crans
/
nixos
mirror of https://gitlab.crans.org/nounous/nixos
19
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Simplification de secrets.nix

merge-requests/14/head
RatCornu 2025-06-08 17:02:08 +02:00
parent cedff82836
commit 2136a2a1b2
No known key found for this signature in database
GPG Key ID: B3BE02E379E6E8E2
13 changed files with 51 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
secrets.nix
View File

@ -1,4 +1,11 @@
let let
inherit (import <nixpkgs> { }) lib;
inherit (lib)
attrsets
filesystem
lists
path
;
# Nounous # Nounous
aeltheos_0 = "age1yubikey1qvn7t9hplvnr2w8nsfezfqudz8gq3v8sq99dkdpzmm4a74rng5qgz4v6wzt"; aeltheos_0 = "age1yubikey1qvn7t9hplvnr2w8nsfezfqudz8gq3v8sq99dkdpzmm4a74rng5qgz4v6wzt";
@ -21,80 +28,52 @@ let
# Machines # Machines
apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix";
cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos";
jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite";
thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden";
hosts = { hosts = {
inherit apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix";
apprentix cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos";
cephiroth jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
jitsi livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
livre neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
neo redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite";
redite thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
thot two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
two vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden";
vaultwarden
;
}; };
hostnames = [ hostnames = attrsets.mapAttrsToList (host: _: host) hosts;
"apprentix"
"cephiroth"
"jitsi"
"livre"
"neo"
"redite"
"thot"
"two"
"vaultwarden"
];
# Groupes # Groupes
all = [ all = attrsets.mapAttrsToList (_: key: key) hosts;
apprentix
cephiroth
jitsi
livre
neo
thot
two
vaultwarden
];
acme = [ acme = [
jitsi hosts.jitsi
neo hosts.neo
]; ];
# Secrets
commonSecrets = [ "restic/client_env" ];
acmeSecrets = [ "acme/env" ];
# Fonctions utilitaires # Fonctions utilitaires
remove = el: list: builtins.filter (x: el != x) list; listFilesRelative = dir: map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir);
genAttrs = genAttrs =
paths: groups: paths: groups:
builtins.foldl' ( builtins.foldl' (acc: secret: acc // { "${secret}".publicKeys = groups ++ nounous; }) { } paths;
acc: secret: acc // { "secrets/${secret}.age".publicKeys = groups ++ nounous; }
) { } paths; # Secrets
commonSecrets = (listFilesRelative ./secrets/common) ++ [
"./secrets/restic/client_env"
];
acmeSecrets = listFilesRelative ./secrets/acme;
in in
(genAttrs commonSecrets (remove apprentix all)) # Secrets communs à toutes les machines (sauf apprentix)
(genAttrs commonSecrets (lists.remove hosts.apprentix all))
# Secrets pour ACME
// (genAttrs acmeSecrets acme) // (genAttrs acmeSecrets acme)
# Secrets pour restic
// builtins.foldl' ( // builtins.foldl' (
acc: name: acc: name:
acc acc
@ -104,19 +83,23 @@ in
in in
genAttrs genAttrs
[ [
"restic/${name}/base-repo" "./secrets/restic/${name}/base-repo"
"restic/${name}/base-password" "./secrets/restic/${name}/base-password"
] ]
[ key ] [ key ]
) )
) { } (remove "thot" hostnames) ) { } (lists.remove "thot" hostnames)
// builtins.mapAttrs (name: value: { publicKeys = value.publicKeys ++ nounous; }) { // attrsets.foldlAttrs (
"secrets/apprentix/root.age".publicKeys = [ apprentix ]; outacc: host: key:
"secrets/common/root.age".publicKeys = remove apprentix all; let
"secrets/neo/appservice_irc_db_env.age".publicKeys = [ neo ]; secrets = listFilesRelative (path.append ./secrets host);
"secrets/neo/coturn_auth_secret.age".publicKeys = [ neo ]; in
"secrets/neo/database_extra_config.age".publicKeys = [ neo ]; outacc
"secrets/neo/note_oidc_extra_config.age".publicKeys = [ neo ]; // builtins.foldl' (
"secrets/neo/ldap_synapse_password.age".publicKeys = [ neo ]; acc: secret:
"secrets/vaultwarden/env.age".publicKeys = [ vaultwarden ]; acc
} // {
"${secret}".publicKeys = [ key ] ++ nounous;
}
) { } secrets
) { } hosts

0
secrets/acme/.gitkeep 100644
View File

0
secrets/apprentix/.gitkeep 100644
View File

0
secrets/cephiroth/.gitkeep 100644
View File

0
secrets/common/.gitkeep 100644
View File

0
secrets/jitsi/.gitkeep 100644
View File

0
secrets/livre/.gitkeep 100644
View File

0
secrets/neo/.gitkeep 100644
View File

0
secrets/redite/.gitkeep 100644
View File

0
secrets/restic/.gitkeep 100644
View File

0
secrets/thot/.gitkeep 100644
View File

0
secrets/two/.gitkeep 100644
View File

0
secrets/vaultwarden/.gitkeep 100644
View File