secrets.nix
# agenix-style secrets manifest: maps each encrypted *.age path to the SSH
# public keys allowed to decrypt it. Recipients (users and machines, each
# with an optional `ssh.publicKeys` list) come from ./meta.toml.
let
  # NOTE(review): `nixpkgs` is resolved through the flake registry rather
  # than a lock file, so the lib helpers used below are not pinned by this
  # file and may differ between hosts evaluating it.
  lib = (builtins.getFlake "nixpkgs").lib;
  inherit (lib)
    attrByPath attrValues concatMap filterAttrs foldl genAttrs recursiveUpdate;

  meta = builtins.fromTOML (builtins.readFile ./meta.toml);
  inherit (meta) users machines;

  # Users whose `groups` list contains "wheel". Their keys are appended to
  # every secret below, so this is the effective admin recipient set.
  wheel = filterAttrs (_: u: builtins.elem "wheel" (u.groups or [ ])) users;

  # Collect `ssh.publicKeys` from every entry of `recipients`; entries
  # without that attribute path contribute nothing.
  publicKeysFor = recipients:
    concatMap (attrByPath [ "ssh" "publicKeys" ] [ ]) (attrValues recipients);

  # Build a single secret entry from `args`:
  #   allow      - extra recipients (normally machines) merged with `wheel`;
  #                on a name clash the `wheel` entry wins (`//` is
  #                right-biased), so user and machine names are presumably
  #                disjoint.
  #   publicKeys - raw keys appended verbatim, if given.
  # Every other attribute of `args` is passed through unchanged.
  mkSecret = args:
    let
      allow = args.allow or { };
      extraKeys = args.publicKeys or [ ];
    in
    removeAttrs args [ "allow" ] // {
      publicKeys = publicKeysFor (allow // wheel) ++ extraKeys;
    };

  # Apply the same `args` to every path in `paths`.
  mkSecrets = args: paths: genAttrs paths (_: mkSecret args);
in
# Left fold: groups are merged in order, so a path listed in two groups
# would presumably end up with the later group's publicKeys.
foldl recursiveUpdate { } [
  # Only `doko` (plus wheel users) may decrypt doko's service secrets.
  (mkSecrets { allow = { inherit (machines) doko; }; } [
    "machines/doko/.acme-credentials.age"
    "machines/doko/.authelia-identity-provider-oidc-hmac-secret.age"
    "machines/doko/.authelia-identity-provider-oidc-issuer-private-key.age"
    "machines/doko/.authelia-jwt-secret.age"
    "machines/doko/.authelia-notifier-smtp-password.age"
    "machines/doko/.authelia-storage-encryption-key.age"
    "machines/doko/.authelia-authentication-backend-password.age"
    "machines/doko/.traefik-config.json.age"
    "machines/doko/.lldap-jwt-secret.age"
  ])

  # NOTE(review): this path lives under machines/kado but the only
  # non-wheel recipient is `kuro`; confirm that is intended, since kado
  # itself receives no key here unless it also appears among wheel users.
  (mkSecrets { allow = { inherit (machines) kuro; }; }
    [ "machines/kado/.torrents-vpn-private-key.age" ])

  # Per-user passwd secrets are decryptable by every machine in meta.toml
  # (plus wheel users).
  (mkSecrets { allow = machines; } [
    "users/root/passwd.age"
    "users/jpas/passwd.age"
    "users/kbell/passwd.age"
  ])
]