secrets: list secrets used on host explicitly
parent
8881850730
commit
096c2abb02
|
@ -9,6 +9,8 @@
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
|
||||||
./home.nix
|
./home.nix
|
||||||
|
|
||||||
|
./secrets.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
|
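--- /dev/null
+++ b/hosts/boreal/secrets.nix
@@ -0,0 +1,19 @@
+{ config, lib, options, ... }:
+
+{
+config.age = {
+secrets =
+let
+toSecret = name: { ... }@attrs: {
+file = ./../../modules/secrets + "/${name}.age";
+} // attrs;
+in
+lib.mapAttrs toSecret {
+"restic-backup/boreal-credentials" = {};
+"restic-backup/boreal-password" = {};
+
+"users/alarsyo-hashed-password" = {};
+"users/root-hashed-password" = {};
+};
+};
+}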
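Review bot: `config` and `options` are bound in the new file's argument set on its first line but never used — only `lib` is referenced — so the header can shrink to `{ lib, ... }:`; the same applies to hosts/zephyrus/secrets.nix below, which is otherwise identical apart from the secret names. The `toSecret` helper is also duplicated verbatim between the two host files, and since both resolve the same relative path into `modules/secrets`, one shared definition there would leave each host file as just the attribute list. With every entry declared as `{}`, the removed `userIfExists` guard no longer has anything to check and each secret falls back to agenix's defaults (root-owned, mode 0400 as far as I recall), which looks right for hashed-password and backup-credential files consumed by root, though that is inferred from the names; a comment such as `# all secrets use agenix defaults (root, 0400); pass owner/mode here when a service runs as its own user` above the attribute set would record that this is deliberate.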
@ -8,6 +8,7 @@
|
||||||
[ # Include the results of the hardware scan.
|
[ # Include the results of the hardware scan.
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./home.nix
|
./home.nix
|
||||||
|
./secrets.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.kernelPackages = pkgs.linuxPackages;
|
boot.kernelPackages = pkgs.linuxPackages;
|
||||||
|
|
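--- /dev/null
+++ b/hosts/zephyrus/secrets.nix
@@ -0,0 +1,19 @@
+{ config, lib, options, ... }:
+
+{
+config.age = {
+secrets =
+let
+toSecret = name: { ... }@attrs: {
+file = ./../../modules/secrets + "/${name}.age";
+} // attrs;
+in
+lib.mapAttrs toSecret {
+"restic-backup/zephyrus-credentials" = {};
+"restic-backup/zephyrus-password" = {};
+
+"users/alarsyo-hashed-password" = {};
+"users/root-hashed-password" = {};
+};
+};
+}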
@ -2,21 +2,6 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
config.age = {
|
config.age = {
|
||||||
secrets =
|
|
||||||
let
|
|
||||||
toName = lib.removeSuffix ".age";
|
|
||||||
userExists = u: builtins.hasAttr u config.users.users;
|
|
||||||
# Only set the user if it exists, to avoid warnings
|
|
||||||
userIfExists = u: if userExists u then u else "root";
|
|
||||||
toSecret = name: { owner ? "root", ... }: {
|
|
||||||
file = ./. + "/${name}";
|
|
||||||
owner = lib.mkDefault (userIfExists owner);
|
|
||||||
};
|
|
||||||
convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
|
|
||||||
secrets = import ./secrets.nix;
|
|
||||||
in
|
|
||||||
lib.mapAttrs' convertSecrets secrets;
|
|
||||||
|
|
||||||
identityPaths = options.age.identityPaths.default ++ [
|
identityPaths = options.age.identityPaths.default ++ [
|
||||||
"/home/alarsyo/.ssh/id_ed25519"
|
"/home/alarsyo/.ssh/id_ed25519"
|
||||||
];
|
];
|
||||||
|
|