dots/secrets/default.nix

62 lines
1.6 KiB
Nix
Raw Normal View History

2024-04-19 22:27:46 -05:00
{
2024-05-03 14:35:00 -05:00
agenix ? false,
2024-04-19 22:27:46 -05:00
lib ? import ../lib { },
}:
let
2024-05-03 14:35:00 -05:00
masterKeys = [
"age1yubikey1qfnj0k4mkzrn8ef5llwh2sv6hd7ckr0qml3n9hzdpz9c59ypvryhyst87k0"
"age1ur2lr3z6d2eftgxcalc6s5x9840ew9x43upl9k23wg0ugacrn5as4zl6sj"
];
2024-05-03 14:35:00 -05:00
hosts = {
luna =
let
secrets = "hosts/luna";
in
{
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
gitea-db-pass = "${secrets}/gitea-db-pass.age";
gitea-runner-token = "${secrets}/gitea-runner-token.age";
gh-ts-autotag-runner-token = "${secrets}/gh-ts-autotag-runner-token.age";
2024-05-03 14:35:00 -05:00
};
orion =
let
secrets = "hosts/orion";
in
{
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
};
};
2024-04-19 22:27:46 -05:00
in
if agenix then
(builtins.listToAttrs (
2024-05-03 14:35:00 -05:00
builtins.concatMap (
host:
let
hostSecrets = (builtins.getAttr host hosts);
in
(builtins.map (
hostSecretName:
let
secret = (builtins.getAttr hostSecretName hostSecrets);
in
{
name = builtins.toString secret;
value = {
publicKeys = [ (import ./../hosts/${host}/pubkey.nix) ] ++ masterKeys;
};
}
) (builtins.attrNames hostSecrets))
) (builtins.attrNames hosts)
2024-04-19 22:27:46 -05:00
))
else
2024-05-03 14:35:00 -05:00
(builtins.mapAttrs (
host: secrets:
(lib.recursiveMerge (
builtins.map (secretName: { age.secrets.${secretName}.file = ./${secrets.${secretName}}; }) (
builtins.attrNames hosts.${host}
)
))
) hosts)