UGA-Innovation-Factory/athenix
3
1
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

chore: Run nix fmt
All checks were successful
CI / Format Check (push) Successful in 2s
Details
CI / Flake Check (push) Successful in 1m42s
Details
CI / Evaluate Key Configurations (nix-builder) (push) Successful in 13s
Details
CI / Evaluate Key Configurations (nix-desktop1) (push) Successful in 7s
Details
CI / Evaluate Key Configurations (nix-laptop1) (push) Successful in 8s
Details
CI / Evaluate Artifacts (installer-iso-nix-laptop1) (push) Successful in 22s
Details
CI / Evaluate Artifacts (lxc-nix-builder) (push) Successful in 14s
Details
CI / Build and Publish Documentation (push) Successful in 10s
Details

Browse Source
This commit is contained in:
UGA Innovation Factory
2026-01-30 19:19:38 +00:00
parent 3efba93424
commit 862ae2c864
2 changed files with 37 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
secrets/secrets.nix
View File

@@ -12,7 +12,7 @@ let
# ========== System Public Keys (Age Format) ========== # ========== System Public Keys (Age Format) ==========
# Convert SSH host keys to age format: # Convert SSH host keys to age format:
# ssh-to-age < secrets/{hostname}/ssh_host_ed25519_key.pub # ssh-to-age < secrets/{hostname}/ssh_host_ed25519_key.pub
# Example (replace with actual age keys): # Example (replace with actual age keys):
# nix-builder = "age1..."; # nix-builder = "age1...";
# usda-dash = "age1..."; # usda-dash = "age1...";
@@ -20,7 +20,7 @@ let
# ========== User Public Keys (for editing secrets) ========== # ========== User Public Keys (for editing secrets) ==========
# These are personal age keys for administrators who need to edit secrets # These are personal age keys for administrators who need to edit secrets
# Generate with: age-keygen # Generate with: age-keygen
# Example: # Example:
# admin1 = "age1..."; # admin1 = "age1...";
# admin2 = "age1..."; # admin2 = "age1...";

74
sw/secrets.nix
View File

@@ -24,11 +24,7 @@ let
hostname = config.networking.hostName; hostname = config.networking.hostName;
# Read all directories in ./secrets # Read all directories in ./secrets
secretDirs = secretDirs = if builtins.pathExists secretsPath then builtins.readDir secretsPath else { };
if builtins.pathExists secretsPath then
builtins.readDir secretsPath
else
{ };
# Filter to only directories (excludes files) # Filter to only directories (excludes files)
isDirectory = name: type: type == "directory"; isDirectory = name: type: type == "directory";
@@ -40,25 +36,23 @@ let
let let
dirPath = secretsPath + "/${dirName}"; dirPath = secretsPath + "/${dirName}";
files = builtins.readDir dirPath; files = builtins.readDir dirPath;
# Check if there's a default.nix with custom secret configurations # Check if there's a default.nix with custom secret configurations
hasDefaultNix = files ? "default.nix"; hasDefaultNix = files ? "default.nix";
customConfigs = if hasDefaultNix then import (dirPath + "/default.nix") else { }; customConfigs = if hasDefaultNix then import (dirPath + "/default.nix") else { };
# Only include .age files (exclude .pub public keys and other files) # Only include .age files (exclude .pub public keys and other files)
secretFiles = lib.filterAttrs ( secretFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".age" name) files;
name: type: type == "regular" && lib.hasSuffix ".age" name
) files;
in in
lib.mapAttrs' ( lib.mapAttrs' (
name: _: name: _:
let let
# Remove .age extension for the secret name # Remove .age extension for the secret name
secretName = lib.removeSuffix ".age" name; secretName = lib.removeSuffix ".age" name;
# Get custom config for this secret if defined # Get custom config for this secret if defined
customConfig = customConfigs.${secretName} or { }; customConfig = customConfigs.${secretName} or { };
# Base configuration with file path # Base configuration with file path
baseConfig = { baseConfig = {
file = dirPath + "/${name}"; file = dirPath + "/${name}";
@@ -74,9 +68,7 @@ let
dirPath = secretsPath + "/${dirName}"; dirPath = secretsPath + "/${dirName}";
files = if builtins.pathExists dirPath then builtins.readDir dirPath else { }; files = if builtins.pathExists dirPath then builtins.readDir dirPath else { };
# Only include .pub public key files # Only include .pub public key files
pubKeyFiles = lib.filterAttrs ( pubKeyFiles = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".pub" name) files;
name: type: type == "regular" && lib.hasSuffix ".pub" name
) files;
in in
lib.mapAttrsToList ( lib.mapAttrsToList (
name: _: name: _:
@@ -128,7 +120,7 @@ let
"/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key"
"/etc/age/identity.key" "/etc/age/identity.key"
]; ];
# Combine all paths and remove duplicates # Combine all paths and remove duplicates
allPaths = lib.unique (defaultPaths ++ globalPaths ++ hostPaths); allPaths = lib.unique (defaultPaths ++ globalPaths ++ hostPaths);
in in
@@ -151,29 +143,31 @@ in
}; };
extraSecrets = mkOption { extraSecrets = mkOption {
type = types.attrsOf (types.submodule { type = types.attrsOf (
options = { types.submodule {
file = mkOption { options = {
type = types.path; file = mkOption {
description = "Path to the encrypted secret file"; type = types.path;
description = "Path to the encrypted secret file";
};
mode = mkOption {
type = types.str;
default = "0400";
description = "Permissions mode for the decrypted secret";
};
owner = mkOption {
type = types.str;
default = "root";
description = "Owner of the decrypted secret file";
};
group = mkOption {
type = types.str;
default = "root";
description = "Group of the decrypted secret file";
};
}; };
mode = mkOption { }
type = types.str; );
default = "0400";
description = "Permissions mode for the decrypted secret";
};
owner = mkOption {
type = types.str;
default = "root";
description = "Owner of the decrypted secret file";
};
group = mkOption {
type = types.str;
default = "root";
description = "Group of the decrypted secret file";
};
};
});
default = { }; default = { };
description = '' description = ''
Additional secrets to define manually, beyond the auto-discovered ones. Additional secrets to define manually, beyond the auto-discovered ones.
@@ -205,6 +199,8 @@ in
let let
hasSecrets = (builtins.length (builtins.attrNames applicableSecrets)) > 0; hasSecrets = (builtins.length (builtins.attrNames applicableSecrets)) > 0;
in in
lib.optional (!hasSecrets) "No age-encrypted secrets found in ./secrets/global/ or ./secrets/${hostname}/"; lib.optional (
!hasSecrets
) "No age-encrypted secrets found in ./secrets/global/ or ./secrets/${hostname}/";
}; };
} }