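{ lib, runCommandNoCCLocal, writeText, ssh-to-age, machines, ... }:

# sops creation rules for the LinuxLab machines.
#
# Every secret file is encrypted to the age recipients of all admins plus the
# age recipient derived from the SSH host key of each machine allowed to read
# it. `machines` is the list of machine names; each one must have its SSH host
# public key listed in `hosts` below, otherwise evaluation fails.
#
# Whenever `admins` or `hosts` change, re-encrypt the affected files with
# `sops updatekeys`, otherwise the new recipients cannot decrypt them.
with lib;

let
  # SSH public keys of the people who may decrypt every secret.
  admins = {
    "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
  };

  # SSH host public keys, keyed by machine name. A key listed here must be the
  # one actually installed on that host -- verify it out of band after
  # provisioning, since a wrong key here encrypts the secrets to whoever holds
  # the matching private key instead of the machine.
  hosts = {
    "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My";
    "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI";
    "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
  };

  # Convert an SSH ed25519 public key into the matching age recipient by
  # running ssh-to-age at evaluation time (import-from-derivation; the
  # trailing newline of the tool's output is stripped).
  sshToAge = sshKey:
    let
      recipient = runCommandNoCCLocal "hostkey-to-age" { } ''
        ${ssh-to-age}/bin/ssh-to-age < '${writeText "ssh-public-key" sshKey}' > "$out"
      '';
    in
    pipe recipient [ readFile (removeSuffix "\n") ];

  # One age recipient per machine, derived from its host key. Evaluation stops
  # with an actionable message when a machine has no host key registered.
  machine-keys = genAttrs machines (machine:
    let
      hostKey =
        assert assertMsg (hosts ? ${machine}) ''
          SSH host key is not specified for machine '${machine}'.
          Make sure the SSH host key is added to `sops-config.nix` after initial provisioning. After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files. '';
        hosts.${machine};
    in
    sshToAge hostKey);

  # Age recipients of all admins.
  admin-keys = mapAttrsToList (_: sshToAge) admins;

  # Build one sops creation rule for `secrets.yaml` and everything below
  # `secrets/` inside `path` (or at the repository root when `path` is null),
  # encrypting to the given age recipients. The regex is anchored at both ends
  # so a rule never spills over into sibling directories.
  mkRule = path: keys: {
    path_regex = "^${optionalString (path != null) "${escapeRegex path}/"}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
    key_groups = [ { age = keys; } ];
  };

  # Per-machine rules: `machines/<name>/...` is readable by that machine and
  # all admins only.
  machine-rules = map
    (machine: mkRule "machines/${machine}" (admin-keys ++ [ machine-keys.${machine} ]))
    machines;

  # Global rule: root-level secrets are readable by every machine and all
  # admins. Note that a single compromised host can therefore decrypt all
  # global secrets -- anything only one machine needs belongs under
  # `machines/<name>/` instead.
  global-rules = [ (mkRule null (admin-keys ++ attrValues machine-keys)) ];
in
{
  inherit admin-keys;

  # sops uses the first creation rule whose path_regex matches; the anchored
  # regexes above cannot overlap, but the more specific machine rules are
  # still listed first.
  config = {
    creation_rules = machine-rules ++ global-rules;
  };
}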