Clean up handling of secrets in infra

2025-01-31 16:28:52 +01:00 · 2025-01-31 16:28:52 +01:00 · 564938e52d
commit 564938e52d
parent 8fa7bd4df5
3 changed files with 44 additions and 65 deletions
--- a/flake.nix
+++ b/flake.nix
@ -29,7 +29,6 @@
        ./infra/flake-part.nix
        ./keys/flake-part.nix
        ./services/flake-part.nix
-        ./secrets/flake-part.nix
      ];

      perSystem =
--- a/infra/common/procolixResource.nix
+++ b/infra/common/procolixResource.nix
@ -8,7 +8,9 @@
 }:

 let
-  inherit (lib) attrValues mkOption;
+  inherit (lib) attrValues elem mkOption;
+  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+  inherit (lib.strings) removeSuffix;

 in
 {
@ -16,33 +18,50 @@ in
    procolixVm = {
      name = mkOption { };
      host = mkOption { };
+
+      hostPublicKey = mkOption {
+        description = ''
+          The host public key of the machine. It is used in particular
+          to filter Age secrets and only keep the relevant ones.
+        '';
+      };
    };
  };

-  config = {
-    type = providers.local.exec;
-
-    ssh = {
-      host = config.procolixVm.host;
-      opts = "";
+  config =
+    let
      hostPublicKey = self.keys.systems.${config.procolixVm.name};
+
+    in
+    {
+      type = providers.local.exec;
+
+      ssh = {
+        host = config.procolixVm.host;
+        hostPublicKey = hostPublicKey;
+      };
+
+      nixpkgs = inputs.nixpkgs;
+
+      nixos.module = {
+        imports = [
+          inputs.agenix.nixosModules.default
+          ./nixosConfiguration
+        ];
+
+        ## Read all the secrets, filter the ones that are supposed to be
+        ## readable with this host's public key, and add them correctly to the
+        ## configuration as `age.secrets.<name>.file`.
+        age.secrets = concatMapAttrs (
+          name: secret:
+          optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+            ${removeSuffix ".age" name}.file = ../../secrets + "/${name}";
+          })
+        ) (import ../../secrets/secrets.nix);
+
+        ## FIXME: Remove direct root authentication once the NixOps4 NixOS
+        ## provider supports users with password-less sudo.
+        users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
+      };
    };
-
-    nixpkgs = inputs.nixpkgs;
-
-    nixos.module = {
-      imports = [
-        ./nixosConfiguration
-
-        self.nixosModules.ageSecrets
-      ];
-
-      ## Necessary to filter Age secrets.
-      fediversity.hostPublicKey = self.keys.systems.${config.procolixVm.name};
-
-      ## FIXME: Remove direct root authentication once the NixOps4 NixOS
-      ## provider supports users with password-less sudo.
-      users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
-    };
-  };
 }
--- a/secrets/flake-part.nix
+++ b/secrets/flake-part.nix
@ -1,39 +0,0 @@
-{
-  inputs,
-  lib,
-  ...
-}:
-
-let
-  inherit (builtins) elem;
-  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
-  inherit (lib.strings) removeSuffix;
-
-  secrets = import ./secrets.nix;
-in
-{
-  flake = {
-    inherit secrets;
-
-    nixosModules.ageSecrets = (
-      { config, ... }:
-      {
-        imports = [ inputs.agenix.nixosModules.default ];
-
-        options.fediversity.hostPublicKey = lib.mkOption {
-          description = ''
-            The host public key of the machine. It is used in particular
-            to filter Age secrets and only keep the relevant ones.
-          '';
-        };
-
-        config.age.secrets = concatMapAttrs (
-          name: secret:
-          optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({
-            ${removeSuffix ".age" name}.file = ./. + "/${name}";
-          })
-        ) secrets;
-      }
-    );
-  };
-}