diff options
Diffstat (limited to 'secrets.nix')
-rw-r--r-- | secrets.nix | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..1a625d3 --- /dev/null +++ b/secrets.nix @@ -0,0 +1,59 @@ +# { pkgs ? import <nixpkgs> {} }: + +# taken from +# https://git.clerie.de/clerie/nixfiles/src/branch/master/secrets.nix + +# nix eval --impure --expr 'import ./secrets.nix' + +let + pubkeysFor = directory: + let + instances = builtins.attrNames (builtins.readDir directory); + instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances; + in + builtins.listToAttrs ( + # map (i: { name = i; value = builtins.readFile (directory + "/${i}/ssh.pub"); } + map (i: { + name = i; + value = (import (directory + "/${i}/")).sshKey; + } + ) instancesWithPubkey); + + hosts = pubkeysFor ./nix/hosts; + users = pubkeysFor ./nix/users; + + secretsForHost = hostname: let + + secretFiles = builtins.attrNames + (builtins.readDir (./nix/hosts + "/${hostname}/secrets")); + + listOfSecrets = builtins.filter (i: + (builtins.stringLength i) > 4 + && builtins.substring ((builtins.stringLength i) - 4) + (builtins.stringLength i) i == ".age" + ) secretFiles; + + in + if + builtins.pathExists (./nix/hosts + "/${hostname}/secrets") + && builtins.pathExists (./nix/hosts + "/${hostname}/ssh.pub") + then + map + (secret: { + name = "nix/hosts/${hostname}/secrets/${secret}"; + value = { + publicKeys = [ + users.emile + hosts."${hostname}" + ]; + }; + }) + (listOfSecrets ++ [ "new" ]) + else + []; +in + builtins.listToAttrs ( + builtins.concatMap + (hostname: secretsForHost hostname) + (builtins.attrNames (builtins.readDir ./nix/hosts)) + ) |