Refactor imports and secrets. Add per system properties and role based secret access.

Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.
2023-04-20 22:01:21 -06:00
parent a02775a234
commit 71baa09bd2
42 changed files with 632 additions and 383 deletions
--- a/machines/phil/configuration.nix
+++ b/machines/phil/configuration.nix
--- a/machines/phil/properties.nix
+++ b/machines/phil/properties.nix
@@ -0,0 +1,19 @@
+{
+  hostNames = [
+    "phil"
+    "phil.neet.dev"
+  ];
+
+  arch = "aarch64-linux";
+
+  systemRoles = [
+    "server"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN";
+    clearnetHost = "unlock.phil.neet.dev";
+  };
+}