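{ pkgs, lib, ... }:

# Builds a sops configuration file (`sops.json`) with one creation rule per
# host directory under ../../hosts.  Each rule encrypts
# `hosts/<hostname>/secrets.json` to the admin PGP key plus the host's own
# age recipient, which is derived from the host's SSH public key.
let
  # Only directory entries count as hosts.  A stray file in ../../hosts
  # (README, editor backup) would otherwise produce a creation rule that has
  # no age recipient at all.
  hostEntries = builtins.readDir ../../hosts;
  hosts = builtins.attrNames
    (lib.filterAttrs (_: kind: kind == "directory") hostEntries);

  # Converts an SSH public key file into an age recipient with ssh-to-age.
  # The derivation's output is read back with lib.fileContents below
  # (import-from-derivation), so the conversion runs at evaluation time.
  # Key types ssh-to-age does not support make the build - and hence the
  # evaluation - fail loudly rather than silently dropping the recipient.
  mkAgeKey = hostname: sshPubFile:
    pkgs.runCommand "${hostname}.age" {
      # ssh-to-age is a build-time tool, so it belongs in nativeBuildInputs.
      nativeBuildInputs = [ pkgs.ssh-to-age ];
    } ''
      ssh-to-age -i ${sshPubFile} -o $out
    '';

  # Age recipients for one host: the converted key when
  # hosts/<hostname>/ssh.pub exists, otherwise an empty list.  With no age
  # recipient the file is encrypted to the PGP key only, so the host cannot
  # decrypt its own secrets until its ssh.pub is committed - this fails
  # closed by design.
  ageKeysForHost = hostname:
    let
      sshPubFile = ../../hosts + "/${hostname}/ssh.pub";
    in
    lib.optional (builtins.pathExists sshPubFile)
      (lib.fileContents (mkAgeKey hostname sshPubFile));

  # Admin PGP fingerprint shared by every rule; read from the clerie-keys
  # package so a key rotation happens in exactly one place.
  adminPgpFingerprint =
    lib.fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt");

  # One creation rule per host.  sops picks the first rule whose path_regex
  # matches the file path, and the match is a search, not a full match, so the
  # pattern is anchored: an unanchored "hosts/<hostname>/secrets.json" would
  # also claim e.g. hosts/<hostname>/secrets.json.bak or a nested copy of the
  # file and encrypt it with this host's key group.  `(^|/)` accepts both a
  # path relative to the config file and an absolute one.
  mkCreationRules = hostnames:
    map (hostname: {
      path_regex =
        "(^|/)" + lib.escapeRegex "hosts/${hostname}/secrets.json" + "$";
      key_groups = [{
        pgp = [ adminPgpFingerprint ];
        age = ageKeysForHost hostname;
      }];
    }) hostnames;

  sopsConfig = {
    creation_rules = mkCreationRules hosts;
  };
in
pkgs.writeText "sops.json" (builtins.toJSON sopsConfig)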