clerie/nixfiles
1
0
Fork 0
Code

secrets: automatically detect and configure secrets

Browse Source
This commit is contained in:
clerie 2023-05-01 15:08:54 +02:00
parent ad3d98f637
commit 1b8b074dc5
2 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/clerie-backup/ssh.pub Normal file
View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ

28
secrets.nix
View File

@ -1,10 +1,20 @@
let
users = {
clerie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzEQEWeunhkzP+invKjdsZe4rbUloixa374bYEhBSA5 clerie_id";
};
hosts = {
clerie-backup = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsTlqDyK726hwhX8lbs9EhMrkf3LsKIm5Ya3k39C7VZ";
};
in {
"hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age".publicKeys = [ users.clerie hosts.clerie-backup ];
}
pubkeysFor = directory: let
instances = builtins.attrNames (builtins.readDir directory);
instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances;
in
builtins.listToAttrs (map (i: { name = i; value = builtins.readFile (directory + "/${i}/ssh.pub"); }) instancesWithPubkey);
users = pubkeysFor ./users;
hosts = pubkeysFor ./hosts;
secretsForHost = hostname: let
secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets"));
listOfSecrets = builtins.filter (i: (builtins.stringLength i) > 4 && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age") secretsFiles;
in
if builtins.pathExists (./hosts + "/${hostname}/secrets") && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") then
map (secret: { name = "hosts/${hostname}/secrets/${secret}"; value = { publicKeys = [ users.clerie hosts."${hostname}" ]; }; }) (listOfSecrets ++ [ "new" ])
else
[];
in
builtins.listToAttrs (builtins.concatMap (hostname: secretsForHost hostname) (builtins.attrNames (builtins.readDir ./hosts)))