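# agenix secrets declaration: maps every `*.age` file to the set of public
# keys allowed to decrypt it.
#
# Evaluates to an attribute set of the form
#   { "<secret-name>.age" = { publicKeys = [ ... ]; }; ... }
#
# Only `builtins` are used, so this file evaluates without NIX_PATH
# (no `<nixpkgs>` import) and without the impure `builtins.currentSystem`.
# The source as seen read `import { system = builtins.currentSystem; }` with the
# path argument lost; `pkgs` was only needed for `lib.concatMapAttrs`, which
# `builtins.mapAttrs` + `builtins.listToAttrs` replace here.
let
  ##############################################################################
  ## Contributor personal keys
  ##
  ## All the contributors in this list WILL be able to decrypt ALL the encrypted
  ## `.age` files. Adding or removing an entry does not touch already-encrypted
  ## files: every `.age` file must be rekeyed afterwards for the change to take
  ## effect (a removed key can still decrypt the old ciphertext).
  contributors = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
  ];

  ##############################################################################
  ## System host keys
  ##
  ## Machines in this list MAY be mentioned later on as able to decrypt some of
  ## the encrypted `.age` files. These are the hosts' SSH host public keys; the
  ## matching private key lives in /etc/ssh on the machine.
  vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr";
  vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
  vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";

  ##############################################################################
  ## File name <-> system host keys mapping
  ##
  ## This attribute set defines precisely which secrets exist and which systems
  ## are able to decrypt them. Keep each list to the hosts that actually need
  ## the secret; the contributor keys are added to every entry automatically.
  secrets = {
    forgejo-database-password = [ vm02116 ];
    forgejo-email-password = [ vm02116 ];
    forgejo-runner-token = [ vm02179 vm02186 ];
  };

  ##############################################################################
  # Turn one `name = hostKeys` entry into the `{ name; value; }` pair that
  # `builtins.listToAttrs` expects, under the `<name>.age` file name.
  toAgeEntry = name: hostKeys: {
    name = "${name}.age";
    value.publicKeys = contributors ++ hostKeys;
  };
in
builtins.listToAttrs (builtins.attrValues (builtins.mapAttrs toAgeEntry secrets))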