Diffstat (limited to '')
-rw-r--r-- | secrets.nix | 85 |
1 files changed, 63 insertions, 22 deletions
diff --git a/secrets.nix b/secrets.nix
index 10608f4..8d3ae92 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,28 +5,69 @@ let
 server2HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1TUFoCTplkqTVbXQ6qDCyeo2h8+C0vjrIlKu6vmq5f";
 server3HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3s4FjGx7LEVf/GE3WeCl8TmCtPt8gW1J0mp0fUJBNm";
- server2 = [
- soispha
- sils
- server2HostKey
- ];
+ # WARNING(@bpeetz): ONLY use this key on age files that are meant to be public! <2025-02-23>
+ testingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxdvBk/PC9fC7B5vqe9TvygZKY6LgDQ2mXRdVrthBM/";
- server3 = [
- soispha
- sils
- server3HostKey
- ];
-in {
- "./modules/by-name/ma/matrix/passwd.age".publicKeys = server3;
+ publicKeys = {
+ "server2" = [
+ soispha
+ sils
+ server2HostKey
+ ];
- "./hosts/by-name/server2/secrets/backuppass.age".publicKeys = server2;
- "./hosts/by-name/server2/secrets/backupssh.age".publicKeys = server2;
- "./hosts/by-name/server2/secrets/etesync/secret_file.age".publicKeys = server2;
+ "server3" = [
+ soispha
+ sils
+ server3HostKey
+ ];
+ };
- "./hosts/by-name/server3/secrets/backuppass.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/backupssh.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/mastodon/mail.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/miniflux/secrets/admin.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/peertube/general.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/peertube/smtp.age".publicKeys = server3;
-}
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ nixLib =
+ import (builtins.fetchTree lock.nodes.library.locked).outPath {};
+ inherit ((import (builtins.fetchTree lock.nodes.nixpkgs.locked).outPath {})) lib;
+
+ secrets = let
+ base = nixLib.mkByName {
+ useShards = false;
+ fileName = "secrets";
+ baseDirectory = ./hosts/by-name;
+ };
+ secrets = builtins.mapAttrs (name: value:
+ nixLib.mkByName {
+ relativePaths = true;
+ useShards = false;
+ fileRegex = "^.*\.age$";
+ baseDirectory = value;
+ })
+ base;
+ allSecretPaths = builtins.mapAttrs (serverName: secrets:
+ lib.lists.flatten (
+ lib.attrsets.mapAttrsToList
+ (service: fileNames: builtins.map (fileName: "./hosts/by-name/${serverName}/secrets/${service}/${fileName}") fileNames)
+ secrets
+ ))
+ secrets;
+ in
+ # We should be able to merge with the `//` operator here because all attribute paths
+ # must be unique (they were files previously)
+ builtins.foldl' (acc: elem: acc // elem) {} (
+ builtins.attrValues (builtins.mapAttrs (serverName: secretPaths:
+ builtins.listToAttrs (
+ builtins.map
+ (secretPath: {
+ name = secretPath;
+ value.publicKeys = publicKeys."${serverName}";
+ })
+ secretPaths
+ ))
+ allSecretPaths)
+ );
+in
+ secrets
+ // {
+ "./tests/by-name/em/email-dns/secrets/dkim/alice.com/private.age".publicKeys = [soispha sils testingKey];
+ "./tests/by-name/em/email-dns/secrets/dkim/bob.com/private.age".publicKeys = [soispha sils testingKey];
+ "./tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/private.age".publicKeys = [soispha sils testingKey];
+ "./tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/private.age".publicKeys = [soispha sils testingKey];
+ }
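Review bot: The pattern `fileRegex = "^.*\.age$";` in the inner `nixLib.mkByName` call does not escape the dot: inside a Nix double-quoted string `\.` is an unrecognised escape that evaluates to a plain `.`, so the regex seen by the helper is `^.*.age$`, which also matches names such as `storage` or `package` placed under a host's `secrets` directory and would give them an agenix rule with that host's keys. Use `fileRegex = "^.*\\.age$";` so only `.age` files are picked up. Three bindings named `secrets` are in play here — the outer `secrets = let …`, the inner `secrets = builtins.mapAttrs …` and the `secrets:` lambda parameter in `allSecretPaths` — which makes the expression hard to follow; renaming the inner two (for example `secretsByHost`) would help. The removed rule for `./modules/by-name/ma/matrix/passwd.age` is not covered by the new `./hosts/by-name` discovery, so if that file still exists it now has no recipients in this file; that looks intentional but is worth confirming.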