Compare commits
5 Commits
a168a18199
...
b933d7b7b7
Author | SHA1 | Date | |
---|---|---|---|
|
b933d7b7b7 | ||
|
f8e3e03987 | ||
c63a781dc6 | |||
0e00c74ba7 | |||
923229dc00 |
@ -62,7 +62,7 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nix.package = pkgs.nixVersions.nix_2_18;
|
nix.package = lib.mkDefault pkgs.nixVersions.nix_2_18;
|
||||||
|
|
||||||
documentation.doc.enable = false;
|
documentation.doc.enable = false;
|
||||||
|
|
||||||
|
@ -7,8 +7,7 @@
|
|||||||
roboto
|
roboto
|
||||||
roboto-mono
|
roboto-mono
|
||||||
noto-fonts
|
noto-fonts
|
||||||
noto-fonts-cjk
|
|
||||||
noto-fonts-emoji
|
noto-fonts-emoji
|
||||||
comfortaa
|
comfortaa
|
||||||
];
|
] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
|
||||||
}
|
}
|
||||||
|
@ -1,37 +1,19 @@
|
|||||||
{ pkgs, lib, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
with lib;
|
pkgs.python313Packages.buildPythonPackage rec {
|
||||||
|
pname = "clerie-sops-config";
|
||||||
|
version = "0.0.1";
|
||||||
|
|
||||||
let
|
src = ./.;
|
||||||
hosts = builtins.attrNames (builtins.readDir ../../hosts);
|
|
||||||
|
|
||||||
mkAgeKey = hostname: ssh_pub_file:
|
format = "other";
|
||||||
pkgs.runCommand "${hostname}.age" {
|
|
||||||
buildInputs = [ pkgs.ssh-to-age ];
|
|
||||||
} ''
|
|
||||||
ssh-to-age -i ${ssh_pub_file} -o $out
|
|
||||||
'';
|
|
||||||
|
|
||||||
ageKeysForHost = hostname: let
|
propagatedBuildInputs = with pkgs; [
|
||||||
ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub";
|
ssh-to-age
|
||||||
in
|
|
||||||
if builtins.pathExists ssh_pub_file then [
|
|
||||||
(fileContents (mkAgeKey hostname ssh_pub_file))
|
|
||||||
] else [];
|
|
||||||
|
|
||||||
mkCreationRules = hosts:
|
|
||||||
map (hostname: {
|
|
||||||
path_regex = escapeRegex "hosts/${hostname}/secrets.json";
|
|
||||||
key_groups = [{
|
|
||||||
pgp = [
|
|
||||||
(fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt"))
|
|
||||||
];
|
];
|
||||||
age = ageKeysForHost hostname;
|
|
||||||
}];
|
|
||||||
}) hosts;
|
|
||||||
|
|
||||||
sops_config = {
|
installPhase = ''
|
||||||
creation_rules = mkCreationRules hosts;
|
mkdir -p $out/bin
|
||||||
};
|
cp clerie-sops-config.py $out/bin/clerie-sops-config
|
||||||
in
|
'';
|
||||||
pkgs.writeText "sops.json" (builtins.toJSON sops_config)
|
}
|
||||||
|
55
pkgs/clerie-sops/clerie-sops-config.py
Executable file
55
pkgs/clerie-sops/clerie-sops-config.py
Executable file
@ -0,0 +1,55 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import json
|
||||||
|
from pathlib import Path
|
||||||
|
import re
|
||||||
|
import subprocess
|
||||||
|
|
||||||
|
def generate_sops_config(repo_root):
|
||||||
|
admin_keys = []
|
||||||
|
|
||||||
|
# hardcode fingerprints because we can't really generate them automatically currently
|
||||||
|
admin_keys.append("0C982F87B7AFBA0F504F90A2629E741947C87928") # clerie@clerie.de
|
||||||
|
|
||||||
|
list_of_host_directories = sorted(list(filter(lambda path_object: path_object.is_dir(), (repo_root / "hosts").iterdir())))
|
||||||
|
|
||||||
|
creation_rules = []
|
||||||
|
|
||||||
|
for host_directory in list_of_host_directories:
|
||||||
|
host_secrets_file = host_directory / "secrets.json"
|
||||||
|
host_keys = []
|
||||||
|
|
||||||
|
ssh_host_key_file = host_directory / "ssh.pub"
|
||||||
|
|
||||||
|
if ssh_host_key_file.is_file():
|
||||||
|
|
||||||
|
ssh_to_age_command = subprocess.run(["ssh-to-age", "-i", str(ssh_host_key_file)], capture_output=True, text=True)
|
||||||
|
if ssh_to_age_command.returncode == 0:
|
||||||
|
host_keys.append(ssh_to_age_command.stdout.strip())
|
||||||
|
|
||||||
|
creation_rules.append({
|
||||||
|
"key_groups": [{
|
||||||
|
"age": host_keys,
|
||||||
|
"pgp": admin_keys,
|
||||||
|
}],
|
||||||
|
"path_regex": re.escape(str(host_secrets_file)),
|
||||||
|
})
|
||||||
|
|
||||||
|
return {
|
||||||
|
"creation_rules": creation_rules,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
if len(sys.argv) != 2:
|
||||||
|
print("No repo root specified")
|
||||||
|
exit(1)
|
||||||
|
|
||||||
|
repo_root = Path(sys.argv[1])
|
||||||
|
|
||||||
|
sops_config = generate_sops_config(repo_root)
|
||||||
|
|
||||||
|
print(json.dumps(sops_config))
|
@ -4,8 +4,13 @@ pkgs.writeShellApplication {
|
|||||||
name = "clerie-sops";
|
name = "clerie-sops";
|
||||||
runtimeInputs = with pkgs; [
|
runtimeInputs = with pkgs; [
|
||||||
sops
|
sops
|
||||||
|
clerie-sops-config
|
||||||
];
|
];
|
||||||
text = ''
|
text = ''
|
||||||
exec sops --config ${pkgs.clerie-sops-config} "$@"
|
REPO_ROOT="."
|
||||||
|
if GIT_ROOT=$(git rev-parse --show-toplevel); then
|
||||||
|
REPO_ROOT="$GIT_ROOT"
|
||||||
|
fi
|
||||||
|
exec sops --config <(clerie-sops-config "$REPO_ROOT") "$@"
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user