qo.is/infrastructure
1
0
Fork 0
Code Issues 9 Pull requests 1 Projects Releases Packages Activity Actions
infrastructure/packages/sops-config/default.nix

93 lines
2.5 KiB
Nix
Raw Normal View History

Commit files for public release
2024-10-02 15:52:04 +02:00
{
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
gnugrep,
gnupg,
lib,
runCommand,
Commit files for public release
2024-10-02 15:52:04 +02:00
self,
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
ssh-to-age,
writeText,
Commit files for public release
2024-10-02 15:52:04 +02:00
...
}:
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
with lib;
Commit files for public release
2024-10-02 15:52:04 +02:00
let
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
metaHostConfigs = import ../../defaults/meta/hosts.nix { };
Commit files for public release
2024-10-02 15:52:04 +02:00
userPgpKeys =
let
keysFolder = "${self.inputs.private}/sops_keys";
gpgFingerprintsFile =
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
runCommand "userPgpKeys"
Commit files for public release
2024-10-02 15:52:04 +02:00
{
src = keysFolder;
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
buildInputs = [
Commit files for public release
2024-10-02 15:52:04 +02:00
gnupg
gnugrep
];
}
''
echo -n "[ " > $out
for KEY in $src/*.asc; do
FINGERPRINT=`
gpg --homedir /tmp/.gnupg --with-colons --show-keys "$KEY" \
| grep ^fpr \
| grep --max-count 1 --only-matching --extended-regexp '[0-9A-Z]{40}' \
| cut -c -40
`
echo -n "\"$FINGERPRINT\" " >> $out
done
echo "]" >> $out
'';
in
import "${gpgFingerprintsFile}";
userAgeKeys = [ ];
serverAgeKeys =
let
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
getHostsWithSshKeys = filterAttrs (name: cfg: cfg ? sshKey);
mapHostToAgeKey = mapAttrs (
Commit files for public release
2024-10-02 15:52:04 +02:00
name: cfg:
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
readFile (
runCommand "sshToAgeKey"
Commit files for public release
2024-10-02 15:52:04 +02:00
{
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
buildInputs = [ ssh-to-age ];
Commit files for public release
2024-10-02 15:52:04 +02:00
}
''
echo "${cfg.sshKey}" | ssh-to-age -o $out
''
)
);
in
mapHostToAgeKey (getHostsWithSshKeys metaHostConfigs.qois.meta.hosts);
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
toCommaList = concatStringsSep ",";
Commit files for public release
2024-10-02 15:52:04 +02:00
in
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
writeText ".sops.yaml" (
Commit files for public release
2024-10-02 15:52:04 +02:00
''
# This file was generated by nix, see packages/sops-config.nix for details.
''
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
+ strings.toJSON {
keys = userPgpKeys ++ userAgeKeys ++ attrValues serverAgeKeys;
Commit files for public release
2024-10-02 15:52:04 +02:00
creation_rules =
[
# Secrets for administrators (a.k.a. passwords)
{
path_regex = "private/passwords\.sops\.(yaml|json|env|ini)$";
pgp = toCommaList userPgpKeys;
age = toCommaList userAgeKeys;
}
# Secrets for all hosts
{
path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
pgp = toCommaList userPgpKeys;
age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
}
]
++
# Server specific secrets
Migrate packages to use callPackage pattern
2024-10-19 18:40:58 +02:00
(mapAttrsToList (serverName: serverKey: {
Commit files for public release
2024-10-02 15:52:04 +02:00
path_regex = "private/nixos-configurations/${serverName}/secrets\.sops\.(yaml|json|env|ini)$";
pgp = toCommaList userPgpKeys;
age = toCommaList (userAgeKeys ++ [ serverKey ]);
}) serverAgeKeys);
}
)
Reference in a new issue Copy permalink