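# Recipient rules for the age-encrypted files under ./secrets, in the
# agenix-style shape: each attribute is a "<path>.age" file and the SSH
# public keys allowed to decrypt it. The file evaluates to a single
# attribute set covering every secret.
let
  # NOTE: <nixpkgs> is resolved through NIX_PATH, so `lib` comes from
  # whatever channel the evaluating machine has; only lib helpers are used.
  pkgs = import <nixpkgs> { };
  inherit (pkgs) lib;

  # Key/host inventory lives in ./var; it only needs lib.
  var = import ./var { inherit lib; };
  ssh-keys = var.ssh-keys;

  # Default recipient set (presumably all root keys — confirm in ./var).
  keys = ssh-keys.root;
  # Narrower recipient set: root keys of the desktop hosts only.
  trusted-keys = ssh-keys.desktops.root;

  # Secrets encrypted to the default recipient set.
  secrets = [
    "hd-password"
    "roam/firefox-sync-secret"
    "roam/forgejo-mailer-password"
    "roam/mullvad-vpn-key"
    "roam/miniflux-admin-creds"
    "roam/nextcloud-admin-password"
    "roam/rclone-conf"
    "tlskey"
  ];

  # Secrets encrypted to the desktop root keys only.
  trusted-secrets = [
    # Can only be decrypted by clients
    "syncthing-password"
  ];

  # Build { "secrets/<name>.age".publicKeys = k; } for every name in s.
  mkSecrets = k: s:
    lib.mergeAttrsList (map (x: { "secrets/${x}.age".publicKeys = k; }) s);

  # One per-host syncthing secret, decryptable only by that host's root key.
  mkSyncthingSecret = client: {
    "secrets/syncthing/${client}.age".publicKeys = [ ssh-keys.by-host.root.${client} ];
  };
  syncthingSecrets =
    lib.mergeAttrsList (map mkSyncthingSecret (lib.attrNames var.syncthing.managed));

  groups = [
    (mkSecrets keys secrets)
    (mkSecrets trusted-keys trusted-secrets)
    syncthingSecrets
  ];
  merged = lib.mergeAttrsList groups;

  # mergeAttrsList lets a later group silently overwrite an earlier one, so a
  # secret path listed in two groups would be encrypted to only the last
  # group's keys. Count the declared paths so such a clash fails evaluation
  # instead of changing who can read the secret.
  declared = lib.foldl' (n: g: n + builtins.length (builtins.attrNames g)) 0 groups;
in
assert lib.assertMsg (builtins.length (builtins.attrNames merged) == declared)
  "secrets.nix: a secret path is declared in more than one recipient group";
merged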