Compare commits
4 Commits
41a52d55a3
...
0220dbbcdd
Author | SHA1 | Date | |
---|---|---|---|
0220dbbcdd | |||
0ea664287b | |||
35d2b3a76c | |||
a00c276c5c |
@ -38,6 +38,7 @@
|
|||||||
group = "event";
|
group = "event";
|
||||||
modules = [
|
modules = [
|
||||||
./users/criese-nethinks
|
./users/criese-nethinks
|
||||||
|
./users/isa
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
backup-4 = { name = "backup-4"; };
|
backup-4 = { name = "backup-4"; };
|
||||||
|
@ -5,7 +5,6 @@
|
|||||||
[
|
[
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
||||||
./isa.nix
|
|
||||||
./users.nix
|
./users.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
{ ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
users.users.isa = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "guests" ];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
|
67
secrets.nix
67
secrets.nix
@ -16,6 +16,15 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
let
|
let
|
||||||
|
/*
|
||||||
|
Returns an attrset for a given directory,
|
||||||
|
having the name of a subdirectory as its attribute names
|
||||||
|
and the contents of the containing ssh.pub file as their value
|
||||||
|
|
||||||
|
{
|
||||||
|
clerie = "ssh-ed25519 AAAA...";
|
||||||
|
}
|
||||||
|
*/
|
||||||
pubkeysFor = directory: let
|
pubkeysFor = directory: let
|
||||||
instances = builtins.attrNames (builtins.readDir directory);
|
instances = builtins.attrNames (builtins.readDir directory);
|
||||||
instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances;
|
instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances;
|
||||||
@ -25,13 +34,63 @@ let
|
|||||||
users = pubkeysFor ./users;
|
users = pubkeysFor ./users;
|
||||||
hosts = pubkeysFor ./hosts;
|
hosts = pubkeysFor ./hosts;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Returns secret configuration for a given hostname
|
||||||
|
*/
|
||||||
secretsForHost = hostname: let
|
secretsForHost = hostname: let
|
||||||
|
/*
|
||||||
|
Returns a list of all file names in the secrets directory of the specified host
|
||||||
|
*/
|
||||||
secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets"));
|
secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets"));
|
||||||
listOfSecrets = builtins.filter (i: (builtins.stringLength i) > 4 && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age") secretsFiles;
|
|
||||||
|
/*
|
||||||
|
Returns all file names that end with .age
|
||||||
|
*/
|
||||||
|
listOfSecrets = builtins.filter (i:
|
||||||
|
# Make sure the file name is longer than the file extension
|
||||||
|
(builtins.stringLength i) > 4
|
||||||
|
# Take the last four letters of the file name and check if it is .age
|
||||||
|
&& builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age"
|
||||||
|
) secretsFiles;
|
||||||
|
|
||||||
in
|
in
|
||||||
if builtins.pathExists (./hosts + "/${hostname}/secrets") && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") then
|
if
|
||||||
map (secret: { name = "hosts/${hostname}/secrets/${secret}"; value = { publicKeys = [ users.clerie hosts."${hostname}" ]; }; }) (listOfSecrets ++ [ "new" ])
|
# Make sure the host has a secrets directory
|
||||||
|
builtins.pathExists (./hosts + "/${hostname}/secrets")
|
||||||
|
# Make sure the host has a public ssh key provided
|
||||||
|
&& builtins.pathExists (./hosts + "/${hostname}/ssh.pub")
|
||||||
|
then
|
||||||
|
/*
|
||||||
|
This map specifies all public keys for which a given secret file should be encrypted
|
||||||
|
It returns a list of name value pairs
|
||||||
|
The name is the path to the secret file
|
||||||
|
The value is an attribute set containing a list of public keys as a string
|
||||||
|
*/
|
||||||
|
map
|
||||||
|
(secret: {
|
||||||
|
name = "hosts/${hostname}/secrets/${secret}";
|
||||||
|
value = {
|
||||||
|
publicKeys = [
|
||||||
|
# Hardcode clerie's public key here
|
||||||
|
users.clerie
|
||||||
|
# No other user should have access to any secrets
|
||||||
|
|
||||||
|
# A host should only have access to their own secrets
|
||||||
|
hosts."${hostname}"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
})
|
||||||
|
# All file names of already existing secrets plus the magic "new" secret
|
||||||
|
(listOfSecrets ++ [ "new" ])
|
||||||
else
|
else
|
||||||
|
# Answer with an empty list, if no secrets are provided for a host
|
||||||
[];
|
[];
|
||||||
in
|
in
|
||||||
builtins.listToAttrs (builtins.concatMap (hostname: secretsForHost hostname) (builtins.attrNames (builtins.readDir ./hosts)))
|
# We just have a list of name value pairs that need to get transformed into an attribute set
|
||||||
|
builtins.listToAttrs (
|
||||||
|
builtins.concatMap
|
||||||
|
# Provide a list of secrets for a given hostname
|
||||||
|
(hostname: secretsForHost hostname)
|
||||||
|
# Names of all hosts
|
||||||
|
(builtins.attrNames (builtins.readDir ./hosts))
|
||||||
|
)
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
users.users.criese-nethinks = {
|
users.users.criese-nethinks = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
(builtins.readFile ./ssh-criese.pub)
|
(builtins.readFile ./ssh.pub)
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
10
users/isa/default.nix
Normal file
10
users/isa/default.nix
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
{ ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
users.users.isa = {
|
||||||
|
isNormalUser = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
(builtins.readFile ./ssh.pub)
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
1
users/isa/ssh.pub
Normal file
1
users/isa/ssh.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e
|
Loading…
Reference in New Issue
Block a user