longer-term, i want hosts/by-name to define host-specific data that's accessible via the other hosts (things like pubkeys). also the secrets management needs some rethinking. there's really not much point in me specifying where *exactly* a secret comes from at its use site. i should really be specifying secret store manifests; i.e. "servo.yaml contains secrets X Y and Z", and leaving the rest up to auto-computing.
{ config, lib, sane-data, sane-lib, ... }:
let
  inherit (builtins) mapAttrs;
  inherit (lib) concatStringsSep forEach init last mkIf mkMerge reverseList;

  # Turn a DNS-style attribute path into an ssh-style key name:
  #   [ "org" "uninsane" "root" ] -> "root@uninsane.org"
  # The final element is the user; the preceding elements, read leaf-to-root,
  # form the host.  `path` is expected to have at least one element
  # (`last` fails on an empty list).
  keyNameForPath = path:
    "${last path}@${concatStringsSep "." (reverseList (init path))}";

  # Both lists below are flattened to [{ path :: [String], value :: String }]
  # by sane-lib.flattenAttrs.

  # Keys declared statically in sane-data.keys.
  globalKeys = sane-lib.flattenAttrs sane-data.keys;

  # One user key and one host key per host under config.sane.hosts.
  # Either may be null; null entries are dropped when merged below.
  perHostKeys = host: cfg: {
    colin = cfg.ssh.user_pubkey;
    root = cfg.ssh.host_pubkey;
  };
  domainKeys = sane-lib.flattenAttrs (mapAttrs perHostKeys config.sane.hosts);

  # Each flattened key becomes a single-entry attrset keyed by its
  # "user@host" name.  mkMerge (rather than listToAttrs) is used so the
  # module system combines the entries and honours the mkIf on each value.
  pubkeyEntry = { path, value }: {
    "${keyNameForPath path}" = mkIf (value != null) value;
  };
in
{
  sane.ssh.pubkeys = mkMerge (forEach (globalKeys ++ domainKeys) pubkeyEntry);
}