diff --git a/flake.nix b/flake.nix
index 6c4f9c2..f7251cc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,7 +27,9 @@
 ./deployment/flake-part.nix
 ./infra/flake-part.nix
+ ./keys/flake-part.nix
 ./services/flake-part.nix
+ ./secrets/flake-part.nix
 ];
 perSystem =
diff --git a/keys/flake-part.nix b/keys/flake-part.nix
new file mode 100644
index 0000000..7e01c8f
--- /dev/null
+++ b/keys/flake-part.nix
@@ -0,0 +1,3 @@
+{
+ flake.keys = import ./.;
+}
diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix
new file mode 100644
index 0000000..9f9b7f4
--- /dev/null
+++ b/secrets/flake-part.nix
@@ -0,0 +1,36 @@
+{
+ inputs,
+ lib,
+ ...
+}:
+
+let
+ inherit (builtins) elem;
+ inherit (lib.attrsets) concatMapAttrs filterAttrs;
+ inherit (lib.strings) removeSuffix;
+
+ secrets = import ./secrets.nix;
+in
+{
+ flake = {
+ inherit secrets;
+
+ nixosModules.ageSecrets = (
+ { config, ... }:
+ {
+ imports = [ inputs.agenix.nixosModules.default ];
+
+ options.x_fediversity.hostPublicKey = lib.mkOption {
+ description = ''
+ The host public key of the machine. It is used in particular
+ to filter Age secrets and only keep the relevant ones.
+ '';
+ };
+
+ config.age.secrets = concatMapAttrs (name: _: {
+ ${removeSuffix ".age" name}.file = ./. + "/${name}";
+ }) (filterAttrs (_: secret: elem config.x_fediversity.hostPublicKey secret.publicKeys) secrets);
+ }
+ );
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2190481..5a2bde8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
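Review bot: The `x_fediversity.hostPublicKey` option declared on the `options.` line of secrets/flake-part.nix has no `type`, so the module accepts any value; anything other than a single public-key string would simply match nothing in the `elem` filter and leave `age.secrets` quietly empty instead of failing evaluation. Adding `type = lib.types.str;` next to `description` turns a malformed key into an error at evaluation time, which is the behaviour you want for a value that decides which encrypted files a host is allowed to declare. The filter itself reads as a sound allow-list: only secrets whose `publicKeys` list contains the host's key are declared, so a host never references a file it cannot decrypt, though this relies on every entry in secrets.nix carrying a `publicKeys` attribute. A one-line comment above `config.age.secrets`, such as `## secret name = .age file name without the suffix; only secrets this host can decrypt are kept`, would make the naming convention visible to readers of secrets.nix.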
@@ -1,7 +1,9 @@
 let
- pkgs = import { system = builtins.currentSystem; };
- inherit (builtins) attrValues;
- inherit (pkgs.lib.attrsets) concatMapAttrs;
+ inherit (builtins) attrValues foldl' mapAttrs;
+ ## `mergeAttrs` and `concatMapAttrs` are in `lib.trivial` and `lib.attrsets`,
+ ## but we would rather avoid a dependency in nixpkgs for this file.
+ mergeAttrs = x: y: x // y;
+ concatMapAttrs = f: v: foldl' mergeAttrs { } (attrValues (mapAttrs f v));
 keys = import ../keys;
 contributors = attrValues keys.contributors;
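Review bot: The inlined `concatMapAttrs` on the last added line keeps last-wins semantics (`foldl' mergeAttrs { }` applies `//` in attribute order), so two entries whose `f` produce the same secret name are merged silently and only the later `publicKeys` list survives; in a file that decides who can decrypt what, a collision like that should be visible rather than absorbed. The existing `##` comment explains why nixpkgs is avoided but not this property, so a line such as `## NOTE: names produced by `f` must be unique — on a collision the later entry silently wins.` next to the definition would be worth adding. The `let` block and the callers of `concatMapAttrs` continue outside the hunk, so whether a collision can actually occur is not visible here.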