nixos-servers/secrets/secrets.nix

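# Recipient list for the encrypted secrets in this directory: every file
# named in encryptedFileNames is encrypted to the union of the machine host
# keys below and the admin keys fetched from GitHub.
let
  pkgs = import <nixpkgs> { };
  lib = pkgs.lib;

  # GitHub serves each account's registered SSH public keys as plain text,
  # one key per line.
  publicKeyURLs = [
    "https://github.com/pizzapim.keys"
    "https://github.com/pizzaniels.keys"
  ];

  # The encrypted files this expression describes; all of them share the
  # same recipient set (allPublicKeys).
  encryptedFileNames = [
    "database_passwords.env.age"
    "borg_passphrase.age"
    "borgbase.pem.age"
  ];

  # Host keys of the machines that must be able to decrypt the secrets.
  machinePublicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a jefke"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 atlas"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a lewis"
  ];

  # Download one .keys file and return the keys it lists, one string each.
  #
  # NOTE(review): builtins.fetchurl is used without a hash, so the admin
  # recipient list is whatever the URL serves at evaluation time. Any change
  # to the keys registered on the GitHub account (intended or not) silently
  # changes who can decrypt every secret the next time they are re-encrypted.
  # Pinning the download (`sha256 = "<hash of the .keys file>"`) or inlining
  # the admin keys like machinePublicKeys removes that dependency on the
  # network, at the cost of a manual edit whenever an admin key rotates.
  fetchPublicKeys = url:
    let
      publicKeysFile = builtins.fetchurl { inherit url; };
      # fileContents strips only the final trailing newline; blank lines
      # elsewhere in the file would otherwise turn into empty-string "keys".
      lines = lib.strings.splitString "\n" (lib.strings.fileContents publicKeysFile);
    in
    builtins.filter (line: line != "") lines;

  adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
  allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];

  # Build the `{ "<file>".publicKeys = [...]; }` attribute for one file.
  publicKeysForEncryptedFileName = encryptedFileName:
    { "${encryptedFileName}".publicKeys = allPublicKeys; };
in
lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)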