverName: secrets:
+ lib.lists.flatten (
+ lib.attrsets.mapAttrsToList
+ (service: fileNames: builtins.map (fileName: "./hosts/by-name/${serverName}/secrets/${service}/${fileName}") fileNames)
secrets
+ ))
+ secrets;
+ in
+ # We should be able to merge with the `//` operator here because all attribute paths
+ # must be unique (they were files previously)
+ builtins.foldl' (acc: elem: acc // elem) {} (
+ builtins.attrValues (builtins.mapAttrs (serverName: secretPaths:
+ builtins.listToAttrs (
+ builtins.map
+ (secretPath: {
+ name = secretPath;
+ value.publicKeys = publicKeys."${serverName}";
+ })
+ secretPaths
+ ))
+ allSecretPaths)
+ );
+in
+ secrets |
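Review bot: The `fileRegex = "^.*\.age$"` passed to the inner `nixLib.mkByName` does not escape the dot: a Nix double-quoted string drops the backslash before `.`, so the pattern that reaches mkByName is `^.*.age$`, which also matches any file whose name merely ends in `age`, and every such file would be listed as a secret and keyed to that host. The line should read `fileRegex = "^.*\\.age$";`. Separately, the generated key always has the form `./hosts/by-name/${serverName}/secrets/${service}/${fileName}`, while the removed lines show secrets that live directly in `secrets/` (e.g. `backuppass.age`, `backupssh.age`) and this commit moves no files, so unless mkByName maps top-level files into that scheme in a way not visible here, those entries are lost and agenix will no longer know which keys they should be encrypted to; worth confirming the evaluated attrset against the old list before relying on it. The lookup `publicKeys."${serverName}"` fails evaluation for a host directory with no key list, which is the right fail-closed behaviour and deserves a short comment saying so.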