infrastructure/packages/sops-config/default.nix

{
  gnugrep,
  gnupg,
  lib,
  runCommand,
  self,
  ssh-to-age,
  writeText,
  ...
}:
with lib;
let
  metaHostConfigs = import ../../defaults/meta/hosts.nix { };
  userPgpKeys =
    let
      keysFolder = "${self.inputs.private}/sops_keys";
      gpgFingerprintsFile =
        runCommand "userPgpKeys"
          {
            src = keysFolder;
            buildInputs = [
              gnupg
              gnugrep
            ];
          }
          ''
            echo -n "[ " > $out
            for KEY in $src/*.asc; do
              FINGERPRINT=`
                gpg --homedir /tmp/.gnupg --with-colons --show-keys "$KEY" \
                  | grep ^fpr \
                  | grep --max-count 1 --only-matching --extended-regexp '[0-9A-Z]{40}' \
                  | cut -c -40
                `
              echo -n "\"$FINGERPRINT\" " >> $out
            done
            echo "]" >> $out
          '';
    in
    import "${gpgFingerprintsFile}";
  userAgeKeys = [ ];
  serverAgeKeys =
    let
      getHostsWithSshKeys = filterAttrs (name: cfg: cfg ? sshKey);
      mapHostToAgeKey = mapAttrs (
        name: cfg:
        readFile (
          runCommand "sshToAgeKey"
            {
              buildInputs = [ ssh-to-age ];
            }
            ''
              echo "${cfg.sshKey}" | ssh-to-age -o $out
            ''
        )
      );
    in
    mapHostToAgeKey (getHostsWithSshKeys metaHostConfigs.qois.meta.hosts);
  toCommaList = concatStringsSep ",";
in
writeText ".sops.yaml" (
  ''
    # This file was generated by nix, see packages/sops-config.nix for details.
  ''
  + strings.toJSON {
    keys = userPgpKeys ++ userAgeKeys ++ attrValues serverAgeKeys;
    creation_rules =
      [
        # Secrets for administrators (a.k.a. passwords)
        {
          path_regex = "private/passwords\.sops\.(yaml|json|env|ini)$";
          pgp = toCommaList userPgpKeys;
          age = toCommaList userAgeKeys;
        }

        # Secrets for all hosts
        {
          path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
          pgp = toCommaList userPgpKeys;
          age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
        }
      ]
      ++

      # Server specific secrets
      (mapAttrsToList (serverName: serverKey: {
        path_regex = "private/nixos-configurations/${serverName}/secrets\.sops\.(yaml|json|env|ini)$";
        pgp = toCommaList userPgpKeys;
        age = toCommaList (userAgeKeys ++ [ serverKey ]);
      }) serverAgeKeys);
  }
)