infrastructure/packages/sops-config.nix

{
  pkgs,
  self,
  system,
  ...
}:
let
  metaHostConfigs = import ../defaults/meta/hosts.nix { inherit pkgs; };
  userPgpKeys =
    let
      keysFolder = "${self.inputs.private}/sops_keys";
      gpgFingerprintsFile =
        pkgs.runCommand "userPgpKeys"
          {
            src = keysFolder;
            buildInputs = with pkgs; [
              gnupg
              gnugrep
            ];
          }
          ''
            echo -n "[ " > $out
            for KEY in $src/*.asc; do
              FINGERPRINT=`
                gpg --homedir /tmp/.gnupg --with-colons --show-keys "$KEY" \
                  | grep ^fpr \
                  | grep --max-count 1 --only-matching --extended-regexp '[0-9A-Z]{40}' \
                  | cut -c -40
                `
              echo -n "\"$FINGERPRINT\" " >> $out
            done
            echo "]" >> $out
          '';
    in
    import "${gpgFingerprintsFile}";
  userAgeKeys = [ ];
  serverAgeKeys =
    let
      getHostsWithSshKeys = pkgs.lib.filterAttrs (name: cfg: cfg ? sshKey);
      mapHostToAgeKey = builtins.mapAttrs (
        name: cfg:
        pkgs.lib.readFile (
          pkgs.runCommand "sshToAgeKey"
            {
              buildInputs = [ pkgs.ssh-to-age ];
            }
            ''
              echo "${cfg.sshKey}" | ssh-to-age -o $out
            ''
        )
      );
    in
    mapHostToAgeKey (getHostsWithSshKeys metaHostConfigs.qois.meta.hosts);
  toCommaList = builtins.concatStringsSep ",";
in
pkgs.writeText ".sops.yaml" (
  ''
    # This file was generated by nix, see packages/sops-config.nix for details.
  ''
  + builtins.toJSON {
    keys = userPgpKeys ++ userAgeKeys ++ builtins.attrValues serverAgeKeys;
    creation_rules =
      [
        # Secrets for administrators (a.k.a. passwords)
        {
          path_regex = "private/passwords\.sops\.(yaml|json|env|ini)$";
          pgp = toCommaList userPgpKeys;
          age = toCommaList userAgeKeys;
        }

        # Secrets for all hosts
        {
          path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
          pgp = toCommaList userPgpKeys;
          age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
        }
      ]
      ++

      # Server specific secrets
      (pkgs.lib.mapAttrsToList (serverName: serverKey: {
        path_regex = "private/nixos-configurations/${serverName}/secrets\.sops\.(yaml|json|env|ini)$";
        pgp = toCommaList userPgpKeys;
        age = toCommaList (userAgeKeys ++ [ serverKey ]);
      }) serverAgeKeys);
  }
)
Commit files for public release 2024-10-02 15:52:04 +02:00			`{`
			`pkgs,`
			`self,`
			`system,`
			`...`
			`}:`
			`let`
			`metaHostConfigs = import ../defaults/meta/hosts.nix { inherit pkgs; };`
			`userPgpKeys =`
			`let`
			`keysFolder = "${self.inputs.private}/sops_keys";`
			`gpgFingerprintsFile =`
			`pkgs.runCommand "userPgpKeys"`
			`{`
			`src = keysFolder;`
			`buildInputs = with pkgs; [`
			`gnupg`
			`gnugrep`
			`];`
			`}`
			`''`
			`echo -n "[ " > $out`
			`for KEY in $src/*.asc; do`
			FINGERPRINT=`
			`gpg --homedir /tmp/.gnupg --with-colons --show-keys "$KEY" \`
			`\| grep ^fpr \`
			`\| grep --max-count 1 --only-matching --extended-regexp '[0-9A-Z]{40}' \`
			`\| cut -c -40`
			`
			`echo -n "\"$FINGERPRINT\" " >> $out`
			`done`
			`echo "]" >> $out`
			`'';`
			`in`
			`import "${gpgFingerprintsFile}";`
			`userAgeKeys = [ ];`
			`serverAgeKeys =`
			`let`
			`getHostsWithSshKeys = pkgs.lib.filterAttrs (name: cfg: cfg ? sshKey);`
			`mapHostToAgeKey = builtins.mapAttrs (`
			`name: cfg:`
			`pkgs.lib.readFile (`
			`pkgs.runCommand "sshToAgeKey"`
			`{`
			`buildInputs = [ pkgs.ssh-to-age ];`
			`}`
			`''`
			`echo "${cfg.sshKey}" \| ssh-to-age -o $out`
			`''`
			`)`
			`);`
			`in`
			`mapHostToAgeKey (getHostsWithSshKeys metaHostConfigs.qois.meta.hosts);`
			`toCommaList = builtins.concatStringsSep ",";`
			`in`
			`pkgs.writeText ".sops.yaml" (`
			`''`
			`# This file was generated by nix, see packages/sops-config.nix for details.`
			`''`
			`+ builtins.toJSON {`
			`keys = userPgpKeys ++ userAgeKeys ++ builtins.attrValues serverAgeKeys;`
			`creation_rules =`
			`[`
			`# Secrets for administrators (a.k.a. passwords)`
			`{`
			`path_regex = "private/passwords\.sops\.(yaml\|json\|env\|ini)$";`
			`pgp = toCommaList userPgpKeys;`
			`age = toCommaList userAgeKeys;`
			`}`

			`# Secrets for all hosts`
			`{`
			`path_regex = "private/nixos-configurations/secrets\.sops\.(yaml\|json\|env\|ini)$";`
			`pgp = toCommaList userPgpKeys;`
			`age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);`
			`}`
			`]`
			`++`

			`# Server specific secrets`
			`(pkgs.lib.mapAttrsToList (serverName: serverKey: {`
			`path_regex = "private/nixos-configurations/${serverName}/secrets\.sops\.(yaml\|json\|env\|ini)$";`
			`pgp = toCommaList userPgpKeys;`
			`age = toCommaList (userAgeKeys ++ [ serverKey ]);`
			`}) serverAgeKeys);`
			`}`
			`)`