# run `nix eval --file secrets.nix` to check that the file is properly generated
#
# Recipient table for the `age` secrets module: evaluates the flake one
# directory up, collects every `age.secrets.<name>.file` declared by a NixOS or
# nix-darwin host that also sets `publicKey`, and maps each secret (named by the
# part of its file path after the last "/secrets/") to the keys allowed to
# decrypt it: the `fcuny` keys plus the `publicKey` of every host declaring it.
# The `fcuny` keys are therefore recipients of every secret in the table.
let
  inherit (builtins)
    all
    attrValues
    concatMap
    elem
    elemAt
    filter
    foldl'
    getFlake
    hasAttr
    length
    listToAttrs
    split
    ;

  flake = getFlake (toString ../.);

  # Last element of a non-empty list.
  last = xs: elemAt xs (length xs - 1);

  # Order-preserving de-duplication; the first occurrence of a value wins.
  unique = foldl' (seen: x: if elem x seen then seen else seen ++ [ x ]) [ ];

  # Keep only the hosts whose config defines every attribute in `required`.
  hostsWithRequiredAttrs =
    required: hosts: filter (host: all (attr: hasAttr attr host) required) hosts;

  # `config` of every NixOS and nix-darwin host exported by the flake.
  hostConfigsList =
    let
      configsOf = outputs: map (host: host.config) (attrValues outputs);
    in
    configsOf flake.nixosConfigurations ++ configsOf flake.darwinConfigurations;

  # Hosts that both publish a `publicKey` and define the `age` option set.
  hostsWithSecrets = hostsWithRequiredAttrs [ "publicKey" "age" ] hostConfigsList;

  # Name a secret by what follows the last "/secrets/" in its file path; a path
  # without that segment is used unchanged (`split` then yields only the input).
  toLocalSecretPath = path: last (split "/secrets/" path);

  # Local names of every secret a single host declares.
  localSecretNames =
    host: map (secret: toLocalSecretPath (toString secret.file)) (attrValues host.age.secrets);

  # Every secret name declared by any host, without duplicates.
  secretsList = unique (concatMap localSecretNames hostsWithSecrets);

  # Public keys of the hosts that declare `secretName`, without duplicates.
  getPublicKeysForSecret =
    secretName:
    let
      usingSecret = filter (host: elem secretName (localSecretNames host)) hostsWithSecrets;
    in
    unique (map (host: host.publicKey) usingSecret);

  # Keys appended to the recipient list of every secret.
  fcuny = [
    "age1yubikey1qv92lk8ckjm2qs900h89pz9myl3nfjnz7fc0eluppexyfgc0pfnjusaje3w"
    "age1yubikey1qd30fnnxd2uh9lgw0dr7nwvmn003rmzkrg87xfw67gdsf7u0lhm3kd4w8ul"
    "age1yubikey1qwrxced5j32ks5cc5aqffwz68yva9ukkz6tx5xm2sjn8swl2evtlsjlmsy9"
  ];
in
listToAttrs (
  map (secretName: {
    name = secretName;
    value.publicKeys = fcuny ++ getPublicKeysForSecret secretName;
  }) secretsList
)