diff --git a/flake.nix b/flake.nix
index 832fc4c0..484dd569 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,7 +29,6 @@
 ./infra/flake-part.nix
 ./keys/flake-part.nix
 ./services/flake-part.nix
- ./secrets/flake-part.nix
 ];
 perSystem =
diff --git a/infra/common/procolixResource.nix b/infra/common/procolixResource.nix
index d0ef2bac..bfb00040 100644
--- a/infra/common/procolixResource.nix
+++ b/infra/common/procolixResource.nix
@@ -8,7 +8,9 @@
 }:
 let
- inherit (lib) attrValues mkOption;
+ inherit (lib) attrValues elem mkOption;
+ inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+ inherit (lib.strings) removeSuffix;
 in
 {
@@ -16,33 +18,50 @@ in
 procolixVm = {
 name = mkOption { };
 host = mkOption { };
+
+ hostPublicKey = mkOption {
+ description = ''
+ The host public key of the machine. It is used in particular
+ to filter Age secrets and only keep the relevant ones.
+ '';
+ };
 };
 };
- config = {
- type = providers.local.exec;
-
- ssh = {
- host = config.procolixVm.host;
- opts = "";
+ config =
+ let hostPublicKey = self.keys.systems.${config.procolixVm.name};
+
+ in
+ {
+ type = providers.local.exec;
+
+ ssh = {
+ host = config.procolixVm.host;
+ hostPublicKey = hostPublicKey;
+ };
+
+ nixpkgs = inputs.nixpkgs;
+
+ nixos.module = {
+ imports = [
+ inputs.agenix.nixosModules.default
+ ./nixosConfiguration
+ ];
+
+ ## Read all the secrets, filter the ones that are supposed to be
+ ## readable with this host's public key, and add them correctly to the
+ ## configuration as `age.secrets..file`.
+ age.secrets = concatMapAttrs (
+ name: secret:
+ optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+ ${removeSuffix ".age" name}.file = ../../secrets + "/${name}";
+ })
+ ) (import ../../secrets/secrets.nix);
+
+ ## FIXME: Remove direct root authentication once the NixOps4 NixOS
+ ## provider supports users with password-less sudo.
+ users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
+ };
 };
-
- nixpkgs = inputs.nixpkgs;
-
- nixos.module = {
- imports = [
- ./nixosConfiguration
-
- self.nixosModules.ageSecrets
- ];
-
- ## Necessary to filter Age secrets.
- fediversity.hostPublicKey = self.keys.systems.${config.procolixVm.name};
-
- ## FIXME: Remove direct root authentication once the NixOps4 NixOS
- ## provider supports users with password-less sudo.
- users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
- };
- };
 }
diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix
deleted file mode 100644
index b2e1874d..00000000
--- a/secrets/flake-part.nix
+++ /dev/null
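Review bot: The new `procolixVm.hostPublicKey` option is declared but never read: the `let hostPublicKey = self.keys.systems.${config.procolixVm.name};` binding at the top of `config` looks the key up directly, so both the SSH host-key pin in `ssh.hostPublicKey` and the `age.secrets` filter ignore whatever a user sets on the option, silently rather than with an evaluation error. Either drop the option or make it the single source of truth, e.g. give the declaration `type = lib.types.str;` and `default = self.keys.systems.${config.procolixVm.name};` and change the binding to `let hostPublicKey = config.procolixVm.hostPublicKey;`. A `type` on the option also turns a mistyped key into an eval-time failure instead of `elem` returning false for every secret and producing an empty `age.secrets`. The comment `age.secrets..file` appears to have lost a placeholder between the dots, presumably the secret name. The enclosing `options`/module attrset starts outside the hunk.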
@@ -1,39 +0,0 @@
-{
- inputs,
- lib,
- ...
-}:
-
-let
- inherit (builtins) elem;
- inherit (lib.attrsets) concatMapAttrs optionalAttrs;
- inherit (lib.strings) removeSuffix;
-
- secrets = import ./secrets.nix;
-in
-{
- flake = {
- inherit secrets;
-
- nixosModules.ageSecrets = (
- { config, ... }:
- {
- imports = [ inputs.agenix.nixosModules.default ];
-
- options.fediversity.hostPublicKey = lib.mkOption {
- description = ''
- The host public key of the machine. It is used in particular
- to filter Age secrets and only keep the relevant ones.
- '';
- };
-
- config.age.secrets = concatMapAttrs (
- name: secret:
- optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({
- ${removeSuffix ".age" name}.file = ./. + "/${name}";
- })
- ) secrets;
- }
- );
- };
-}