1
0
nixfiles/secrets.nix

38 lines
1.7 KiB
Nix
Raw Normal View History

2023-05-01 15:19:59 +02:00
/*
Because I'm way too lazy I'm automatically generating the secret files config.
Secrets can be found below
hosts/${hostname}/secrets/*.age
Pubkeys can be found for the specific host below
hosts/${hostname}/ssh.pub
The users have their keys below
users/${username}/ssh.pub
Secrets get encrypted for the host they are in and the users specified.
Every host with a secrets directory has an entry for a secret called "new".
This exist to overcome the chicken and egg problem.
Create a secret with them name new in the specific secrets directory and rename it afterwards with the suffix .age.
*/
2023-05-01 11:37:33 +02:00
let
pubkeysFor = directory: let
instances = builtins.attrNames (builtins.readDir directory);
instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances;
in
builtins.listToAttrs (map (i: { name = i; value = builtins.readFile (directory + "/${i}/ssh.pub"); }) instancesWithPubkey);
users = pubkeysFor ./users;
hosts = pubkeysFor ./hosts;
secretsForHost = hostname: let
secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets"));
listOfSecrets = builtins.filter (i: (builtins.stringLength i) > 4 && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age") secretsFiles;
in
if builtins.pathExists (./hosts + "/${hostname}/secrets") && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") then
map (secret: { name = "hosts/${hostname}/secrets/${secret}"; value = { publicKeys = [ users.clerie hosts."${hostname}" ]; }; }) (listOfSecrets ++ [ "new" ])
else
[];
in
builtins.listToAttrs (builtins.concatMap (hostname: secretsForHost hostname) (builtins.attrNames (builtins.readDir ./hosts)))