Clean up handling of secrets in infra

2025-01-31 16:28:52 +01:00 · 2025-01-31 16:28:52 +01:00 · 564938e52d
commit 564938e52d
parent 8fa7bd4df5
3 changed files with 44 additions and 65 deletions
--- a/flake.nix
+++ b/flake.nix
@ -29,7 +29,6 @@
        ./infra/flake-part.nix
        ./keys/flake-part.nix
        ./services/flake-part.nix
-        ./secrets/flake-part.nix
      ];

      perSystem =
--- a/infra/common/procolixResource.nix
+++ b/infra/common/procolixResource.nix
@ -8,7 +8,9 @@
 }:

 let
-  inherit (lib) attrValues mkOption;
+  inherit (lib) attrValues elem mkOption;
+  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+  inherit (lib.strings) removeSuffix;

 in
 {
@ -16,29 +18,46 @@ in
    procolixVm = {
      name = mkOption { };
      host = mkOption { };
+
+      hostPublicKey = mkOption {
+        description = ''
+          The host public key of the machine. It is used in particular
+          to filter Age secrets and only keep the relevant ones.
+        '';
+      };
    };
  };

-  config = {
+  config =
+    let
+      hostPublicKey = self.keys.systems.${config.procolixVm.name};
+
+    in
+    {
      type = providers.local.exec;

      ssh = {
        host = config.procolixVm.host;
-      opts = "";
-      hostPublicKey = self.keys.systems.${config.procolixVm.name};
+        hostPublicKey = hostPublicKey;
      };

      nixpkgs = inputs.nixpkgs;

      nixos.module = {
        imports = [
+          inputs.agenix.nixosModules.default
          ./nixosConfiguration
-
-        self.nixosModules.ageSecrets
        ];

-      ## Necessary to filter Age secrets.
-      fediversity.hostPublicKey = self.keys.systems.${config.procolixVm.name};
+        ## Read all the secrets, filter the ones that are supposed to be
+        ## readable with this host's public key, and add them correctly to the
+        ## configuration as `age.secrets.<name>.file`.
+        age.secrets = concatMapAttrs (
+          name: secret:
+          optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+            ${removeSuffix ".age" name}.file = ../../secrets + "/${name}";
+          })
+        ) (import ../../secrets/secrets.nix);

        ## FIXME: Remove direct root authentication once the NixOps4 NixOS
        ## provider supports users with password-less sudo.
--- a/secrets/flake-part.nix
+++ b/secrets/flake-part.nix
@ -1,39 +0,0 @@
-{
-  inputs,
-  lib,
-  ...
-}:
-
-let
-  inherit (builtins) elem;
-  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
-  inherit (lib.strings) removeSuffix;
-
-  secrets = import ./secrets.nix;
-in
-{
-  flake = {
-    inherit secrets;
-
-    nixosModules.ageSecrets = (
-      { config, ... }:
-      {
-        imports = [ inputs.agenix.nixosModules.default ];
-
-        options.fediversity.hostPublicKey = lib.mkOption {
-          description = ''
-            The host public key of the machine. It is used in particular
-            to filter Age secrets and only keep the relevant ones.
-          '';
-        };
-
-        config.age.secrets = concatMapAttrs (
-          name: secret:
-          optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({
-            ${removeSuffix ".age" name}.file = ./. + "/${name}";
-          })
-        ) secrets;
-      }
-    );
-  };
-}