Refactor imports and secrets. Add per system properties and role based secret access.

Highlights - No need to update flake for every machine anymore, just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets automatically are grouped and show up in agenix secrets.nix - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now competely isolated into each machine's directory. - Safety checks to ensure no mixing of luks unlocking secrets and hosts with primary ones. - SSH pubkeys no longer centrally stored but instead per machine where the private key lies for better cleanup.
2023-04-20 22:01:21 -06:00
parent a02775a234
commit 71baa09bd2
42 changed files with 632 additions and 383 deletions
--- a/machines/ponyo/configuration.nix
+++ b/machines/ponyo/configuration.nix
--- a/machines/ponyo/properties.nix
+++ b/machines/ponyo/properties.nix
@@ -0,0 +1,28 @@
+{
+  hostNames = [
+    "ponyo"
+    "ponyo.neet.dev"
+    "git.neet.dev"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "server"
+    "email-server"
+    "iodine"
+    "pia"
+    "nextcloud"
+    "dailybot"
+    "gitea"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";
+
+  remoteUnlock = {
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9LQuuImgWlkjDhEEIbM1wOd+HqRv1RxvYZuLXPSdRi";
+
+    clearnetHost = "unlock.ponyo.neet.dev";
+    onionHost = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
+  };
+}