Fediversity/secrets/secrets.nix

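# agenix secrets manifest.
#
# Evaluates to an attribute set of the form
#   { "<name>.age" = { publicKeys = [ ... ]; }; ... }
# which agenix reads to decide which recipients each encrypted file is
# re-encrypted for.
#
# Only `builtins` are used: the previous `import <nixpkgs>` together with
# `builtins.currentSystem` made this file impure (fails under `--pure-eval`
# and depends on NIX_PATH) just to reach `lib.attrsets.concatMapAttrs`.
let
  ##############################################################################
  ## Contributor personal keys
  ##
  ## All the contributors in this list WILL be able to decrypt ALL the encrypted
  ## `.age` files. Adding or removing a key here does not change the existing
  ## ciphertexts: re-encrypt every file (`agenix --rekey`) afterwards, and treat
  ## a removed contributor as still knowing every secret they could decrypt.
  contributors = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
  ];

  ##############################################################################
  ## System host keys
  ##
  ## Machines in this list MAY be mentioned later on as able to decrypt some of
  ## the encrypted `.age` files. Each value is the host's SSH host public key
  ## (ssh-ed25519); a reinstalled host gets a new key and must be updated here.
  vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
  vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
  vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";

  ##############################################################################
  ## File name <-> system host keys mapping
  ##
  ## This attribute set defines precisely which secrets exist and which systems
  ## are able to decrypt them. Every entry becomes one `<name>.age` file whose
  ## recipients are all contributors plus the listed hosts, so keep each list
  ## to the hosts that actually need that secret.
  secrets = {
    forgejo-database-password = [ vm02116 ];
    forgejo-email-password = [ vm02116 ];
    forgejo-runner-token = [
      vm02179
      vm02186
    ];
  };

  ## One `secrets` entry -> { name = "<name>.age"; value.publicKeys = [...]; }
  ## in the shape `builtins.listToAttrs` expects. Since every entry produces
  ## exactly one distinct attribute, this is equivalent to the former
  ## `concatMapAttrs` call without needing nixpkgs.
  toSecretFile = name: {
    name = "${name}.age";
    value.publicKeys = contributors ++ secrets.${name};
  };
in
builtins.listToAttrs (map toSecretFile (builtins.attrNames secrets))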