{ lib
, runCommandNoCCLocal
, writeText
, ssh-to-age
, machines
, ...
}:

let
  inherit (lib)
    assertMsg attrValues escapeRegex genAttrs mapAttrsToList
    optionalString removeSuffix;

  # Admin SSH public keys.  Every admin becomes an age recipient on
  # every creation rule below, i.e. admins can decrypt all secrets.
  admins = {
    "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
  };

  # SSH host public keys, keyed by machine name.  A name listed in
  # `machines` that has no entry here fails evaluation (see machine-keys),
  # so a freshly provisioned host cannot silently end up without a rule.
  hosts = {
    "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMA+Q4wLe0AuZ8OC5BKJLrvmpKcy+6a8Iez9hCSVgtX8";
    "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np";
    "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
  };

  # Turn an SSH public key string into an age recipient.  The conversion
  # is done at build time by a local derivation that pipes the key through
  # ssh-to-age; the trailing newline of its output is stripped.
  # NOTE(review): ssh-to-age converts ed25519 keys — other key types are
  # expected to fail the build rather than yield a recipient; confirm
  # before adding non-ed25519 keys to `admins` or `hosts`.
  sshToAge = pubkey:
    let
      converted = runCommandNoCCLocal "hostkey-to-age" { } ''
        ${ssh-to-age}/bin/ssh-to-age < '${writeText "" pubkey}' > "$out"
      '';
    in
    removeSuffix "\n" (builtins.readFile converted);

  # Age recipient for each machine, derived from its SSH host key.
  machine-keys = genAttrs machines (host:
    assert assertMsg (hosts ? ${host}) ''
      SSH host key is not specified for machine '${host}'.

      Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
      After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
    '';
    sshToAge hosts.${host});

  # Age recipients for all admins (list order follows attribute-name order).
  admin-keys = mapAttrsToList (_: sshToAge) admins;

  # Build a single sops creation rule.
  #   path: directory prefix relative to the repository root, or null for
  #         the top level.  It is regex-escaped, so machine names cannot
  #         widen the match.
  #   keys: age recipients allowed to decrypt files matched by the rule.
  # The rule covers `secrets.yaml` and everything under `secrets/` in
  # that directory.
  mkRule = path: keys:
    let
      prefix = optionalString (path != null) "${escapeRegex path}/";
      secretFiles = "${escapeRegex "secrets.yaml"}|secrets/.+";
    in
    {
      "path_regex" = "^${prefix}(${secretFiles})$";
      "key_groups" = [ { "age" = keys; } ];
    };

  # One rule per machine, granting that machine's key plus all admin keys.
  # These are listed before the global rule because sops applies the first
  # creation rule whose path_regex matches, so the narrower per-machine
  # rule has to come first.
  machine-rules = map
    (host: mkRule "machines/${host}" (admin-keys ++ [ machine-keys.${host} ]))
    machines;

  # Catch-all rule for top-level secrets: all machines and all admins can
  # decrypt them, so anything placed there is readable by every host.
  global-rules = [ (mkRule null (admin-keys ++ attrValues machine-keys)) ];
in
{
  inherit admin-keys;

  config = {
    "creation_rules" = machine-rules ++ global-rules;
  };
}