chore: Run nix fmt
All checks were successful
CI / Format Check (push) Successful in 2s
CI / Flake Check (push) Successful in 1m42s
CI / Evaluate Key Configurations (nix-builder) (push) Successful in 13s
CI / Evaluate Key Configurations (nix-desktop1) (push) Successful in 7s
CI / Evaluate Key Configurations (nix-laptop1) (push) Successful in 8s
CI / Evaluate Artifacts (installer-iso-nix-laptop1) (push) Successful in 22s
CI / Evaluate Artifacts (lxc-nix-builder) (push) Successful in 14s
CI / Build and Publish Documentation (push) Successful in 10s
All checks were successful
CI / Format Check (push) Successful in 2s
CI / Flake Check (push) Successful in 1m42s
CI / Evaluate Key Configurations (nix-builder) (push) Successful in 13s
CI / Evaluate Key Configurations (nix-desktop1) (push) Successful in 7s
CI / Evaluate Key Configurations (nix-laptop1) (push) Successful in 8s
CI / Evaluate Artifacts (installer-iso-nix-laptop1) (push) Successful in 22s
CI / Evaluate Artifacts (lxc-nix-builder) (push) Successful in 14s
CI / Build and Publish Documentation (push) Successful in 10s
This commit is contained in:
UGA Innovation Factory
@@ -12,7 +12,7 @@ let
|
||||
# ========== System Public Keys (Age Format) ==========
|
||||
# Convert SSH host keys to age format:
|
||||
# ssh-to-age < secrets/{hostname}/ssh_host_ed25519_key.pub
|
||||
|
||||
|
||||
# Example (replace with actual age keys):
|
||||
# nix-builder = "age1...";
|
||||
# usda-dash = "age1...";
|
||||
@@ -20,7 +20,7 @@ let
|
||||
# ========== User Public Keys (for editing secrets) ==========
|
||||
# These are personal age keys for administrators who need to edit secrets
|
||||
# Generate with: age-keygen
|
||||
|
||||
|
||||
# Example:
|
||||
# admin1 = "age1...";
|
||||
# admin2 = "age1...";
|
||||
|
||||
@@ -24,11 +24,7 @@ let
|
||||
hostname = config.networking.hostName;
|
||||
|
||||
# Read all directories in ./secrets
|
||||
secretDirs =
|
||||
if builtins.pathExists secretsPath then
|
||||
builtins.readDir secretsPath
|
||||
else
|
||||
{ };
|
||||
secretDirs = if builtins.pathExists secretsPath then builtins.readDir secretsPath else { };
|
||||
|
||||
# Filter to only directories (excludes files)
|
||||
isDirectory = name: type: type == "directory";
|
||||
@@ -40,25 +36,23 @@ let
|
||||
let
|
||||
dirPath = secretsPath + "/${dirName}";
|
||||
files = builtins.readDir dirPath;
|
||||
|
||||
|
||||
# Check if there's a default.nix with custom secret configurations
|
||||
hasDefaultNix = files ? "default.nix";
|
||||
customConfigs = if hasDefaultNix then import (dirPath + "/default.nix") else { };
|
||||
|
||||
|
||||
# Only include .age files (exclude .pub public keys and other files)
|
||||
secretFiles = lib.filterAttrs (
|
||||
name: type: type == "regular" && lib.hasSuffix ".age" name
|
||||
) files;
|
||||
secretFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".age" name) files;
|
||||
in
|
||||
lib.mapAttrs' (
|
||||
name: _:
|
||||
let
|
||||
# Remove .age extension for the secret name
|
||||
secretName = lib.removeSuffix ".age" name;
|
||||
|
||||
|
||||
# Get custom config for this secret if defined
|
||||
customConfig = customConfigs.${secretName} or { };
|
||||
|
||||
|
||||
# Base configuration with file path
|
||||
baseConfig = {
|
||||
file = dirPath + "/${name}";
|
||||
@@ -74,9 +68,7 @@ let
|
||||
dirPath = secretsPath + "/${dirName}";
|
||||
files = if builtins.pathExists dirPath then builtins.readDir dirPath else { };
|
||||
# Only include .pub public key files
|
||||
pubKeyFiles = lib.filterAttrs (
|
||||
name: type: type == "regular" && lib.hasSuffix ".pub" name
|
||||
) files;
|
||||
pubKeyFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".pub" name) files;
|
||||
in
|
||||
lib.mapAttrsToList (
|
||||
name: _:
|
||||
@@ -128,7 +120,7 @@ let
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/age/identity.key"
|
||||
];
|
||||
|
||||
|
||||
# Combine all paths and remove duplicates
|
||||
allPaths = lib.unique (defaultPaths ++ globalPaths ++ hostPaths);
|
||||
in
|
||||
@@ -151,29 +143,31 @@ in
|
||||
};
|
||||
|
||||
extraSecrets = mkOption {
|
||||
type = types.attrsOf (types.submodule {
|
||||
options = {
|
||||
file = mkOption {
|
||||
type = types.path;
|
||||
description = "Path to the encrypted secret file";
|
||||
type = types.attrsOf (
|
||||
types.submodule {
|
||||
options = {
|
||||
file = mkOption {
|
||||
type = types.path;
|
||||
description = "Path to the encrypted secret file";
|
||||
};
|
||||
mode = mkOption {
|
||||
type = types.str;
|
||||
default = "0400";
|
||||
description = "Permissions mode for the decrypted secret";
|
||||
};
|
||||
owner = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = "Owner of the decrypted secret file";
|
||||
};
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = "Group of the decrypted secret file";
|
||||
};
|
||||
};
|
||||
mode = mkOption {
|
||||
type = types.str;
|
||||
default = "0400";
|
||||
description = "Permissions mode for the decrypted secret";
|
||||
};
|
||||
owner = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = "Owner of the decrypted secret file";
|
||||
};
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = "Group of the decrypted secret file";
|
||||
};
|
||||
};
|
||||
});
|
||||
}
|
||||
);
|
||||
default = { };
|
||||
description = ''
|
||||
Additional secrets to define manually, beyond the auto-discovered ones.
|
||||
@@ -205,6 +199,8 @@ in
|
||||
let
|
||||
hasSecrets = (builtins.length (builtins.attrNames applicableSecrets)) > 0;
|
||||
in
|
||||
lib.optional (!hasSecrets) "No age-encrypted secrets found in ./secrets/global/ or ./secrets/${hostname}/";
|
||||
lib.optional (
|
||||
!hasSecrets
|
||||
) "No age-encrypted secrets found in ./secrets/global/ or ./secrets/${hostname}/";
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user