Cleaner resource definition
parent
e0b4dd4d5b
commit
eaad4daa39
1 changed files with 31 additions and 34 deletions
@ -13,48 +13,45 @@ let
|
||||||
secretsPrefix = ../../secrets;
|
secretsPrefix = ../../secrets;
|
||||||
secrets = import (secretsPrefix + "/secrets.nix");
|
secrets = import (secretsPrefix + "/secrets.nix");
|
||||||
keys = import ../../keys;
|
keys = import ../../keys;
|
||||||
|
hostPublicKey = keys.systems.${config.procolixVm.name};
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ ./options.nix ];
|
imports = [ ./options.nix ];
|
||||||
|
|
||||||
config =
|
ssh = {
|
||||||
let
|
host = config.procolixVm.host;
|
||||||
hostPublicKey = keys.systems.${config.procolixVm.name};
|
hostPublicKey = hostPublicKey;
|
||||||
|
};
|
||||||
|
|
||||||
in
|
nixpkgs = inputs.nixpkgs;
|
||||||
{
|
|
||||||
ssh = {
|
|
||||||
host = config.procolixVm.host;
|
|
||||||
hostPublicKey = hostPublicKey;
|
|
||||||
};
|
|
||||||
|
|
||||||
nixpkgs = inputs.nixpkgs;
|
## The configuration of the machine. We strive to keep in this file only the
|
||||||
|
## options that really need to be injected from the resource. Everything else
|
||||||
|
## should go into the `./nixos` subdirectory.
|
||||||
|
nixos.module = {
|
||||||
|
imports = [
|
||||||
|
inputs.agenix.nixosModules.default
|
||||||
|
./options.nix
|
||||||
|
./nixos
|
||||||
|
];
|
||||||
|
|
||||||
nixos.module = {
|
## Inject the shared options from the resource's `config` into the NixOS
|
||||||
imports = [
|
## configuration.
|
||||||
inputs.agenix.nixosModules.default
|
procolixVm = config.procolixVm;
|
||||||
./options.nix
|
|
||||||
./nixos
|
|
||||||
];
|
|
||||||
|
|
||||||
## Inject the shared options from the resource's `config` into the NixOS
|
## Read all the secrets, filter the ones that are supposed to be readable
|
||||||
## configuration.
|
## with this host's public key, and add them correctly to the configuration
|
||||||
procolixVm = config.procolixVm;
|
## as `age.secrets.<name>.file`.
|
||||||
|
age.secrets = concatMapAttrs (
|
||||||
|
name: secret:
|
||||||
|
optionalAttrs (elem hostPublicKey secret.publicKeys) ({
|
||||||
|
${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
|
||||||
|
})
|
||||||
|
) secrets;
|
||||||
|
|
||||||
## Read all the secrets, filter the ones that are supposed to be
|
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
|
||||||
## readable with this host's public key, and add them correctly to the
|
## supports users with password-less sudo.
|
||||||
## configuration as `age.secrets.<name>.file`.
|
users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
|
||||||
age.secrets = concatMapAttrs (
|
};
|
||||||
name: secret:
|
|
||||||
optionalAttrs (elem hostPublicKey secret.publicKeys) ({
|
|
||||||
${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
|
|
||||||
})
|
|
||||||
) secrets;
|
|
||||||
|
|
||||||
## FIXME: Remove direct root authentication once the NixOps4 NixOS
|
|
||||||
## provider supports users with password-less sudo.
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
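Review bot: `hostPublicKey = keys.systems.${config.procolixVm.name}`, now hoisted into the outer `let`, still surfaces a mis-typed or unregistered VM name only as a bare attribute-missing error, and because every `age.secrets` entry is gated on `elem hostPublicKey secret.publicKeys` in the `nixos.module` block, that failure would show up far from its cause; if `keys.systems` is an attrset keyed by VM name as the lookup suggests, `hostPublicKey = keys.systems.${config.procolixVm.name} or (throw "no system key registered for ${config.procolixVm.name}");` names the problem at the binding itself. The filtering is intentional per the existing comment, but its consequence deserves a line next to it, e.g. `## Secrets not encrypted to this host's key are silently dropped here; a later reference to age.secrets.<name> then fails with an attribute-missing error.`. As a style nit, `hostPublicKey = hostPublicKey;` in the `ssh` block can be `inherit hostPublicKey;`. The enclosing `let` begins before the hunk (the hunk header shows it as context).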