  1. { lib
  2. , runCommandNoCCLocal
  3. , writeText
  4. , ssh-to-age
  5. , machines
  6. , ...
  7. }:
  8. with lib;
  9. let
  10. admins = {
  11. "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
  12. };
  13. hosts = {
  14. "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My";
  15. "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI";
  16. "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
  17. };
  18. sshToAge = ssh-key:
  19. let
  20. key = runCommandNoCCLocal "hostkey-to-age" { } ''
  21. ${ssh-to-age}/bin/ssh-to-age < '${writeText "" ssh-key}' > "$out"
  22. '';
  23. in
  24. pipe key [
  25. readFile
  26. (removeSuffix "\n")
  27. ];
  28. # Keys for each machine
  29. machine-keys = genAttrs machines (machine:
  30. let
  31. ssh-key = assert assertMsg (hasAttr machine hosts) ''
  32. SSH host key is not specified for machine '${machine}'.
  33. Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
  34. After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
  35. '';
  36. getAttr machine hosts;
  37. in
  38. sshToAge ssh-key);
  39. # Keys for all admins
  40. admin-keys = mapAttrsToList
  41. (_: sshToAge)
  42. admins;
  43. mkRule = path: keys: {
  44. "path_regex" = "^${if path == null then "" else "${escapeRegex path}/"}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
  45. "key_groups" = [{
  46. "age" = keys;
  47. }];
  48. };
  49. # Create a rule for each machine allowing the mechanie and all admins
  50. machine-rules = map
  51. (machine: mkRule
  52. "machines/${machine}"
  53. (admin-keys ++ (singleton machine-keys.${machine})))
  54. machines;
  55. # A single global rule allowing all machines and all admins to access
  56. global-rules = singleton (mkRule null (admin-keys ++ (attrValues machine-keys)));
  57. in
  58. {
  59. inherit admin-keys;
  60. config = {
  61. "creation_rules" = concatLists [
  62. machine-rules
  63. global-rules
  64. ];
  65. };
  66. }