# To update .sops.yaml:
# $ inv update-sops-files
let
# Apply `f name value` to every attribute of `attrs` and collect the results
# in a list, ordered by attribute name (builtins.attrValues yields values in
# the same sorted-name order that builtins.attrNames uses). Local stand-in for
# nixpkgs' lib.mapAttrsToList, since this file only has `builtins`.
mapAttrsToList = f: attrs:
  builtins.attrValues (builtins.mapAttrs f attrs);
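# Turn `{ "<path regex>" = [ <age recipients> ]; ... }` into a list of sops
# creation_rules. Every rule gets the file's own recipients plus groups.admin,
# so admins can always decrypt. All recipients land in ONE key group, which
# sops treats as "any single listed key may decrypt" — there is no Shamir
# threshold here; add further key_groups if more than one key should be
# required. Recipients are de-duplicated (first occurrence wins) so a key that
# is both file-specific and admin (e.g. an admin inside groups.all) is not
# written twice into .sops.yaml.
renderPermissions = attrs:
  let
    # `builtins` has no `unique`; keep the first occurrence, preserve order.
    unique = builtins.foldl'
      (acc: x: if builtins.elem x acc then acc else acc ++ [ x ])
      [ ];
    # Named `fileKeys` rather than `keys` so the outer `keys` binding
    # (pubkeys.json) is not shadowed inside this function.
    toRule = path: fileKeys: {
      path_regex = path;
      key_groups = [{ age = unique (fileKeys ++ groups.admin); }];
    };
  in
  mapAttrsToList toRule attrs;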
# Age public keys of users and machines. To print the key for new hosts:
#   inv print-age-key --hosts "host1,host2"
# Expected shape (both maps are <name> -> age public key string):
#   { users = { <user> = "age1..."; }; machines = { <host> = "age1..."; }; }
# NOTE(review): this file decides who can decrypt every secret — review edits
# to it like code; an added entry is a new reader of the affected files.
keys =
  let pubkeysFile = ./pubkeys.json;
  in builtins.fromJSON (builtins.readFile pubkeysFile);
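# Recipient groups. Attribute access is explicit (no `with keys.users;`) so a
# user missing from pubkeys.json fails with "attribute 'DEC' missing" rather
# than an undefined-variable error, and the name cannot silently resolve to a
# binding from an outer scope.
groups = {
  # Admins may decrypt every secret (renderPermissions appends this group to
  # every rule).
  admin = [ keys.users.DEC ];
  # Every user key and every machine key. Anything encrypted to this group is
  # readable by any single host, so compromising one host's age key exposes
  # it — keep genuinely shared secrets to a minimum. On a user/host name
  # clash `//` keeps the machine's key.
  all = builtins.attrValues (keys.users // keys.machines);
};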
# Path regex -> extra age recipients for each secrets file. renderPermissions
# adds groups.admin to every entry, so only the non-admin readers are listed
# here. NOTE(review): the values are regexes with `.` unescaped and no `^`
# anchor; tighten them if the repository ever gains similarly named paths.
sopsPermissions =
  let
    # sops/hosts/<host>.yml: readable by that host's own key only.
    perHost = builtins.listToAttrs (mapAttrsToList
      (hostname: key: { name = "sops/hosts/${hostname}.yml$"; value = [ key ]; })
      keys.machines);
    # Shared by every user and every machine.
    shared = { "sops/modules/secrets.yml$" = groups.all; };
    # Per-service secrets restricted to the listed hosts. Hostnames are looked
    # up in keys.machines, so an unknown host aborts evaluation (fails closed).
    perService = builtins.mapAttrs (_: hosts: map (h: keys.machines.${h}) hosts) {
      "sops/modules/nfs/secrets.yml$" = [ "idols-ai" ];
      "sops/modules/k3s/secrets.yml$" = [ "idols-ai" ];
    };
  in
  perHost // shared // perService;
in
{
  # One sops creation_rule per entry of sopsPermissions. A hand-written rule
  # can be prepended to this list; it has the shape
  #   { path_regex = "foobar.yaml$";
  #     key_groups = [ { age = groups.admin ++ [ "key3" ]; } ]; }
  creation_rules = renderPermissions sopsPermissions;
}