Diffstat (limited to '')
| -rw-r--r-- | secrets.nix | 86 |
1 files changed, 67 insertions, 19 deletions
diff --git a/secrets.nix b/secrets.nix
index bd5630e..8d3ae92 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -2,24 +2,72 @@ let soispha = "age1mshh4ynzhhzhff25tqwkg4j054g3xwrfznh98ycchludj9wjj48qn2uffn"; sils = "age1vuhaey7kd9l76y6f9weeqmde3s4kjw38869ju6u3027yece2r3rqssjxst"; - server1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnqsfIZjelH7rcvFvnLR5zUZuC8thsBupBlvjcMRBUm"; + server2HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1TUFoCTplkqTVbXQ6qDCyeo2h8+C0vjrIlKu6vmq5f"; + server3HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3s4FjGx7LEVf/GE3WeCl8TmCtPt8gW1J0mp0fUJBNm"; - allSecrets = [ - soispha - sils - server1 - ]; -in { - "./modules/by-name/et/etesync/secret_file.age".publicKeys = allSecrets; - "./modules/by-name/pe/peertube/secrets/general.age".publicKeys = allSecrets; - "./modules/by-name/pe/peertube/secrets/smtp.age".publicKeys = allSecrets; + # WARNING(@bpeetz): ONLY use this key on age files that are meant to be public! <2025-02-23> + testingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxdvBk/PC9fC7B5vqe9TvygZKY6LgDQ2mXRdVrthBM/"; - "./system/secrets/backup/backuppass.age".publicKeys = allSecrets; - "./system/secrets/backup/backupssh.age".publicKeys = allSecrets; - "./system/secrets/invidious/hmac.age".publicKeys = allSecrets; - "./system/secrets/mastodon/mail.age".publicKeys = allSecrets; - "./system/secrets/matrix-synapse/passwd.age".publicKeys = allSecrets; - "./system/secrets/miniflux/admin.age".publicKeys = allSecrets; - "./system/secrets/taskserver/ca.age".publicKeys = allSecrets; - "./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = allSecrets; -} + publicKeys = { + "server2" = [ + soispha + sils + server2HostKey + ]; + + "server3" = [ + soispha + sils + server3HostKey + ]; + }; + + lock = builtins.fromJSON (builtins.readFile ./flake.lock); + nixLib = + import (builtins.fetchTree lock.nodes.library.locked).outPath {}; + inherit ((import (builtins.fetchTree lock.nodes.nixpkgs.locked).outPath {})) lib; + + secrets = let + base = nixLib.mkByName { + useShards = false; + fileName = "secrets"; + baseDirectory = ./hosts/by-name; + }; + secrets = 
builtins.mapAttrs (name: value: + nixLib.mkByName { + relativePaths = true; + useShards = false; + fileRegex = "^.*\.age$"; + baseDirectory = value; + }) + base; + allSecretPaths = builtins.mapAttrs (serverName: secrets: + lib.lists.flatten ( + lib.attrsets.mapAttrsToList + (service: fileNames: builtins.map (fileName: "./hosts/by-name/${serverName}/secrets/${service}/${fileName}") fileNames) + secrets + )) + secrets; + in + # We should be able to merge with the `//` operator here because all attribute paths + # must be unique (they were files previously) + builtins.foldl' (acc: elem: acc // elem) {} ( + builtins.attrValues (builtins.mapAttrs (serverName: secretPaths: + builtins.listToAttrs ( + builtins.map + (secretPath: { + name = secretPath; + value.publicKeys = publicKeys."${serverName}"; + }) + secretPaths + )) + allSecretPaths) + ); +in + secrets + // { + "./tests/by-name/em/email-dns/secrets/dkim/alice.com/private.age".publicKeys = [soispha sils testingKey]; + "./tests/by-name/em/email-dns/secrets/dkim/bob.com/private.age".publicKeys = [soispha sils testingKey]; + "./tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/private.age".publicKeys = [soispha sils testingKey]; + "./tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/private.age".publicKeys = [soispha sils testingKey]; + } |
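Review bot: The added `fileRegex = "^.*\.age$";` does not match what it looks like, because in a Nix double-quoted string `\.` is just `.` (the backslash is dropped), so the regex the helper receives is `^.*.age$` and any file whose name ends in `age` (e.g. `image`, `package`) would be enumerated as a secret and assigned a `publicKeys` entry. Escape the backslash, `fileRegex = "^.*\\.age$";`, or use an indented string `''^.*\.age$''` where the backslash is literal; this assumes `nixLib.mkByName` feeds `fileRegex` to `builtins.match` or similar, which is not visible here. A smaller point: `publicKeys."${serverName}"` fails evaluation for any host directory under `./hosts/by-name` that has no entry in `publicKeys`, which is the right fail-closed outcome but gives an opaque attribute-missing error; a comment such as `# every host under ./hosts/by-name needs a matching publicKeys entry` next to `publicKeys = {` would save the next person the hunt.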
