crans
/
nixos
mirror of https://gitlab.crans.org/nounous/nixos
19
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nixos/secrets.nix

108 lines
3.4 KiB
Nix
Raw Blame History

let
inherit (import <nixpkgs> { }) lib;
inherit (lib)
attrsets
filesystem
lists
path
;
# Nounous
aeltheos_0 = "age1yubikey1qvn7t9hplvnr2w8nsfezfqudz8gq3v8sq99dkdpzmm4a74rng5qgz4v6wzt";
aeltheos_1 = "age1yubikey1qwmt8heph3jg9sfva3yygphfw0nqed9hs8ndjsfw8yp86kwllearq9fylz2";
korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh26Ejn/syhvReixauY8i85+XD8P9RRJrPQGEyAQ07l klin@nixos";
lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHW62pK9A6E8pEwmSnTp6oKXac+bbOJ4VkPvNLa11No8 lyessaadi@crans.org";
lzebulon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJRSBsRgd/ITK2An7q1VXoeDPbcydR3FkQjHoO+1tAAO lzebulon@archframe";
pigeonmoelleux_0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHa+ptSTNG4mnGUEGSkHTNDzyUGeiMnaWS2nDvJwrYTp ratcornu@skryre";
pigeonmoelleux_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA41j5jdFj18OSHONx4QN9mMT+oBmtdwb1vstNavGOnz ratcornu@vrrtkin";
nounous = [
aeltheos_0
aeltheos_1
korenstin
lyes
lzebulon
pigeonmoelleux_0
pigeonmoelleux_1
];
# Machines
hosts = {
apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix";
cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos";
jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite";
reverseproxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuXFrEEALXW1T9b7WB3xtUsIWaEHat9+QdaV24RUFhW root@crans-iso";
thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden";
};
hostnames = attrsets.mapAttrsToList (host: _: host) hosts;
# Groupes
all = attrsets.mapAttrsToList (_: key: key) hosts;
acme = [
hosts.jitsi
hosts.neo
hosts.reverseproxy
];
# Fonctions utilitaires
listFilesRelative = dir: map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir);
genAttrs =
paths: groups:
builtins.foldl' (acc: secret: acc // { "${secret}".publicKeys = groups ++ nounous; }) { } paths;
# Secrets
commonSecrets = (listFilesRelative ./secrets/common) ++ [
"./secrets/restic/client_env"
];
acmeSecrets = listFilesRelative ./secrets/acme;
in
# Secrets communs à toutes les machines (sauf apprentix)
(genAttrs commonSecrets (lists.remove hosts.apprentix all))
# Secrets pour ACME
// (genAttrs acmeSecrets acme)
# Secrets pour restic
// builtins.foldl' (
acc: name:
acc
// (
let
key = hosts.${name};
in
genAttrs
[
"./secrets/restic/${name}/base-repo"
"./secrets/restic/${name}/base-password"
]
[ key ]
)
) { } (lists.remove "thot" hostnames)
// attrsets.foldlAttrs (
outacc: host: key:
let
secrets = listFilesRelative (path.append ./secrets host);
in
outacc
// builtins.foldl' (
acc: secret:
acc
// {
"${secret}".publicKeys = [ key ] ++ nounous;
}
) { } secrets
) { } hosts
Reference in New Issue View Git Blame Copy Permalink