nixfiles/pkgs/clerie-sops/clerie-sops-config.nix

{ pkgs, lib, ... }:

with lib;

let
  hosts = builtins.attrNames (builtins.readDir ../../hosts);

  mkAgeKey = hostname: ssh_pub_file:
    pkgs.runCommand "${hostname}.age" {
      buildInputs = [ pkgs.ssh-to-age ];
    } ''
      ssh-to-age -i ${ssh_pub_file} -o $out
    '';

  ageKeysForHost = hostname: let
    ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub";
  in
    if builtins.pathExists ssh_pub_file then [
      (fileContents (mkAgeKey hostname ssh_pub_file))
    ] else [];

  mkCreationRules = hosts:
    map (hostname: {
      path_regex = escapeRegex "hosts/${hostname}/secrets.json";
      key_groups = [{
        pgp = [
          (fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt"))
        ];
        age = ageKeysForHost hostname;
      }];
    }) hosts;

  sops_config = {
    creation_rules = mkCreationRules hosts;
  };
in
  pkgs.writeText "sops.json" (builtins.toJSON sops_config)
pkgs/clerie-sops: Init sops 2024-04-20 23:20:14 +02:00			`{ pkgs, lib, ... }:`

			`with lib;`

			`let`
			`hosts = builtins.attrNames (builtins.readDir ../../hosts);`

			`mkAgeKey = hostname: ssh_pub_file:`
			`pkgs.runCommand "${hostname}.age" {`
			`buildInputs = [ pkgs.ssh-to-age ];`
			`} ''`
			`ssh-to-age -i ${ssh_pub_file} -o $out`
			`'';`

			`ageKeysForHost = hostname: let`
			`ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub";`
			`in`
			`if builtins.pathExists ssh_pub_file then [`
			`(fileContents (mkAgeKey hostname ssh_pub_file))`
			`] else [];`

			`mkCreationRules = hosts:`
			`map (hostname: {`
			`path_regex = escapeRegex "hosts/${hostname}/secrets.json";`
			`key_groups = [{`
			`pgp = [`
			`(fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt"))`
			`];`
			`age = ageKeysForHost hostname;`
			`}];`
			`}) hosts;`

			`sops_config = {`
			`creation_rules = mkCreationRules hosts;`
			`};`
			`in`
			`pkgs.writeText "sops.json" (builtins.toJSON sops_config)`