Expose keys and secrets in the global flake

This commit is contained in:
Nicolas Jeannerod 2024-12-12 11:05:11 +01:00
parent 7908affaab
commit 109284b98b
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
4 changed files with 46 additions and 3 deletions


@ -27,7 +27,9 @@
./deployment/flake-part.nix
./infra/flake-part.nix
./keys/flake-part.nix
./services/flake-part.nix
./secrets/flake-part.nix
];
perSystem =

3
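--- /dev/null
+++ b/keys/flake-part.nix
@@ -0,0 +1,3 @@
+{
+flake.keys = import ./.;
+}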

36
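--- /dev/null
+++ b/secrets/flake-part.nix
@@ -0,0 +1,36 @@
+{
+inputs,
+lib,
+...
+}:
+let
+inherit (builtins) elem;
+inherit (lib.attrsets) concatMapAttrs filterAttrs;
+inherit (lib.strings) removeSuffix;
+secrets = import ./secrets.nix;
+in
+{
+flake = {
+inherit secrets;
+nixosModules.ageSecrets = (
+{ config, ... }:
+{
+imports = [ inputs.agenix.nixosModules.default ];
+options.x_fediversity.hostPublicKey = lib.mkOption {
+description = ''
+The host public key of the machine. It is used in particular
+to filter Age secrets and only keep the relevant ones.
+'';
+};
+config.age.secrets = concatMapAttrs (name: _: {
+${removeSuffix ".age" name}.file = ./. + "/${name}";
+}) (filterAttrs (_: secret: elem config.x_fediversity.hostPublicKey secret.publicKeys) secrets);
+}
+);
+};
+}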
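Review bot: The option declared on the `options.x_fediversity.hostPublicKey` line has no `type`, so the value that the `config.age.secrets` line compares against each secret's `publicKeys` is never validated, and a host that sets it to something other than a string (or imports the module without setting it) only fails inside `filterAttrs`/`elem` with an unhelpful message. Declaring the type pins the contract: add `type = lib.types.str;` next to `description`. Since `elem` is an exact comparison, it may also be worth stating in the description that the key must match one of the `publicKeys` entries in `secrets.nix` exactly, as a trailing comment or whitespace in the key string would silently select no secrets for that host.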


@ -1,7 +1,9 @@
let
pkgs = import <nixpkgs> { system = builtins.currentSystem; };
inherit (builtins) attrValues;
inherit (pkgs.lib.attrsets) concatMapAttrs;
inherit (builtins) attrValues foldl' mapAttrs;
## `mergeAttrs` and `concatMapAttrs` are in `lib.trivial` and `lib.attrsets`,
## but we would rather avoid a dependency in nixpkgs for this file.
mergeAttrs = x: y: x // y;
concatMapAttrs = f: v: foldl' mergeAttrs { } (attrValues (mapAttrs f v));
keys = import ../keys;
contributors = attrValues keys.contributors;