Migrate packages to use callPackage pattern

2024-10-19 19:40:58 +03:00 · 2024-10-19 19:40:58 +03:00 · 15ece3585e
commit 15ece3585e
parent 478b8903e0
11 changed files with 92 additions and 62 deletions
--- a/packages/sops-config/default.nix
+++ b/packages/sops-config/default.nix
@ -0,0 +1,92 @@
+{
+  gnugrep,
+  gnupg,
+  lib,
+  runCommand,
+  self,
+  ssh-to-age,
+  writeText,
+  ...
+}:
+with lib;
+let
+  metaHostConfigs = import ../../defaults/meta/hosts.nix { };
+  userPgpKeys =
+    let
+      keysFolder = "${self.inputs.private}/sops_keys";
+      gpgFingerprintsFile =
+        runCommand "userPgpKeys"
+          {
+            src = keysFolder;
+            buildInputs = [
+              gnupg
+              gnugrep
+            ];
+          }
+          ''
+            echo -n "[ " > $out
+            for KEY in $src/*.asc; do
+              FINGERPRINT=`
+                gpg --homedir /tmp/.gnupg --with-colons --show-keys "$KEY" \
+                  | grep ^fpr \
+                  | grep --max-count 1 --only-matching --extended-regexp '[0-9A-Z]{40}' \
+                  | cut -c -40
+                `
+              echo -n "\"$FINGERPRINT\" " >> $out
+            done
+            echo "]" >> $out
+          '';
+    in
+    import "${gpgFingerprintsFile}";
+  userAgeKeys = [ ];
+  serverAgeKeys =
+    let
+      getHostsWithSshKeys = filterAttrs (name: cfg: cfg ? sshKey);
+      mapHostToAgeKey = mapAttrs (
+        name: cfg:
+        readFile (
+          runCommand "sshToAgeKey"
+            {
+              buildInputs = [ ssh-to-age ];
+            }
+            ''
+              echo "${cfg.sshKey}" | ssh-to-age -o $out
+            ''
+        )
+      );
+    in
+    mapHostToAgeKey (getHostsWithSshKeys metaHostConfigs.qois.meta.hosts);
+  toCommaList = concatStringsSep ",";
+in
+writeText ".sops.yaml" (
+  ''
+    # This file was generated by nix, see packages/sops-config.nix for details.
+  ''
+  + strings.toJSON {
+    keys = userPgpKeys ++ userAgeKeys ++ attrValues serverAgeKeys;
+    creation_rules =
+      [
+        # Secrets for administrators (a.k.a. passwords)
+        {
+          path_regex = "private/passwords\.sops\.(yaml|json|env|ini)$";
+          pgp = toCommaList userPgpKeys;
+          age = toCommaList userAgeKeys;
+        }
+
+        # Secrets for all hosts
+        {
+          path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
+          pgp = toCommaList userPgpKeys;
+          age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
+        }
+      ]
+      ++
+
+      # Server specific secrets
+      (mapAttrsToList (serverName: serverKey: {
+        path_regex = "private/nixos-configurations/${serverName}/secrets\.sops\.(yaml|json|env|ini)$";
+        pgp = toCommaList userPgpKeys;
+        age = toCommaList (userAgeKeys ++ [ serverKey ]);
+      }) serverAgeKeys);
+  }
+)