NixOS deployment for LinuxLab
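# Generates the sops creation rules for this deployment: one rule per machine
# covering `machines/<name>/secrets.yaml` and `machines/<name>/secrets/...`,
# plus one global rule at the repository root shared by every machine.
#
# Only *public* keys appear here (SSH public keys converted to age
# recipients); private keys must never be added to this file or to the store.
#
# NOTE: running `ssh-to-age` through `runCommandNoCCLocal` during evaluation is
# import-from-derivation (IFD): evaluating this file builds one derivation per
# key.  `runCommandNoCCLocal` appears to be a legacy alias of `runCommandLocal`
# in recent nixpkgs; keep the old name until the pinned nixpkgs is confirmed
# to provide the new one.
{ lib, runCommandNoCCLocal, writeText, ssh-to-age, machines, ... }:
let
  # Explicit imports instead of `with lib;` so it is clear which names come
  # from nixpkgs' lib and nothing is shadowed by accident.
  inherit (lib)
    assertMsg attrValues concatLists escapeRegex fileContents genAttrs getAttr
    hasAttr mapAttrsToList singleton;

  # SSH public keys of the admins.  Every admin can decrypt every secret.
  # Removing a key here and running `sops updatekeys` re-encrypts the data
  # keys for the new recipient set; it does not take knowledge of the old
  # plaintext away from a removed holder -- rotate the secrets in that case.
  admins = {
    "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
  };

  # SSH host public keys, one per machine name.  A machine listed in
  # `machines` without an entry here fails evaluation (see `machine-keys`).
  hosts = {
    "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENsd6EdgIn5jhqXUEyPckoViHLLsYM2on/liwf1IO8p";
    "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np";
    "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
  };

  # Convert one SSH public key into its age recipient string.
  # The key is public, so placing it in the world-readable store is fine.
  # The file gets a real name because recent Nix rejects a store path with an
  # empty name; `fileContents` strips the trailing newline ssh-to-age prints.
  sshToAge = ssh-key:
    let
      converted = runCommandNoCCLocal "hostkey-to-age" { } ''
        ${ssh-to-age}/bin/ssh-to-age < '${writeText "ssh-public-key" ssh-key}' > "$out"
      '';
    in fileContents converted;

  # Age recipient for each machine in `machines`; the assertion turns a
  # missing host key into an actionable evaluation error instead of a
  # bare "attribute missing".
  machine-keys = genAttrs machines (machine:
    let
      ssh-key = assert assertMsg (hasAttr machine hosts) ''
        SSH host key is not specified for machine '${machine}'.
        Make sure the SSH host key is added to `sops-config.nix` after initial provisioning. After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
      '';
        getAttr machine hosts;
    in sshToAge ssh-key);

  # Age recipients of all admins.
  admin-keys = mapAttrsToList (_: sshToAge) admins;

  # Build one sops creation rule.
  #   path: directory relative to the sops config, or null for the root.
  #   keys: list of age recipients allowed to decrypt matching files.
  # `path` is regex-escaped so a machine name can never widen the match;
  # the rule covers `<path>/secrets.yaml` and everything under `<path>/secrets/`.
  mkRule = path: keys: {
    "path_regex" = "^${if path == null then "" else "${escapeRegex path}/"}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
    "key_groups" = [{ "age" = keys; }];
  };

  # One rule per machine allowing that machine and all admins.
  machine-rules = map
    (machine: mkRule "machines/${machine}" (admin-keys ++ (singleton machine-keys.${machine})))
    machines;

  # A single global rule allowing all machines and all admins.  Adding a
  # machine to `machines` therefore also grants it the global secrets; keep
  # anything machine-specific under `machines/<name>/` for least privilege.
  global-rules = singleton (mkRule null (admin-keys ++ (attrValues machine-keys)));
in {
  inherit admin-keys;
  config = {
    "creation_rules" = concatLists [ machine-rules global-rules ];
  };
}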