2024-12-11 13:26:38 +01:00
|
|
|
let
|
|
|
|
pkgs = import <nixpkgs> { system = builtins.currentSystem; };
|
|
|
|
inherit (pkgs.lib.attrsets) concatMapAttrs;
|
|
|
|
|
|
|
|
##############################################################################
|
|
|
|
## Contributor personal keys
|
|
|
|
##
|
|
|
|
## All the contributors in this list WILL be able to decrypt ALL the encrypted
|
|
|
|
## `.age` files.
|
|
|
|
|
|
|
|
contributors = [
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
|
|
|
|
];
|
|
|
|
|
|
|
|
##############################################################################
|
|
|
|
## System host keys
|
|
|
|
##
|
|
|
|
## Machines in this list MAY be mentioned later on as able to decrypt some of
|
|
|
|
## the encrypted `.age` files.
|
|
|
|
|
2024-12-11 13:27:37 +01:00
|
|
|
vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
|
2024-12-11 13:26:38 +01:00
|
|
|
vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
|
|
|
|
vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
|
|
|
|
|
|
|
|
##############################################################################
|
|
|
|
|
|
|
|
in
|
|
|
|
concatMapAttrs
|
|
|
|
(name: keys: {
|
|
|
|
"${name}.age".publicKeys = contributors ++ keys;
|
|
|
|
})
|
|
|
|
|
|
|
|
##############################################################################
|
|
|
|
## File name <-> system host keys mapping
|
|
|
|
##
|
|
|
|
## This attribute set defines precisely which secrets exist and which systems
|
|
|
|
## are able to decrypt them.
|
|
|
|
|
|
|
|
{
|
2024-12-11 13:27:37 +01:00
|
|
|
forgejo-database-password = [ vm02116 ];
|
|
|
|
forgejo-email-password = [ vm02116 ];
|
2024-12-11 13:26:38 +01:00
|
|
|
forgejo-runner-token = [
|
|
|
|
vm02179
|
|
|
|
vm02186
|
|
|
|
];
|
|
|
|
}
|