/*
Because I'm way too lazy I'm automatically generating the secret files config.

Secrets can be found below:

  hosts/${hostname}/secrets/*.age

Pubkeys can be found for the specific host below:

  hosts/${hostname}/ssh.pub

The users have their keys below:

  users/${username}/ssh.pub

Secrets get encrypted for the host they are in and the users specified.

Every host with a secrets directory has an entry for a secret called "new".
This exists to overcome the chicken-and-egg problem.
Create a secret with the name "new" in the specific secrets directory and rename it afterwards with the suffix .age.
*/
let
  inherit (builtins) attrNames readDir pathExists readFile listToAttrs filter concatMap stringLength substring;

  # True when `s` ends with `suffix` and has at least one character in front
  # of it, so a file literally named ".age" does not count as a secret.
  hasSuffix = suffix: s:
    let
      n = stringLength s;
      m = stringLength suffix;
    in
    n > m && substring (n - m) m s == suffix;

  # Map every entry of `directory` that carries an `ssh.pub` onto the
  # contents of that file: { <entry name> = "<contents of ssh.pub>"; }.
  # Entries without an `ssh.pub` are skipped.  Only the file named
  # `ssh.pub` is ever read from a directory here.
  pubkeysFor = directory:
    let
      hasPubkey = name: pathExists (directory + "/${name}/ssh.pub");
      keyEntry = name: {
        inherit name;
        value = readFile (directory + "/${name}/ssh.pub");
      };
    in
    listToAttrs (map keyEntry (filter hasPubkey (attrNames (readDir directory))));

  # Public keys of every user and every host, keyed by directory name.
  users = pubkeysFor ./users;
  hosts = pubkeysFor ./hosts;

  # agenix entries for one host: one per `*.age` file under
  # hosts/<hostname>/secrets, plus the bootstrap entry "new".
  # Every entry is encrypted for the user `clerie` and for the host's own
  # key -- no other key from users/ becomes a recipient unless it is added
  # to `recipients` below.  A host without a secrets directory or without an
  # ssh.pub contributes nothing.  `recipients` and `ageFiles` are only
  # forced inside the `else` branch, so a missing directory or host key
  # never causes an evaluation error.
  secretsForHost = hostname:
    let
      secretsDir = ./hosts + "/${hostname}/secrets";
      hostPubkey = ./hosts + "/${hostname}/ssh.pub";
      recipients = [ users.clerie hosts."${hostname}" ];
      ageFiles = filter (hasSuffix ".age") (attrNames (readDir secretsDir));
      secretEntry = secret: {
        name = "hosts/${hostname}/secrets/${secret}";
        value = { publicKeys = recipients; };
      };
    in
    if !(pathExists secretsDir && pathExists hostPubkey)
    then [ ]
    else map secretEntry (ageFiles ++ [ "new" ]);
in
# Attribute set { "hosts/<host>/secrets/<file>" = { publicKeys = [ ... ]; }; }
# over every directory under ./hosts.
listToAttrs (concatMap secretsForHost (attrNames (readDir ./hosts)))