diff --git a/secrets.nix b/secrets.nix
index b2665f4..7957792 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,4 +1,11 @@
 let
+ inherit (import { }) lib;
+ inherit (lib)
+ attrsets
+ filesystem
+ lists
+ path
+ ;
 # Nounous
 aeltheos_0 = "age1yubikey1qvn7t9hplvnr2w8nsfezfqudz8gq3v8sq99dkdpzmm4a74rng5qgz4v6wzt";
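Review bot: The argument of `import` in `inherit (import { }) lib;` is not visible on this page; if it is a NIX_PATH lookup, the key-assignment policy in this file is now evaluated against whatever nixpkgs the operator's environment resolves rather than the repository's pinned input, and agenix evaluates this file on its own, outside any flake lock. Prefer a pinned source for `lib` (e.g. `builtins.getFlake` on the repository, or a pinned `builtins.fetchTarball`), and keep the dependency small: `hostnames`/`all` are `builtins.attrNames hosts`/`builtins.attrValues hosts`, and `lists.remove` is exactly the `remove` helper this commit deletes, leaving only `filesystem.listFilesRecursive` and `path.removePrefix` as real uses of `lib`.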
@@ -21,80 +28,52 @@ let
 # Machines
- apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix";
- cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos";
- jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
- livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
- neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
- redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite";
- thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
- two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
- vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden";
-
 hosts = {
- inherit
- apprentix
- cephiroth
- jitsi
- livre
- neo
- redite
- thot
- two
- vaultwarden
- ;
+ apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix";
+ cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos";
+ jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
+ livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
+ neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
+ redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite";
+ thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
+ two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
+ vaultwarden = "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden";
 };
- hostnames = [
- "apprentix"
- "cephiroth"
- "jitsi"
- "livre"
- "neo"
- "redite"
- "thot"
- "two"
- "vaultwarden"
- ];
+ hostnames = attrsets.mapAttrsToList (host: _: host) hosts;
 # Groupes
- all = [
- apprentix
- cephiroth
- jitsi
- livre
- neo
- thot
- two
- vaultwarden
- ];
+ all = attrsets.mapAttrsToList (_: key: key) hosts;
 acme = [
- jitsi
- neo
+ hosts.jitsi
+ hosts.neo
 ];
- # Secrets
-
- commonSecrets = [ "restic/client_env" ];
-
- acmeSecrets = [ "acme/env" ];
-
 # Fonctions utilitaires
- remove = el: list: builtins.filter (x: el != x) list;
+ listFilesRelative = dir: map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir);
 genAttrs = paths: groups:
- builtins.foldl' (
- acc: secret: acc // { "secrets/${secret}.age".publicKeys = groups ++ nounous; }
- ) { } paths;
+ builtins.foldl' (acc: secret: acc // { "${secret}".publicKeys = groups ++ nounous; }) { } paths;
+
+ # Secrets
+
+ commonSecrets = (listFilesRelative ./secrets/common) ++ [
+ "./secrets/restic/client_env"
+ ];
+
+ acmeSecrets = listFilesRelative ./secrets/acme;
 in
-(genAttrs commonSecrets (remove apprentix all))
+# Secrets communs à toutes les machines (sauf apprentix)
+(genAttrs commonSecrets (lists.remove hosts.apprentix all))
+# Secrets pour ACME
 // (genAttrs acmeSecrets acme)
+# Secrets pour restic
 // builtins.foldl' (
 acc: name:
 acc
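Review bot: `all = attrsets.mapAttrsToList (_: key: key) hosts` silently widens access: the removed `all` list had eight entries and omitted `redite`, while `hosts` has nine, so every common secret (`restic/client_env` plus whatever `listFilesRelative ./secrets/common` yields, including the former `secrets/common/root.age`) is now also encrypted to redite's host key. If that is intended it deserves a line in the commit message; if not, `all = builtins.attrValues (builtins.removeAttrs hosts [ "redite" ]);` keeps the previous recipient set (and `hostnames = builtins.attrNames hosts;` is the plainer spelling of the other list). Separately, the old `genAttrs` appended `.age` to every rule name (`"secrets/${secret}.age"`) but the new explicit entry `"./secrets/restic/client_env"` here, and `"./secrets/restic/${name}/base-repo"`/`base-password` in the next hunk, carry no suffix, so unless those files are literally unsuffixed on disk the rules no longer match the files agenix is asked to edit or rekey. Finally, `listFilesRelative` returns every file under the directory, including the `.gitkeep` placeholders this commit adds, so it should be restricted to secret files: `builtins.filter (p: lib.hasSuffix ".age" (toString p)) (filesystem.listFilesRecursive dir)`.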
@@ -104,19 +83,23 @@ in
 in
 genAttrs [
- "restic/${name}/base-repo"
- "restic/${name}/base-password"
+ "./secrets/restic/${name}/base-repo"
+ "./secrets/restic/${name}/base-password"
 ] [ key ]
 )
-) { } (remove "thot" hostnames)
-// builtins.mapAttrs (name: value: { publicKeys = value.publicKeys ++ nounous; }) {
- "secrets/apprentix/root.age".publicKeys = [ apprentix ];
- "secrets/common/root.age".publicKeys = remove apprentix all;
- "secrets/neo/appservice_irc_db_env.age".publicKeys = [ neo ];
- "secrets/neo/coturn_auth_secret.age".publicKeys = [ neo ];
- "secrets/neo/database_extra_config.age".publicKeys = [ neo ];
- "secrets/neo/note_oidc_extra_config.age".publicKeys = [ neo ];
- "secrets/neo/ldap_synapse_password.age".publicKeys = [ neo ];
- "secrets/vaultwarden/env.age".publicKeys = [ vaultwarden ];
-}
+) { } (lists.remove "thot" hostnames)
+// attrsets.foldlAttrs (
+ outacc: host: key:
+ let
+ secrets = listFilesRelative (path.append ./secrets host);
+ in
+ outacc
+ // builtins.foldl' (
+ acc: secret:
+ acc
+ // {
+ "${secret}".publicKeys = [ key ] ++ nounous;
+ }
+ ) { } secrets
+) { } hosts
diff --git a/secrets/acme/.gitkeep b/secrets/acme/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/apprentix/.gitkeep b/secrets/apprentix/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/cephiroth/.gitkeep b/secrets/cephiroth/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/common/.gitkeep b/secrets/common/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/jitsi/.gitkeep b/secrets/jitsi/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/livre/.gitkeep b/secrets/livre/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/neo/.gitkeep b/secrets/neo/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/redite/.gitkeep b/secrets/redite/.gitkeep
new file mode 100644
index 0000000..e69de29
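Review bot: The inner `builtins.foldl'` over `secrets` re-implements `genAttrs` from the same file — `genAttrs` already folds a list of names into `{ "${secret}".publicKeys = groups ++ nounous; }`, and `[ key ] ++ nounous` is that with `groups = [ key ]` — so the body of the outer fold can be `outacc // genAttrs (listFilesRelative (path.append ./secrets host)) [ key ]`, dropping the `let`/`in` and the nested fold. Because nothing filters the recursive listing, each host now also gets a rule for `./secrets/<host>/.gitkeep` (added by this commit) and for any stray file left next to the `.age` ones; if agenix's rekey walks every rule whose file exists, those empty placeholders will likely make it fail, so restricting `listFilesRelative` to the `.age` suffix is the safer fix. The rule names also now start with `./` (from `path.removePrefix ./. p`), which only matches if agenix is invoked with the same spelling or normalises the path; a comment next to the fold such as `# rule names are repository-relative and start with "./", e.g. ./secrets/apprentix/root.age` would save the next person a confusing "no rule for file" error. The enclosing `builtins.foldl'` for restic starts outside this hunk.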
diff --git a/secrets/restic/.gitkeep b/secrets/restic/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/thot/.gitkeep b/secrets/thot/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/two/.gitkeep b/secrets/two/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/secrets/vaultwarden/.gitkeep b/secrets/vaultwarden/.gitkeep
new file mode 100644
index 0000000..e69de29