NixOS deployment for LinuxLab


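# Generates the sops `creation_rules` (the contents of `.sops.yaml`) for this
# deployment.
#
# Every secret file is encrypted to a set of age recipients that are derived
# from SSH ed25519 PUBLIC keys with `ssh-to-age`:
#   * `admins` — operator keys. An admin decrypts with the matching SSH private
#     key (converted with `ssh-to-age -private-key`, or handed to sops directly
#     if the installed sops version accepts SSH keys — verify for your version).
#   * `hosts`  — machine SSH host keys, keyed by machine name. Presumably each
#     host decrypts with its own ed25519 host private key at activation time
#     (see the sops-nix module configuration — not visible here).
#
# Arguments:
#   lib, runCommandNoCCLocal, writeText, ssh-to-age — from nixpkgs.
#   machines — list of machine names; every name MUST have an entry in `hosts`,
#              otherwise evaluation fails with the message below.
#
# Returns an attrset with
#   admin-keys — list of age recipient strings for all admins,
#   config     — the attrset to serialise as `.sops.yaml`.
#
# Security notes:
#   * Keys are written into the Nix store, which is world-readable. Only PUBLIC
#     keys belong in this file — never paste a private key here.
#   * The global rule encrypts top-level secrets to EVERY machine host key, so a
#     single compromised host can decrypt all of them. Keep host-specific
#     material under `machines/<name>/` where only the narrower rule applies.
#   * Entries in `hosts` that are not listed in `machines` (e.g. `installer`)
#     are not used anywhere: neither the machine rules nor the global rule
#     iterate over `hosts`, only over `machines`.
#   * Rotating or adding a key only changes the rules; existing secret files
#     must be re-encrypted with `sops updatekeys`.
{ lib
, runCommandNoCCLocal
, writeText
, ssh-to-age
, machines
, ...
}:
with lib;
let
  # Operator SSH public keys. The attribute name is informational only.
  admins = {
    "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
  };

  # SSH host public keys, keyed by the machine name used in `machines`.
  hosts = {
    "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMA+Q4wLe0AuZ8OC5BKJLrvmpKcy+6a8Iez9hCSVgtX8";
    "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np";
    "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
  };

  # Convert one SSH public key (string) into an age recipient string.
  # This runs `ssh-to-age` at evaluation time (import-from-derivation), and the
  # key text is placed in the store first — another reason it must be PUBLIC.
  sshToAge = ssh-key:
    let
      # Give the store file a real name: the original used an empty derivation
      # name, which is unreadable in `nix-store`/`nix path-info` output and may
      # be rejected by newer Nix versions.
      keyFile = writeText "ssh-pubkey" ssh-key;
      recipient = runCommandNoCCLocal "hostkey-to-age" { } ''
        ${ssh-to-age}/bin/ssh-to-age < '${keyFile}' > "$out"
      '';
    in
    # `ssh-to-age` prints a trailing newline; sops wants the bare recipient.
    removeSuffix "\n" (readFile recipient);

  # Age recipient for every machine in `machines`.
  # Aborts evaluation with an actionable message when a host key is missing,
  # rather than silently producing a rule the host cannot decrypt.
  machine-keys = genAttrs machines (machine:
    let
      ssh-key =
        assert assertMsg (hasAttr machine hosts) ''
          SSH host key is not specified for machine '${machine}'.
          Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
          After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
        '';
        getAttr machine hosts;
    in
    sshToAge ssh-key);

  # Age recipients for all admins (order follows attribute-name order).
  admin-keys = mapAttrsToList (_: sshToAge) admins;

  # Build one creation rule for `path` (null = repository root) encrypting to
  # `keys`. Matches `<path>/secrets.yaml` and anything below `<path>/secrets/`.
  # `path` is regex-escaped and the pattern is anchored at both ends, so a rule
  # for `machines/foo` can never match `machines/foobar/...`.
  mkRule = path: keys:
    let
      prefix = if path == null then "" else "${escapeRegex path}/";
    in
    {
      "path_regex" = "^${prefix}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
      "key_groups" = [{ "age" = keys; }];
    };

  # Per-machine rules: secrets under `machines/<name>/` are readable only by
  # that machine and all admins.
  machine-rules = map
    (machine: mkRule "machines/${machine}" (admin-keys ++ [ machine-keys.${machine} ]))
    machines;

  # Global rule: top-level secrets are readable by ALL machines and all admins.
  # Anything placed here is exposed to every host in the deployment.
  global-rules = [ (mkRule null (admin-keys ++ attrValues machine-keys)) ];
in
{
  inherit admin-keys;
  # sops uses the first creation rule whose `path_regex` matches, so the narrow
  # per-machine rules are listed before the global one.
  config = {
    "creation_rules" = machine-rules ++ global-rules;
  };
}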