Simplification de secrets.nix

secrets.nix

@@ -1,4 +1,11 @@
 let
+  inherit (import <nixpkgs> { }) lib;
+  inherit (lib)
+    attrsets
+    filesystem
+    lists
+    path
+    ;
 
   # Nounous
   aeltheos_0 = "age1yubikey1qvn7t9hplvnr2w8nsfezfqudz8gq3v8sq99dkdpzmm4a74rng5qgz4v6wzt";
@@ -21,6 +28,7 @@ let
 
   # Machines
 
+  hosts = {
     apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix";
     cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos";
     jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
@@ -30,71 +38,42 @@ let
     thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
     two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
     vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden";
-
-  hosts = {
-    inherit
-      apprentix
-      cephiroth
-      jitsi
-      livre
-      neo
-      redite
-      thot
-      two
-      vaultwarden
-      ;
   };
 
-  hostnames = [
-    "apprentix"
-    "cephiroth"
-    "jitsi"
-    "livre"
-    "neo"
-    "redite"
-    "thot"
-    "two"
-    "vaultwarden"
-  ];
+  hostnames = attrsets.mapAttrsToList (host: _: host) hosts;
 
   # Groupes
 
-  all = [
-    apprentix
-    cephiroth
-    jitsi
-    livre
-    neo
-    thot
-    two
-    vaultwarden
-  ];
+  all = attrsets.mapAttrsToList (_: key: key) hosts;
 
   acme = [
-    jitsi
-    neo
+    hosts.jitsi
+    hosts.neo
   ];
 
-  # Secrets
-
-  commonSecrets = [ "restic/client_env" ];
-
-  acmeSecrets = [ "acme/env" ];
-
   # Fonctions utilitaires
 
-  remove = el: list: builtins.filter (x: el != x) list;
+  listFilesRelative = dir: map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir);
 
   genAttrs =
     paths: groups:
-    builtins.foldl' (
-      acc: secret: acc // { "secrets/${secret}.age".publicKeys = groups ++ nounous; }
-    ) { } paths;
+    builtins.foldl' (acc: secret: acc // { "${secret}".publicKeys = groups ++ nounous; }) { } paths;
+
+  # Secrets
+
+  commonSecrets = (listFilesRelative ./secrets/common) ++ [
+    "./secrets/restic/client_env"
+  ];
+
+  acmeSecrets = listFilesRelative ./secrets/acme;
 
 in
 
-(genAttrs commonSecrets (remove apprentix all))
+# Secrets communs à toutes les machines (sauf apprentix)
+(genAttrs commonSecrets (lists.remove hosts.apprentix all))
+# Secrets pour ACME
 // (genAttrs acmeSecrets acme)
+# Secrets pour restic
 // builtins.foldl' (
   acc: name:
   acc
@@ -104,19 +83,23 @@ in
     in
     genAttrs
       [
-        "restic/${name}/base-repo"
-        "restic/${name}/base-password"
+        "./secrets/restic/${name}/base-repo"
+        "./secrets/restic/${name}/base-password"
       ]
       [ key ]
   )
-) { } (remove "thot" hostnames)
-// builtins.mapAttrs (name: value: { publicKeys = value.publicKeys ++ nounous; }) {
-  "secrets/apprentix/root.age".publicKeys = [ apprentix ];
-  "secrets/common/root.age".publicKeys = remove apprentix all;
-  "secrets/neo/appservice_irc_db_env.age".publicKeys = [ neo ];
-  "secrets/neo/coturn_auth_secret.age".publicKeys = [ neo ];
-  "secrets/neo/database_extra_config.age".publicKeys = [ neo ];
-  "secrets/neo/note_oidc_extra_config.age".publicKeys = [ neo ];
-  "secrets/neo/ldap_synapse_password.age".publicKeys = [ neo ];
-  "secrets/vaultwarden/env.age".publicKeys = [ vaultwarden ];
-}
+) { } (lists.remove "thot" hostnames)
+// attrsets.foldlAttrs (
+  outacc: host: key:
+  let
+    secrets = listFilesRelative (path.append ./secrets host);
+  in
+  outacc
+  // builtins.foldl' (
+    acc: secret:
+    acc
+    // {
+      "${secret}".publicKeys = [ key ] ++ nounous;
+    }
+  ) { } secrets
+) { } hosts