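{
  lib,
  pkgs,
  config,
  ...
}:
let
  inherit (lib) mkOption;

  # SSH public keys of every configured user. Each is converted to an age
  # recipient below so those users can decrypt the matching sops paths.
  userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;

  # SSH host public key of the "liam" known host; converted to an age
  # recipient for the secrets/liam/ rule.
  liamKey = config.vacu.ssh.knownHosts.liam.publicKey;

  ssh-to-age = lib.getExe pkgs.ssh-to-age;

  # Generates the sops creation-rules file at build time. Only *public* SSH
  # keys are handled here (ssh-to-age maps them to age recipients), so no
  # secret material enters the derivation or the build log.
  #
  # NOTE(review): the YAML indentation inside the heredocs and the echo lines
  # was reconstructed from a whitespace-mangled rendering — confirm the
  # nesting under "age:" against the built sops.yaml.
  sopsConfig =
    pkgs.runCommand "sops.yaml" { env.sshUserKeys = lib.concatStringsSep "\n" userKeys; } ''
      # pipefail: `set -e` alone does not fail the build when ssh-to-age
      # fails on the left side of a pipe.
      set -xe -o pipefail

      # escapeShellArg keeps a host key containing shell metacharacters from
      # breaking (or being interpreted by) the script.
      liamKey="$(printf '%s\n' ${lib.escapeShellArg liamKey} | ${ssh-to-age})"

      # Convert the user keys to a file first instead of inside a process
      # substitution: a failure inside `< <(...)` is invisible to `set -e`
      # and would silently yield an empty or partial recipient list.
      ${ssh-to-age} <<< "$sshUserKeys" > user-age-keys
      declare -a userKeys
      mapfile -t userKeys < user-age-keys
      # Echo the resolved recipients into the build log for debugging.
      declare -p userKeys

      cat <<END >> "$out"
      creation_rules:
        - path_regex: ^secrets/misc/
          key_groups:
            - age:
      END
      for k in "''${userKeys[@]}"; do
        echo "          - $k" >> "$out"
      done

      cat <<END >> "$out"
        - path_regex: ^secrets/liam/
          key_groups:
            - age:
                - $liamKey
      END
      for k in "''${userKeys[@]}"; do
        echo "          - $k" >> "$out"
      done

      # Fixed test-only recipient taken from the original file; the matching
      # private key is expected to live with the test secrets.
      cat <<END >> "$out"
        - path_regex: ^tests/test_secrets
          key_groups:
            - age: age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
      END
    '';
in
{
  # Read-only: the file is fully derived from the ssh user/host key options
  # above, so consumers cannot override it with hand-written rules.
  options.vacu.sopsConfig = mkOption {
    readOnly = true;
    default = sopsConfig;
    description = "Generated sops creation-rules file (sops.yaml) derived from the configured SSH user and host keys.";
  };
}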