Fediversity/secrets/secrets.nix

44 lines
1.3 KiB
Nix
Raw Normal View History

2024-12-11 13:26:38 +01:00
let
pkgs = import <nixpkgs> { system = builtins.currentSystem; };
inherit (pkgs.lib.attrsets) concatMapAttrs;
##############################################################################
## Contributor personal keys
##
## All the contributors in this list WILL be able to decrypt ALL the encrypted
## `.age` files.
contributors = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
];
##############################################################################
## System host keys
##
## Machines in this list MAY be mentioned later on as able to decrypt some of
## the encrypted `.age` files.
vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
##############################################################################
in
concatMapAttrs
(name: keys: {
"${name}.age".publicKeys = contributors ++ keys;
})
##############################################################################
## File name <-> system host keys mapping
##
## This attribute set defines precisely which secrets exist and which systems
## are able to decrypt them.
{
forgejo-runner-token = [
vm02179
vm02186
];
}