From 3d67297cd3dd8f8e24eb30927023f0d53d15f401 Mon Sep 17 00:00:00 2001
From: Benedikt Peetz
Date: Wed, 29 Jan 2025 15:14:46 +0100
Subject: feat(secrets.nix): Automatically generate the secrets list for each host
---
 secrets.nix | 77 +++++++++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 55 insertions(+), 22 deletions(-)
(limited to 'secrets.nix')
diff --git a/secrets.nix b/secrets.nix
index 819e9c3..d90b504 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -5,27 +5,60 @@ let
 server2HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1TUFoCTplkqTVbXQ6qDCyeo2h8+C0vjrIlKu6vmq5f";
 server3HostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP3s4FjGx7LEVf/GE3WeCl8TmCtPt8gW1J0mp0fUJBNm";
- server2 = [
- soispha
- sils
- server2HostKey
- ];
+ publicKeys = {
+ "server2" = [
+ soispha
+ sils
+ server2HostKey
+ ];
- server3 = [
- soispha
- sils
- server3HostKey
- ];
-in {
- "./hosts/by-name/server2/secrets/backuppass.age".publicKeys = server2;
- "./hosts/by-name/server2/secrets/backupssh.age".publicKeys = server2;
- "./hosts/by-name/server2/secrets/etesync/secret_file.age".publicKeys = server2;
+ "server3" = [
+ soispha
+ sils
+ server3HostKey
+ ];
+ };
- "./hosts/by-name/server3/secrets/backuppass.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/backupssh.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/mastodon/mail.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/matrix/passwd.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/miniflux/secrets/admin.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/peertube/general.age".publicKeys = server3;
- "./hosts/by-name/server3/secrets/peertube/smtp.age".publicKeys = server3;
-}
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ nixLib =
+ import (builtins.fetchTree lock.nodes.library.locked).outPath {};
+ inherit ((import (builtins.fetchTree lock.nodes.nixpkgs.locked).outPath {})) lib;
+
+ secrets = let
+ base = nixLib.mkByName {
+ useShards = false;
+ fileName = "secrets";
+ baseDirectory = ./hosts/by-name;
+ };
+ secrets = builtins.mapAttrs (name: value:
+ nixLib.mkByName {
+ relativePaths = true;
+ useShards = false;
+ fileRegex = "^.*\.age$";
+ baseDirectory = value;
+ })
+ base;
+ allSecretPaths = builtins.mapAttrs (serverName: secrets:
+ lib.lists.flatten (
+ lib.attrsets.mapAttrsToList
+ (service: fileNames: builtins.map (fileName: "./hosts/by-name/${serverName}/secrets/${service}/${fileName}") fileNames)
+ 
secrets
+ ))
+ secrets;
+ in
+ # We should be able to merge with the `//` operator here because all attribute paths
+ # must be unique (they were files previously)
+ builtins.foldl' (acc: elem: acc // elem) {} (
+ builtins.attrValues (builtins.mapAttrs (serverName: secretPaths:
+ builtins.listToAttrs (
+ builtins.map
+ (secretPath: {
+ name = secretPath;
+ value.publicKeys = publicKeys."${serverName}";
+ })
+ secretPaths
+ ))
+ allSecretPaths)
+ );
+in
+ secrets
-- cgit 1.4.1
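Review bot: The pattern in `fileRegex = "^.*\.age$";` is broader than intended, because inside a Nix double-quoted string the backslash in `\.` is dropped by the lexer and the helper receives `^.*.age$`, which matches any name ending in `age` preceded by one character (e.g. `image`), not only `.age` files; the line should read `fileRegex = "^.*\\.age$";` (how `nixLib.mkByName` applies the regex is not visible here, but the intent is clearly a literal dot). The generated paths also assume every secret sits exactly one directory below `secrets/`, i.e. `secrets/${service}/${fileName}`, while the removed lines list `backuppass.age` and `backupssh.age` directly under `secrets/` and `miniflux/secrets/admin.age` two levels down; whether `relativePaths = true` reproduces those is not shown in this hunk, so it is worth comparing `builtins.attrNames` of the new result against the removed list once, since a secret that silently drops out of this set ends up with no recipients at all. A short comment above `allSecretPaths` stating that layout assumption, e.g. `# assumes every secret lives in secrets/<service>/<file>.age`, would make the constraint explicit for whoever adds the next host.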