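# agenix recipient map.
#
# Evaluates the flake in the parent directory, collects every `age.secrets.*`
# entry declared by a NixOS or nix-darwin host, and maps each secret file
# (path relative to this `secrets/` directory) to the age recipients that must
# be able to decrypt it:
#
#   * the administrator's YubiKey-backed age keys (`fcuny`), on every secret, and
#   * the `publicKey` of each host that actually references the secret.
#
# A host only becomes a recipient of the secrets it declares itself, so one
# leaked host key does not expose the secrets of the other hosts.
#
# Check the file with:  nix eval --file secrets.nix
# A host that declares secrets but exposes no `publicKey` (e.g. not yet
# provisioned) is reported on stderr: none of its secrets can be encrypted to
# it until the key is added, so it will not be able to decrypt them.
let
  inherit (builtins)
    all
    any
    attrValues
    concatMap
    concatStringsSep
    elem
    elemAt
    filter
    getFlake
    hasAttr
    isList
    length
    listToAttrs
    split
    trace
    ;

  flake = getFlake (toString ../.);

  # Last element of a non-empty list.
  last = list: elemAt list (length list - 1);

  # Recursively flatten nested lists into a single list.
  flatten = x: if isList x then concatMap flatten x else [ x ];

  # Remove duplicates, keeping the first occurrence of each element in order.
  # Quadratic, but the lists involved here are tiny.
  unique =
    list:
    let
      go =
        acc: remaining:
        if remaining == [ ] then
          acc
        else
          let
            head = builtins.head remaining;
            tail = builtins.tail remaining;
          in
          if elem head acc then go acc tail else go (acc ++ [ head ]) tail;
    in
    go [ ] list;

  # Keep only the host configs that define every attribute in `requiredAttrs`.
  hostsWithRequiredAttrs =
    requiredAttrs: hosts: filter (host: all (attr: hasAttr attr host) requiredAttrs) hosts;

  # `config` of every NixOS and nix-darwin host defined by the flake.
  hostConfigsList =
    (map (host: host.config) (attrValues flake.nixosConfigurations))
    ++ (map (host: host.config) (attrValues flake.darwinConfigurations));

  # Hosts that can take part in the recipient map: they expose a `publicKey`
  # (presumably the host's age/SSH host-key recipient, provided by a custom
  # option elsewhere in the flake — confirm there) and the agenix `age` options.
  hostsWithSecrets = hostsWithRequiredAttrs [ "publicKey" "age" ] hostConfigsList;

  # Hosts that declare secrets but have no `publicKey`. They are excluded from
  # `hostsWithSecrets`, so their secrets would otherwise vanish from the map
  # (or be encrypted only to other hosts) without any indication.
  hostsMissingPublicKey = filter (
    host: hasAttr "age" host && !(hasAttr "publicKey" host) && (host.age.secrets or { }) != { }
  ) hostConfigsList;

  # Secret file path relative to this directory: everything after the last
  # `/secrets/` in the absolute path. `split` interleaves the string pieces
  # with match lists, so the final element is the trailing string.
  toLocalSecretPath = path: last (split "/secrets/" path);

  # Every secret referenced by any eligible host, without duplicates.
  secretsList = unique (
    flatten (
      map (
        host: map (secret: toLocalSecretPath (toString secret.file)) (attrValues host.age.secrets)
      ) hostsWithSecrets
    )
  );

  # Public keys of exactly the hosts whose `age.secrets` reference `secretName`.
  getPublicKeysForSecret =
    secretName:
    let
      hostsUsingSecret = filter (
        host:
        any (secret: secretName == toLocalSecretPath (toString secret.file)) (attrValues host.age.secrets)
      ) hostsWithSecrets;
    in
    unique (map (host: host.publicKey) hostsUsingSecret);

  # Administrator recipients (`age1yubikey1…` = age-plugin-yubikey). Added to
  # every secret so they can always be read and re-keyed independently of any
  # host key.
  fcuny = [
    "age1yubikey1qv92lk8ckjm2qs900h89pz9myl3nfjnz7fc0eluppexyfgc0pfnjusaje3w"
    "age1yubikey1qd30fnnxd2uh9lgw0dr7nwvmn003rmzkrg87xfw67gdsf7u0lhm3kd4w8ul"
    "age1yubikey1qwrxced5j32ks5cc5aqffwz68yva9ukkz6tx5xm2sjn8swl2evtlsjlmsy9"
  ];

  # The agenix rules: `{ "<path>.age".publicKeys = [ ... ]; ... }`.
  secrets = listToAttrs (
    map (secretName: {
      name = secretName;
      value.publicKeys = fcuny ++ (getPublicKeysForSecret secretName);
    }) secretsList
  );

  missingHostNames = map (host: host.networking.hostName or "<unknown host>") hostsMissingPublicKey;
in
# Warn rather than fail: a host that is declared but not yet provisioned must
# not block re-keying the secrets of every other host.
if hostsMissingPublicKey == [ ] then
  secrets
else
  trace "secrets.nix: hosts declare age.secrets but define no publicKey; their secrets are not encrypted to them: ${concatStringsSep ", " missingHostNames}" secrets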