Highlights - No need to update the flake for every machine anymore; just add a properties.nix file. - Roles are automatically generated from all machine configurations. - Roles and their secrets are automatically grouped and show up in the agenix secrets.nix. - Machines and their service configs may now query the properties of all machines. - Machine configuration and secrets are now completely isolated in each machine's directory. - Safety checks ensure no mixing of LUKS-unlocking secrets and hosts with primary ones. - SSH pubkeys are no longer stored centrally but per machine, where the private key lies, for better cleanup.
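{ config, lib, ... }:

# Aggregates the SSH public keys that every machine declares for itself
# (under config.machines.hosts.<name>) into a few convenience options under
# config.machines.ssh, so services and secret definitions can refer to
# "all user keys" or "all host keys of role X" without listing machines.
let
  machines = config.machines;

  # Concatenate the list stored under attribute `keyType` (e.g. "userKeys")
  # of every host, in the attribute-name order of machines.hosts.
  # NOTE(review): every host is expected to define that attribute; a host
  # without it makes evaluation fail instead of being skipped — confirm the
  # hosts submodule declares a default for it.
  sshkeys = keyType: lib.concatMap (cfg: cfg.${keyType}) (builtins.attrValues machines.hosts);
in
{
  # These lists are trust anchors (authorized keys, known host keys). With
  # the plain list/attrset types below, any other module in the evaluation
  # can still append to them; `readOnly = true` would pin them to the values
  # computed here — left out so existing callers that merge into them keep
  # working.
  options.machines.ssh = {
    userKeys = lib.mkOption {
      default = [ ];
      type = lib.types.listOf lib.types.str;
      description = ''
        List of user keys aggregated from all machines.
      '';
    };

    deployKeys = lib.mkOption {
      default = [ ];
      type = lib.types.listOf lib.types.str;
      description = ''
        List of deploy keys aggregated from all machines.
      '';
    };

    hostKeysByRole = lib.mkOption {
      default = { };
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      description = ''
        Machine host keys divided into their roles.
      '';
    };
  };

  config = {
    machines.ssh.userKeys = sshkeys "userKeys";
    machines.ssh.deployKeys = sshkeys "deployKeys";

    # For each role, look up the hostKey of every member host. A role that
    # names a host absent from machines.hosts is an evaluation error, which
    # is preferable to silently producing a role with fewer trusted host keys.
    machines.ssh.hostKeysByRole = lib.mapAttrs
      (role: hosts: builtins.map (host: machines.hosts.${host}.hostKey) hosts)
      machines.roles;
  };
}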