cleanup more nix code

2024-04-13 16:06:35 +02:00 · 2024-04-13 16:06:35 +02:00 · 6b9fffb022
commit 6b9fffb022
parent 3b7c72f326
54 changed files with 49 additions and 96 deletions
--- a/secrets/README.md
+++ b/secrets/README.md
@ -0,0 +1,5 @@
+To create a secret:
+
+```bash
+nix run github:ryantm/agenix# -- -e secret.age
+``
--- a/secrets/borg_passphrase.age
+++ b/secrets/borg_passphrase.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 UwNSRQ Lr6HfHB1pQVAVESUkR1a1ie8o9cTtCa0LA4y20UvfRU
+8X+VZUfk2oRrM+A4pZC/6yyexo2Kr8MO7isiXPsnOJk
+-> ssh-ed25519 JJ7S4A fngT1OkV0pfig7UZ4vA8CWFDWc//xn2KWRsk1+EI0Ac
+9J+I87tFasCug4rVaXJKNKzxr450YtZUypSTmwf/r7g
+-> ssh-ed25519 aqswPA I/RtBp+6CgMOPs41nbd8CqBgpgch8ixRGbzacXSDKRE
+adBD/lskyXK/QU+v/OlQ1wQK7PkhALpdxgHUc1i+jcU
+-> ssh-ed25519 LAPUww JtDnT4+NqLMBc+LpQSh0eQnSyXzJOHHbaZFNQmxIdC0
+/DjWq9XUAH3xZvU1PlB7Q70LQ0x9SRMmaSYQ+DyQZEM
+-> ssh-ed25519 vBZj5g 4YBFh5e32ZHr8byvd4vbZ9zljHO4FTrJGhsZiH//KVw
+iA+foYHtgt2PjBG9yfBWNLeygiIbW3MsbUQdVWgyrno
+-> ssh-ed25519 QP0PgA urlidySF5ZG9ILjdPuJPX6V/aDIAYzwBVd+XopDF5UA
+NL/RxiKPRn+uZW37jJKLOHCaktuvzm0SIwcMmBgF5CY
+--- aeaUWpBxSTjrcDDQa6Zk2dcdvhsdqs22JlvkduILpqE
+âå™§òQú²à¡)Š„Åçä¿7bt¡íu+Õ<>=¼¯M£ÁlìMúzsÕÚ8ð…	aÿ
--- a/secrets/borgbase.pem.age
+++ b/secrets/borgbase.pem.age
--- a/secrets/database_passwords.env.age
+++ b/secrets/database_passwords.env.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 UwNSRQ XKuX/onJklTJ1ws0svIwJy1PZN1MHsf5+N3z7XGvCyY
+JkyemSdV/ZcbjWLrwYLhKCE4Ln2seLR0WyYXGMepgBw
+-> ssh-ed25519 JJ7S4A 9wzkTABOPcmTG7LNWvZa7dKG0Ingf+KDckZ1tL2c3QQ
+IkxcStI4kwXkWj+j3PWl7FdyoVMVsiH9SZBnyffbcYQ
+-> ssh-ed25519 aqswPA 3i/v1qWLseD+FrPrnAXtSoK98a6Nrb3XrHinp2QPTn0
+RxuPM1oICEoF5oZAyQlCm+fOivI9sfZenZSlOGBIZK8
+-> ssh-ed25519 LAPUww MkvAMN/fZiV66+ub4Q/CDTIxJ3N3cMWBT0SQajespR0
+uh6SGtxR3BvsU/fTTTOnsNXD+bHNYMhTAFoc3QUtMr8
+-> ssh-ed25519 vBZj5g Jiu1sEmlws4eFPriuL2oS99Q9tFCyf4Zkv/khLONvT0
+cLLHcvmIb1Nb7eVmKJyYdvfulgbcZ73N0x6GWyKeJPs
+-> ssh-ed25519 QP0PgA A1Raf1CiVJ5tnJXRIeS0VpCUNX/iYNzGozQxApY9KGM
+998c6IZfPNW8uMttkK8xGp1hgKXBcrwuBOgOpXWPCu8
+--- /Qv6sfhphlYb9WtWdmPt6RZJPHxBO4jCSgauazsHIt8
+1kYiL7¸<37>Áª-Ç}—`ýŠƒÇNƒV‹oäCñ'ÞÛ§ýhßô[øvDŠU€pv×½¶Òõ¦~e‰Â0yœ¦ÿ—ÑÄ2`•Ý<E280A2>ºîÆ±ŽïÑ¥ÂÔåú8›/´ª	¸
+÷MEÐŽh·sÈqÌâ¤|ßkØªí<Ó°¡+ÊÍ9eË0óŸ‘¸;)Ï?IL-ëÓJY¾gðpk+Ûí’úˆHRûé5ÔÍÉÛ¥ú”§„Ø×på :8·ùo©þ1¥zâs—`•_MSÒí«Q˜;Q_o]·
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,36 @@
+let
+  pkgs = import <nixpkgs> { };
+  lib = pkgs.lib;
+
+  publicKeyURLs = [
+    "https://github.com/pizzapim.keys"
+    "https://github.com/pizzaniels.keys"
+  ];
+
+  encryptedFileNames = [
+    "database_passwords.env.age"
+    "borg_passphrase.age"
+    "borgbase.pem.age"
+  ];
+
+  machinePublicKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a jefke"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 atlas"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a lewis"
+  ];
+
+  fetchPublicKeys = url:
+    let
+      publicKeysFile = builtins.fetchurl { inherit url; };
+      publicKeysFileContents = lib.strings.fileContents publicKeysFile;
+    in
+    lib.strings.splitString "\n" publicKeysFileContents;
+
+  adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
+
+  allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];
+
+  publicKeysForEncryptedFileName = encryptedFileName:
+    { "${encryptedFileName}".publicKeys = allPublicKeys; };
+in
+lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)