path: root/secrets.nix
blob: 8ad8eb7c2039a285b5e3ef1cacf475c437e8ae13 (plain)
# { pkgs ? import <nixpkgs> {} }:

# taken from
# https://git.clerie.de/clerie/nixfiles/src/branch/master/secrets.nix

# nix eval --impure --expr 'import ./secrets.nix'

# Because secrets.nix is generated from the directory contents, there is a
# bootstrapping problem: agenix assumes the secret about to be generated is
# already listed in secrets.nix, but that file has not been created yet.
# To work around this, every host also gets a placeholder entry named "new" in
# its secrets directory; encrypt to that entry first and rename the file afterwards.

let
  pubkeysFor =
    directory:
    let
      instances = builtins.attrNames (builtins.readDir directory);
      instancesWithPubkey = builtins.filter (
        i: builtins.pathExists (directory + "/${i}/ssh.pub")
      ) instances;
    in
    builtins.listToAttrs (
      # map (i: { name = i; value = builtins.readFile (directory + "/${i}/ssh.pub"); }
      map (i: {
        name = i;
        value = (import (directory + "/${i}/")).sshKey;
      }) instancesWithPubkey
    );

  hosts = pubkeysFor ./nix/hosts;
  users = pubkeysFor ./nix/users;

  secretsForHost =
    hostname:
    let

      secretFiles = builtins.attrNames (builtins.readDir (./nix/hosts + "/${hostname}/secrets"));

      listOfSecrets = builtins.filter (
        i:
        (builtins.stringLength i) > 4
        && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age"
      ) secretFiles;

    in
    if
      builtins.pathExists (./nix/hosts + "/${hostname}/secrets")
      && builtins.pathExists (./nix/hosts + "/${hostname}/ssh.pub")
    then
      map (secret: {
        name = "nix/hosts/${hostname}/secrets/${secret}";
        value = {
          publicKeys = [
            users.emile
            hosts."${hostname}"
          ];
        };
      }) (listOfSecrets ++ [ "new" ])
    else
      [ ];
in
builtins.listToAttrs (
  builtins.concatMap (hostname: secretsForHost hostname) (
    builtins.attrNames (builtins.readDir ./nix/hosts)
  )
)