diff --git a/hosts/build02/nixpkgs-update-backup.nix b/hosts/build02/nixpkgs-update-backup.nix
index fe27bdcf6..6d9336045 100644
--- a/hosts/build02/nixpkgs-update-backup.nix
+++ b/hosts/build02/nixpkgs-update-backup.nix
@@ -3,7 +3,7 @@
# 100GB storagebox is attached to the build02 server
age.secrets.hetzner-borgbackup-ssh = {
- file = "${toString inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+ file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
};
systemd.services.borgbackup-job-nixpkgs-update = {
diff --git a/hosts/build02/nixpkgs-update.nix b/hosts/build02/nixpkgs-update.nix
index cc35006e1..f106249f0 100644
--- a/hosts/build02/nixpkgs-update.nix
+++ b/hosts/build02/nixpkgs-update.nix
@@ -6,7 +6,7 @@
...
}:
let
- userLib = import "${toString inputs.self}/users/lib.nix" { inherit lib; };
+ userLib = import "${inputs.self}/users/lib.nix" { inherit lib; };
nixpkgs-update-bin = "/var/lib/nixpkgs-update/bin/nixpkgs-update";
diff --git a/hosts/web02/secrets.yaml b/hosts/web02/secrets.yaml
deleted file mode 100644
index bacd24b43..000000000
--- a/hosts/web02/secrets.yaml
+++ /dev/null
@@ -1,68 +0,0 @@ -nix-community-matrix-bot-token: ENC[AES256_GCM,data:p9sQnsEIJEGi6AYLxemCN/zkf+lx6dEjrIVfFD28DWtOvCxIy7QKImWIMsbOjWHW/0sjHQYoGwDBrrBzpYed3+AK38J+WEnCi6MSGQ==,iv:BdV3bMjuXFLFTvcXLL/2l08qonIXHFtUvpj2QM0n3Ws=,tag:EhCwGinqZZuLa5CIpCaKeA==,type:str] -nginx-basic-auth-file: ENC[AES256_GCM,data:andS+j0bOp4m7Xty1RuAmyNGz36rUChhl4dtY+mvguHzei2lYDfdZWilx2VUFT5mmsWCeyrT5otVVg==,iv:BuawT6dsaI6s/vXbfG2HijUBzHec2D47w8KRj6Bba2Y=,tag:PjkfdKhjWmP6+NKFGEPijg==,type:str] -nginx-basic-auth-password: ENC[AES256_GCM,data:ne6h4KoBo7dNkrKhe4thFkgE/EmIOkfzDh0Bag==,iv:ZsHANsb6PI4a84K81fM1PHtPPa0mi8nYLfh1A9CbaqY=,tag:IYQyFasarwh/EPZ3iUNX3Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age158v8dpppnw3yt2kqgqekwamaxpst5alfrnvvt7z36wfdk4veydrsqxc2tl - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtTHNIYkY2eE1rWnVDVlk1 - ZXg0ZFJEQ0JlNEYwOFZRNUh3K0I5L2lKNkFrCkl1c01YNDZobHM2djhSdGEyVklL - V1I0UzRqY0hxUm1oajZNZXB0a2JyeGsKLS0tIDlPUU1XVStkZUppM09NclkyRDFu - UC80VU01SS96dytmWkdHeHBkZzlsT2sKTbRmdfN5l3tFqi0bXQ5FQheunbabSBZ4 - bGpju602wejkNx9L3rmHQCVTkRncr4UqYVeezRLq8rdBsPePsssYnQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTHR5Zm0yR1crQi9ITjQx - Zlh2SXpnN1pmSGRseHFRTzhKMFhNL0h5d0hBCm0vQWNmSVhaTm4yN3pVeHhZbk5r - ZE9zM2VXSU9RV2IzMXlQNFFhNXZGeEkKLS0tIC9JNm9VVEFZM0FPSjJSS2VkbkVD - THNidzhQempPdmQzdklKSUJlTThjaXMKJ1DzntjD0Zca0NVNUIcMj1gAErnFqcfi - 1f7w5PLIJZ0zTR+c2ozAYj+O/lD6cxA9q3cgdkFJRDIG/UP0sHuQ+w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1d87z3zqlv6ullnzyng8l722xzxwqr677csacf3zf3l28dau7avfs6pc7ay - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbUJ4RGVKcFFHeUUwTC8x - Sy9rUjg1elo2eW9kNmw4RklCbVRNUjdQQXpnCjBzQ1p3VDFxUkdyeXZLVUNta2l6 - 
dmtLYUE2L29ueFp1OWtHRHB6SCtvekkKLS0tIFc0a3EzengwR1cwekxqeEQ4YWhn - T21CNzNCU2NqeWwzMEw4UkJjcnlSd0UKf+1tn7/+0+RDWU0PLk2zGqOaXNLnhqK9 - IhvbJrI+/dsY7fsPxR9c+p3z8TFltb3Q0jgUlmcujQ1VyTJB9qiu2Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybHRHZUU0dEFzdXIxQWtL - RGRKZm9uWVRWd0tDTDVPdFJGT1liY01HbUI4CkY3SFFwS1Y2UGprUDhkdlFibXBT - MWZUbDdEb2JBZ2x1VFJsWVVtZUY5NXcKLS0tIDdTY21jc2llM3ZoeUhpbzBnMTFQ - am5LMVgyVGRhdnRVUjZ6QlFWbDVTWE0KF6gctt/6t9WGhNQMXdfk+KctwUYKnEGq - ed+xCZ7flm2ifY3l8baaX1jVaYU56xsNnhNGyxVzfgbDOXnlPEcN+w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1m7xhem3qll35d539f364pm6txexvnp6k0tk34d8jxu4ry3pptv7smm0k5n - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ1dDQVZLN3RCYVo5bkFm - ZkZYNlUwYU9adnZqck5kYjM4OHAwSWtta2c4CmltckJnRTZnR2VVSnZjYnZwQnFB - OXJkZHpkSVdFN29qMkZ2c2JzcFB6OTgKLS0tIHY5SVB3TGp6L2txeU1YUmJBNitr - dFIwN1BIb1dWc1hPZUYxWU9ob0xVR28KnsuH74n4c0beUwyAoN6j4BbUYUFRmJA2 - 6RFl032mjGu/k2eeGc5gV8CqBtyOTualqWt9P/+efWrVT4p1FMsbDg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dzvjjum2p240qtdt2qcxpm7pl2s5w36mh4fs3q9dhhq0uezvdqaq9vrgfy - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsZmxhWFZ1WE5adXhlaUpp - cno1VDBtY0I4Q253UW9SaUc3UzZyc0tyamtVClprLzkvOCthanRha3JGWU85YmVh - OTFLSldvREhiNFk0TU9ZTW5rd25oN0kKLS0tIEFMbXBlaWNQQWJqYUlJRi9ZcW84 - QnJZZzN1a1M5b1dwa3hvL3ZHYkpxQUkK1g9sQB0UHl9coaznjIn4WDpQv21Y8cl9 - LNqnv0Q6KrxNliq2JEJoEpjD5+xTcqV/5FgylKhtdNWUZ0eAX8taog== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-30T03:19:37Z" - mac: 
ENC[AES256_GCM,data:TScUSdUv+SEG2MJ5MdCP7/zuCDG857erbLYG1Vp3/4d3Pvq//Jp5nVtnFSw9Y63Do/r1gzfmiU/B4HFbn40hVo7+/KjKOl8wb9qUheh2UaW+m+gd05mDjjQvrnTVjJJ8/Rj4/kFYvYzsPag8KY37CG0dBqiE7esyk9hUf7kv/4w=,iv:gCsM4oGq0zAR1r0E5xeKAGezXSyh9Eqho/rsU+3x3E8=,tag:A/0KP15zdJUpS3fc9z6/0A==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/modules/darwin/hercules-ci.nix b/modules/darwin/hercules-ci.nix
index ede2ddf83..a68140ba8 100644
--- a/modules/darwin/hercules-ci.nix
+++ b/modules/darwin/hercules-ci.nix
@@ -1,14 +1,14 @@
{ config, inputs, ... }:
{
age.secrets.hercules-binary-caches = {
- file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+ file = "${inputs.self}/secrets/hercules-binary-caches.age";
mode = "600";
owner = "_hercules-ci-agent";
group = "_hercules-ci-agent";
};
age.secrets.hercules-cluster-join-token = {
- file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+ file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
mode = "600";
owner = "_hercules-ci-agent";
group = "_hercules-ci-agent";
diff --git a/modules/nixos/common/sops-nix.nix b/modules/nixos/common/sops-nix.nix
index 6858440ea..1e1e81a17 100644
--- a/modules/nixos/common/sops-nix.nix
+++ b/modules/nixos/common/sops-nix.nix
@@ -5,7 +5,7 @@
...
}:
let
- defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
+ defaultSopsPath = "${inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
in
{
imports = [
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 29f321abd..9f116ac42 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,7 +1,7 @@
{ inputs, lib, ... }:
let
- usersDir = "${toString inputs.self}/users";
+ usersDir = "${inputs.self}/users";
userImports = let
toUserPath = f: usersDir + "/${f}";
diff --git a/modules/nixos/github-org-backup.nix b/modules/nixos/github-org-backup.nix
index 9de2c55e1..469868ebc 100644
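Review bot: `defaultSopsPath` still derives every host's sops file from `config.networking.hostName`, yet this same commit deletes `hosts/web02/secrets.yaml` and moves web02's remaining secrets to agenix, so on web02 the default path now names a file that no longer exists in the flake source. Whether that breaks evaluation depends on whether sops-nix validates the default file when no `sops.secrets` are declared on that host — please confirm, and if it does, guard the place where `defaultSopsPath` is consumed with `builtins.pathExists defaultSopsPath` (that consumer is outside the hunk). A short comment above the binding, such as `# per-host sops file; hosts fully migrated to agenix may not have one`, would record the expectation for the next migration. The enclosing `let … in { imports = [` block continues outside the hunk.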
--- a/modules/nixos/github-org-backup.nix
+++ b/modules/nixos/github-org-backup.nix
@@ -32,7 +32,7 @@
};
age.secrets.hetzner-borgbackup-ssh = {
- file = "${toString inputs.self}/secrets/hetzner-borgbackup-ssh.age";
+ file = "${inputs.self}/secrets/hetzner-borgbackup-ssh.age";
};
systemd.services.borgbackup-job-github-org = {
diff --git a/modules/nixos/hercules-ci.nix b/modules/nixos/hercules-ci.nix
index 6f7a88aaa..5d5d00658 100644
--- a/modules/nixos/hercules-ci.nix
+++ b/modules/nixos/hercules-ci.nix
@@ -1,17 +1,17 @@
{ config, inputs, ... }:
{
age.secrets.hercules-binary-caches = {
- file = "${toString inputs.self}/secrets/hercules-binary-caches.age";
+ file = "${inputs.self}/secrets/hercules-binary-caches.age";
owner = "hercules-ci-agent";
};
age.secrets.hercules-cluster-join-token = {
- file = "${toString inputs.self}/secrets/hercules-cluster-join-token.age";
+ file = "${inputs.self}/secrets/hercules-cluster-join-token.age";
owner = "hercules-ci-agent";
};
age.secrets.hercules-secrets = {
- file = "${toString inputs.self}/secrets/hercules-secrets.age";
+ file = "${inputs.self}/secrets/hercules-secrets.age";
owner = "hercules-ci-agent";
};
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index dd41c545d..18592b7dc 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -8,12 +8,15 @@
./telegraf.nix
];
- sops.secrets.nginx-basic-auth-file.owner = "nginx";
+ age.secrets.nginx-basic-auth-file = {
+ file = "${inputs.self}/secrets/nginx-basic-auth-file.age";
+ owner = "nginx";
+ };
services.nginx.virtualHosts."monitoring.nix-community.org" = {
locations."/".return = "302 https://nix-community.org/monitoring";
locations."/alertmanager/" = {
- basicAuthFile = config.sops.secrets.nginx-basic-auth-file.path;
+ basicAuthFile = config.age.secrets.nginx-basic-auth-file.path;
proxyPass = "http://localhost:9093/";
};
locations."/prometheus/".proxyPass = "http://localhost:9090/";
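Review bot: The new `age.secrets.nginx-basic-auth-file` block in monitoring/default.nix references `inputs`, but the module's argument set lies above the hunk and the commit does not show `inputs` being added to it, unlike matrix-hook.nix in this same commit which adds it explicitly; if `inputs` is not already bound there, evaluation fails with an undefined-variable error. The declaration also leaves `mode` at the agenix default (owner-only read, as far as I recall — verify), which is what an htpasswd file consumed by nginx needs, but nothing says so; suggest `# default mode: only the nginx user needs to read the htpasswd file` above `owner = "nginx";`. The enclosing module continues outside the hunk.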
diff --git a/modules/nixos/monitoring/matrix-hook.nix b/modules/nixos/monitoring/matrix-hook.nix
index 28b93e39b..cc3f5e2eb 100644
--- a/modules/nixos/monitoring/matrix-hook.nix
+++ b/modules/nixos/monitoring/matrix-hook.nix
@@ -1,9 +1,16 @@
-{ config, pkgs, ... }:
+{
+ config,
+ inputs,
+ pkgs,
+ ...
+}:
let
matrixHook = pkgs.matrix-hook;
in
{
- sops.secrets.nix-community-matrix-bot-token = { };
+ age.secrets.nix-community-matrix-bot-token = {
+ file = "${inputs.self}/secrets/nix-community-matrix-bot-token.age";
+ };
users.users.matrix-hook = {
isSystemUser = true;
@@ -27,7 +34,7 @@ in
serviceConfig = {
Type = "simple";
ExecStart = "${matrixHook}/bin/matrix-hook";
- EnvironmentFile = [ config.sops.secrets.nix-community-matrix-bot-token.path ];
+ EnvironmentFile = [ config.age.secrets.nix-community-matrix-bot-token.path ];
Restart = "always";
RestartSec = "10";
User = "matrix-hook";
diff --git a/secrets.yaml b/secrets.yaml
index 603bc1636..a6a1e2300 100644
--- a/secrets.yaml
+++ b/secrets.yaml
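Review bot: `age.secrets.nix-community-matrix-bot-token` declares only `file`, so the decrypted token keeps agenix's default owner and mode rather than being handed to the `matrix-hook` user; that works because `EnvironmentFile` is read by the service manager before the switch to `User = "matrix-hook"`, but nothing in the file records that the tighter default is deliberate. Suggest `# root-owned on purpose: systemd reads EnvironmentFile before dropping to User = matrix-hook` above the block, so nobody later adds `owner = "matrix-hook"` to "fix" it. The rest of the service definition sits between the two hunks.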
@@ -8,6 +8,7 @@ accounts: - name: ENC[AES256_GCM,data:BGA/HMgie64=,iv:c+utmChiZA73GRS4uzZDyfdU+DZaDpB3WljC2uye8o0=,tag:lr1w5TWr05lpfBNLK0Swxw==,type:str] totpsecret: ENC[AES256_GCM,data:Q5aJq9sLmW/0oMIgy4FErA==,iv:cFhVj/QV4tMjvB/Y8ExOSSLArvjxCV8+39YtMaADK04=,tag:aPJFH7WhaBYAW7eYsGzGYg==,type:str] emergency_access_password: ENC[AES256_GCM,data:ELpkrEQjFQwDicz3WeJoivrZBAWeAKkfFg==,iv:rzbKvnS5IBjUCCT2NAHINZs60F0jrRPJvZ1wnBa6xkI=,tag:hWax9+gTRhuhtIikP/jO/Q==,type:str] +nginx-basic-auth-password: ENC[AES256_GCM,data:THXCfzuXXEsEARk1Hz4eEtzqqzzbf/IF0hHy,iv:mvOu8CSomzUYzpt1PkhSeBMgwHluUtTQZHozi6Am+RM=,tag:itQJu7Dp/N48BJMYTleuqw==,type:str] ssh_host_ed25519_key: build01: ENC[AES256_GCM,data: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,iv:ksSPKFNHdy646BU2x0fr6ey+kif1jpPhlsQ5Kmxjqd4=,tag:2SL/1x4/9LoNqfHPMk8H8Q==,type:str] build02: ENC[AES256_GCM,data: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,iv:cQERNZJUQ0TJW0pbEzJF6O+1Idkt2e+I06+Kjygr4lk=,tag:2X4KhuEd/0153sCT7qeyqQ==,type:str] @@ -111,8 +112,8 @@ sops: MkcvL1JyVFBJV0Y5RFFCMGN1OUFXdU0Kdx1wy6ZOOTg1a6VKaq52SMBvC26lMsW/ oMP+hmXc2WtoqZp+jZ9rrXz6cZW6/dO7CPqxl3aUEKg6BkXIwgyKeg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-16T07:30:20Z" - mac: ENC[AES256_GCM,data:nzK1E2M4gnsY/z6KG8uMsOau+Q96u/gRmXue9jA0BKEErEWA2AYg5p9Ig+pRWwhq1BdEN9PbjKBmuEmSTWdfFijbM7NaRSHelpUIccfoiMMW51/MHFiEMt7euCLE2i9O7q1Vx7br+NaHu+fqctrx1ikOXaWNhM6Q6NJ1NY0Z5dU=,iv:1S1NsVtILala9zBFMfEqxpokscpPW+Frq+T1qyrmVYI=,tag:87SYZkvSdqYldcVJnnw2/A==,type:str] + lastmodified: "2024-10-26T00:28:59Z" + mac: ENC[AES256_GCM,data:Ds3v0YTPxlpV+QTtRs1Lq3LyvnVXVU4Hp37mGOwrAgD76ek19dyMPVeJu1Q9QZwYcoSrq7GccQvo/GfTM+WVxW48B3aH+qeUye9RcdV6SYLmtQANhUyyBQurzyN7sJt2qyOWsE/VpF3NViUMkVYhLqwd/wYIiaEVmCaEpkjHp38=,iv:Vhoj+Vm8n8VcQZhmGOZU9OVZ0S+VxrZEZ178yx8aezk=,tag:D4p7Az+LqC7eQkI2QIyVfA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.9.1 
diff --git a/secrets/nginx-basic-auth-file.age b/secrets/nginx-basic-auth-file.age new file mode 100644 index 000000000..83ac83aef --- /dev/null +++ b/secrets/nginx-basic-auth-file.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 meza2g tOhoYzkG+lCD2ONeWe32iOT+qCOvFFM2MOSTMw86ck4 +N4xw2JWB0BvQy12lIb1CS4QifkiFCHHHYBep9XzhpFI +-> ssh-rsa ALNSWw +lzYsNzDw+FQRwcgk2ezjfw4fr5PundiR+As4Xa/OCsHFZa94QVhBVlFzgtB5nO8s +wnoENRSQIkYqzJtGxAF8VGOvGpOsuIxNLNy/AvN4YeXYVvhPlpZjRmkCKpWG2r1w +gprc+2VdUVjeUJiWYYhCZdn62yMXS0HI+aC8eLghtovl4dhWKh4sq8SMlNtzHLKZ +D1nLY2rDNM+u00NEMMTOr879zfp4LHAsaol0HJrc3BnC1KmyYFd4dTivwVEU1X/r +jw+mv8duQrbXJHckf8si7GuwQxsA0eDxKQb0y8F2hIMAkmAUMsvrJF0kyPS3UGyp +qkby51wMLIOzzvcrgJ9KJQ +-> ssh-ed25519 Qi7vNw hiomOFHJB1MuK7rf6x6lDr6CvTMo3CN9x4/rYov6lD4 +ILX7g5TugewxzJuHF3Og06135rohMLs+vhnrcGlTO6s +-> ssh-ed25519 MW0fCg 5gofg/CnnH3aI7WnAMqHd5P7Gvyb9XV8M7v1FF8TdXU +wwLUGvVGngz1rMZa0eIVSwf0TmUqQHTPjZDgubtoMgk +-> ssh-ed25519 92bXiA OcbjXruCXI43g/mJC/I65m7I/p04OHNWUXZuFa2vUEM +5+NimqArjB+cbSNMh53LUmmBlXiecjdjcilS9zYVE2w +-> ssh-ed25519 h1lenA mtoPhHkVeGkSwirRAvcfHgwdZrmWalB8KEwBFfix2xE +FyCMnN2MzQmuCjYF+cElRl1wAPumz8mAgJFzMcUXfk0 +--- u5BHJScdFfK3/JdJs5dLFGTGUmX0wPAo5jra3cmYI1c +`2Λ κw̐b3f6y:1qiA 9GwWeS鯙m~ף,f%=QO6 \ No newline at end of file diff --git a/secrets/nix-community-matrix-bot-token.age b/secrets/nix-community-matrix-bot-token.age new file mode 100644 index 000000000..080c7efe7 Binary files /dev/null and b/secrets/nix-community-matrix-bot-token.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e61242723..f175de626 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,16 +1,12 @@
let
- adisbladis = builtins.readFile ../users/keys/adisbladis;
- mic92 = builtins.readFile ../users/keys/mic92;
- ryantm = builtins.readFile ../users/keys/ryantm;
- zimbatm = builtins.readFile ../users/keys/zimbatm;
- zowoq = builtins.readFile ../users/keys/zowoq;
+ users = map (name: builtins.readFile ../users/keys/${name}) userNames;
- users = [
- adisbladis
- mic92
- ryantm
- zimbatm
- zowoq
+ userNames = [
+ "adisbladis"
+ "mic92"
+ "ryantm"
+ "zimbatm"
+ "zowoq"
];
inherit ((import ../modules/shared/known-hosts.nix).programs.ssh) knownHosts;
@@ -19,24 +15,35 @@ let
build03 = knownHosts.build03.publicKey;
build04 = knownHosts.build04.publicKey;
darwin02 = knownHosts.darwin02.publicKey;
+ web02 = knownHosts.web02.publicKey;
+
+ secrets = {
+ hercules-binary-caches = [
+ build03
+ build04
+ darwin02
+ ];
+ hercules-cluster-join-token = [
+ build03
+ build04
+ darwin02
+ ];
+ # hercules-secrets are only needed on linux
+ hercules-secrets = [
+ build03
+ build04
+ ];
+ hetzner-borgbackup-ssh = [
+ build02
+ build03
+ ];
+ nginx-basic-auth-file = [ web02 ];
+ nix-community-matrix-bot-token = [ web02 ];
+ };
in
-{
- "hercules-binary-caches.age".publicKeys = users ++ [
- build03
- build04
- darwin02
- ];
- "hercules-cluster-join-token.age".publicKeys = users ++ [
- build03
- build04
- darwin02
- ];
- "hercules-secrets.age".publicKeys = users ++ [
- build03
- build04
- ]; # hercules-secrets are only needed on linux
- "hetzner-borgbackup-ssh.age".publicKeys = users ++ [
- build02
- build03
- ];
-}
+builtins.listToAttrs (
+ map (secretName: {
+ name = "${secretName}.age";
+ value.publicKeys = secrets."${secretName}" ++ users;
+ }) (builtins.attrNames secrets)
+)
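Review bot: `value.publicKeys = secrets."${secretName}" ++ users;` in the second hunk uses a quoted, interpolated attribute path where plain `secrets.${secretName}` reads identically and is the idiomatic form. The new `secrets` set also deserves a header comment, because its lists hold only host keys while the `listToAttrs` mapping at the bottom appends every key in `users` to every secret unconditionally — e.g. `# host keys per secret; the admin keys in users are appended to all of them below`. That comment should say explicitly that this layout cannot express a host-only secret, since the set is now the only place a reader would look to find out who can decrypt what. `build02` and the `users`/`userNames` bindings consumed here are defined in the first hunk or outside this one.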