refactor: move from den based to flake-parts based
This commit is contained in:
+48
-75
@@ -1,85 +1,58 @@
|
||||
{ den, inputs, lib, ... }:
|
||||
{
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
sopsReadersGroup = "sops-users";
|
||||
sopsAdminKeyPath = "/var/lib/sops/keys.txt";
|
||||
in
|
||||
{
|
||||
den.ctx.host.includes = [
|
||||
(den.lib.perHost (
|
||||
{ host, ... }:
|
||||
let
|
||||
missingAdminUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sopsAdminKeyUsers;
|
||||
hasSharedAdminKey = host.sopsAdminKeyPath != null && host.sopsAdminKeyUsers != [ ];
|
||||
adminKeyDir = if host.sopsAdminKeyPath == null then null else builtins.dirOf host.sopsAdminKeyPath;
|
||||
in
|
||||
{
|
||||
nixos = {
|
||||
imports = [ inputs.sops-nix.nixosModules.sops ];
|
||||
flake.modules.nixos.sopsHost =
|
||||
{
|
||||
lib,
|
||||
host ? {
|
||||
isServer = false;
|
||||
},
|
||||
...
|
||||
}:
|
||||
let
|
||||
useHostSshKey = host.isServer;
|
||||
useAdminKeyFile = !host.isServer;
|
||||
adminKeyDir = builtins.dirOf sopsAdminKeyPath;
|
||||
in
|
||||
{
|
||||
imports = [ inputs.sops-nix.nixosModules.sops ];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
age =
|
||||
if host.sopsHostSshKeyPath != null then
|
||||
{
|
||||
sshKeyPaths = [ host.sopsHostSshKeyPath ];
|
||||
}
|
||||
else
|
||||
{
|
||||
keyFile = host.sopsAdminKeyPath;
|
||||
};
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
age =
|
||||
lib.optionalAttrs useHostSshKey {
|
||||
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
}
|
||||
// lib.optionalAttrs useAdminKeyFile {
|
||||
keyFile = sopsAdminKeyPath;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = lib.optionalAttrs hasSharedAdminKey {
|
||||
${sopsReadersGroup} = { };
|
||||
};
|
||||
systemd.tmpfiles.rules = lib.optionals useAdminKeyFile [
|
||||
"d ${adminKeyDir} 0750 root wheel -"
|
||||
"z ${sopsAdminKeyPath} 0640 root wheel -"
|
||||
];
|
||||
};
|
||||
|
||||
users.users = lib.genAttrs host.sopsAdminKeyUsers (_: {
|
||||
extraGroups = [ sopsReadersGroup ];
|
||||
});
|
||||
flake.modules.homeManager.sopsAdmin =
|
||||
{
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [ inputs.sops-nix.homeManagerModules.sops ];
|
||||
|
||||
systemd.tmpfiles.rules = lib.optionals hasSharedAdminKey [
|
||||
"d ${adminKeyDir} 0750 root ${sopsReadersGroup} -"
|
||||
"z ${host.sopsAdminKeyPath} 0640 root ${sopsReadersGroup} -"
|
||||
];
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
age.keyFile = sopsAdminKeyPath;
|
||||
};
|
||||
|
||||
assertions = [
|
||||
{
|
||||
assertion = host.sopsAdminKeyUsers == [ ] || host.sopsAdminKeyPath != null;
|
||||
message = "Hosts with sopsAdminKeyUsers must set sopsAdminKeyPath.";
|
||||
}
|
||||
{
|
||||
assertion = missingAdminUsers == [ ];
|
||||
message =
|
||||
"All sopsAdminKeyUsers must exist on the host. Missing: "
|
||||
+ lib.concatStringsSep ", " missingAdminUsers;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
))
|
||||
];
|
||||
|
||||
den.ctx.user.includes = [
|
||||
(den.lib.perUser (
|
||||
{ host, user, ... }:
|
||||
if builtins.elem user.userName host.sopsAdminKeyUsers then
|
||||
{
|
||||
homeManager =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
imports = [ inputs.sops-nix.homeManagerModules.sops ];
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
age.keyFile = host.sopsAdminKeyPath;
|
||||
};
|
||||
|
||||
home.sessionVariables.SOPS_AGE_KEY_FILE = host.sopsAdminKeyPath;
|
||||
|
||||
home.packages = [ pkgs.sops ];
|
||||
};
|
||||
}
|
||||
else
|
||||
{ }
|
||||
))
|
||||
];
|
||||
home.sessionVariables.SOPS_AGE_KEY_FILE = sopsAdminKeyPath;
|
||||
home.packages = [ pkgs.sops ];
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user