2024-10-02 15:52:04 +02:00
|
|
|
{
|
2024-10-19 18:40:58 +02:00
|
|
|
gnugrep,
|
|
|
|
gnupg,
|
|
|
|
lib,
|
|
|
|
runCommand,
|
2024-10-02 15:52:04 +02:00
|
|
|
self,
|
2024-10-19 18:40:58 +02:00
|
|
|
ssh-to-age,
|
|
|
|
writeText,
|
2024-10-02 15:52:04 +02:00
|
|
|
...
|
|
|
|
}:
|
2024-10-19 18:40:58 +02:00
|
|
|
with lib;
|
2024-10-02 15:52:04 +02:00
|
|
|
let
|
2024-10-19 18:40:58 +02:00
|
|
|
metaHostConfigs = import ../../defaults/meta/hosts.nix { };
|
2024-10-02 15:52:04 +02:00
|
|
|
userPgpKeys =
|
|
|
|
let
|
|
|
|
keysFolder = "${self.inputs.private}/sops_keys";
|
|
|
|
gpgFingerprintsFile =
|
2024-10-19 18:40:58 +02:00
|
|
|
runCommand "userPgpKeys"
|
2024-10-02 15:52:04 +02:00
|
|
|
{
|
|
|
|
src = keysFolder;
|
2024-10-19 18:40:58 +02:00
|
|
|
buildInputs = [
|
2024-10-02 15:52:04 +02:00
|
|
|
gnupg
|
|
|
|
gnugrep
|
|
|
|
];
|
|
|
|
}
|
|
|
|
''
|
|
|
|
echo -n "[ " > $out
|
|
|
|
for KEY in $src/*.asc; do
|
|
|
|
FINGERPRINT=`
|
|
|
|
gpg --homedir /tmp/.gnupg --with-colons --show-keys "$KEY" \
|
|
|
|
| grep ^fpr \
|
|
|
|
| grep --max-count 1 --only-matching --extended-regexp '[0-9A-Z]{40}' \
|
|
|
|
| cut -c -40
|
|
|
|
`
|
|
|
|
echo -n "\"$FINGERPRINT\" " >> $out
|
|
|
|
done
|
|
|
|
echo "]" >> $out
|
|
|
|
'';
|
|
|
|
in
|
|
|
|
import "${gpgFingerprintsFile}";
|
|
|
|
userAgeKeys = [ ];
|
|
|
|
serverAgeKeys =
|
|
|
|
let
|
2024-10-19 18:40:58 +02:00
|
|
|
getHostsWithSshKeys = filterAttrs (name: cfg: cfg ? sshKey);
|
|
|
|
mapHostToAgeKey = mapAttrs (
|
2024-10-02 15:52:04 +02:00
|
|
|
name: cfg:
|
2024-10-19 18:40:58 +02:00
|
|
|
readFile (
|
|
|
|
runCommand "sshToAgeKey"
|
2024-10-02 15:52:04 +02:00
|
|
|
{
|
2024-10-19 18:40:58 +02:00
|
|
|
buildInputs = [ ssh-to-age ];
|
2024-10-02 15:52:04 +02:00
|
|
|
}
|
|
|
|
''
|
|
|
|
echo "${cfg.sshKey}" | ssh-to-age -o $out
|
|
|
|
''
|
|
|
|
)
|
|
|
|
);
|
|
|
|
in
|
|
|
|
mapHostToAgeKey (getHostsWithSshKeys metaHostConfigs.qois.meta.hosts);
|
2024-10-19 18:40:58 +02:00
|
|
|
toCommaList = concatStringsSep ",";
|
2024-10-02 15:52:04 +02:00
|
|
|
in
|
2024-10-19 18:40:58 +02:00
|
|
|
writeText ".sops.yaml" (
|
2024-10-02 15:52:04 +02:00
|
|
|
''
|
|
|
|
# This file was generated by nix, see packages/sops-config.nix for details.
|
|
|
|
''
|
2024-10-19 18:40:58 +02:00
|
|
|
+ strings.toJSON {
|
|
|
|
keys = userPgpKeys ++ userAgeKeys ++ attrValues serverAgeKeys;
|
2024-10-02 15:52:04 +02:00
|
|
|
creation_rules =
|
|
|
|
[
|
|
|
|
# Secrets for administrators (a.k.a. passwords)
|
|
|
|
{
|
|
|
|
path_regex = "private/passwords\.sops\.(yaml|json|env|ini)$";
|
|
|
|
pgp = toCommaList userPgpKeys;
|
|
|
|
age = toCommaList userAgeKeys;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Secrets for all hosts
|
|
|
|
{
|
|
|
|
path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
|
|
|
|
pgp = toCommaList userPgpKeys;
|
|
|
|
age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
|
|
|
|
}
|
|
|
|
]
|
|
|
|
++
|
|
|
|
|
|
|
|
# Server specific secrets
|
2024-10-19 18:40:58 +02:00
|
|
|
(mapAttrsToList (serverName: serverKey: {
|
2024-10-02 15:52:04 +02:00
|
|
|
path_regex = "private/nixos-configurations/${serverName}/secrets\.sops\.(yaml|json|env|ini)$";
|
|
|
|
pgp = toCommaList userPgpKeys;
|
|
|
|
age = toCommaList (userAgeKeys ++ [ serverKey ]);
|
|
|
|
}) serverAgeKeys);
|
|
|
|
}
|
|
|
|
)
|