Keys in separate files in own directory

README.md

@@ -15,6 +15,9 @@ details as to what they are for. As an overview:
 - [`infra/`](./infra) contains the configurations for the various VMs that are
   in production for the project, for instance the Git instances or the Wiki.
 
+- [`keys/`](./keys) contains the public keys of the contributors to this project
+  as well as the systems that we administrate.
+
 - [`matrix/`](./matrix) contains everything having to do with setting up a
   fully-featured Matrix server.
 

flake.nix

@@ -48,6 +48,7 @@
               optin = [
                 "deployment"
                 "infra"
+                "keys"
                 "secrets"
                 "services"
               ];

keys/contributors/niols

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace

keys/default.nix

@@ -0,0 +1,16 @@
+let
+  inherit (builtins)
+    elemAt
+    mapAttrs
+    match
+    readDir
+    readFile
+    ;
+  removeTrailingWhitespace = s: elemAt (match "(.*[^[:space:]])[[:space:]]*" s) 0;
+  collectKeys =
+    dir: mapAttrs (name: _: removeTrailingWhitespace (readFile (dir + "/${name}"))) (readDir dir);
+in
+{
+  contributors = collectKeys ./contributors;
+  systems = collectKeys ./systems;
+}

keys/systems/vm02116

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr

keys/systems/vm02179

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM

keys/systems/vm02186

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW

secrets/secrets.nix

@@ -1,46 +1,32 @@
 let
   pkgs = import <nixpkgs> { system = builtins.currentSystem; };
+  inherit (builtins) attrValues;
   inherit (pkgs.lib.attrsets) concatMapAttrs;
 
-  ##############################################################################
+  keys = import ../keys;
-  ## Contributor personal keys
+  contributors = attrValues keys.contributors;
-  ##
-  ## All the contributors in this list WILL be able to decrypt ALL the encrypted
-  ## `.age` files.
-
-  contributors = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
-  ];
-
-  ##############################################################################
-  ## System host keys
-  ##
-  ## Machines in this list MAY be mentioned later on as able to decrypt some of
-  ## the encrypted `.age` files.
-
-  vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
-  vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
-  vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
-
-  ##############################################################################
-
 in
+
 concatMapAttrs
-  (name: keys: {
+  (name: systems: {
-    "${name}.age".publicKeys = contributors ++ keys;
+    "${name}.age".publicKeys = contributors ++ systems;
   })
 
-  ##############################################################################
+  (
-  ## File name <-> system host keys mapping
+    with keys.systems;
-  ##
-  ## This attribute set defines precisely which secrets exist and which systems
-  ## are able to decrypt them.
 
-  {
+    ##############################################################################
-    forgejo-database-password = [ vm02116 ];
+    ## File name <-> system host keys mapping
-    forgejo-email-password = [ vm02116 ];
+    ##
-    forgejo-runner-token = [
+    ## This attribute set defines precisely which secrets exist and which systems
-      vm02179
+    ## are able to decrypt them.
-      vm02186
+
-    ];
+    {
-  }
+      forgejo-database-password = [ vm02116 ];
+      forgejo-email-password = [ vm02116 ];
+      forgejo-runner-token = [
+        vm02179
+        vm02186
+      ];
+    }
+  )