add update-vault-policies command

2023-10-27 17:28:06 +01:00 · 2023-10-27 17:28:06 +01:00 · 4e5bec5588
parent 1fa594fab9
commit 4e5bec5588
3 changed files with 63 additions and 20 deletions
--- a/home/apps/kitty.nix
+++ b/home/apps/kitty.nix
@ -6,10 +6,7 @@
    enable = true;
    font.name = "Comic Code";
    settings = {
-      font_size =
-        if nixosConfig.networking.hostName == "tablet"
-        then 12
-        else 20;
+      font_size = 20;
      bold_font = "auto";
      italic_font = "auto";
      bold_italic_font = "auto";
--- a/outputs.nix
+++ b/outputs.nix
@ -4,6 +4,7 @@

  inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
  inherit (lib.lists) foldl' forEach filter;
+  inherit (lib.strings) optionalString;

  hosts = import ./hosts inputs;
 in
@ -143,31 +144,77 @@ in
            secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";

          # All machines/containers with secrets.nix
-          machines = rec {
-            "hetzner-arm" = {
-              containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo" "caldav"];
-              sshAddress = "hetzner-arm.servers.genderfucked.monster";
+          machines = let
+            doesHaveHostSecrets = machineName: let
+              hostConfig = self.nixosConfigurations.${machineName}.config;
+              secretsConfig = hostConfig.services.secrets;
+            in
+              secretsConfig.enable && secretsConfig.vaultLogin.enable;
+
+            containersForMachine = machineName: let
+              hostConfig = self.nixosConfigurations.${machineName}.config;
+            in
+              lib.filter (containerName: let
+                containerConfig = hostConfig.containers.${containerName}.config;
+                secretsConfig = containerConfig.services.secrets;
+              in
+                secretsConfig.enable && secretsConfig.vaultLogin.enable) (builtins.attrNames hostConfig.containers);
+
+            configForMachine = machineName: {
+              hasHostSecrets = doesHaveHostSecrets machineName;
+              containers = containersForMachine machineName;
            };
-            "vault" = {
-              sshAddress = "vault.servers.genderfucked.monster";
-            };
-            "raspberry" = {
-              containers = ["piped-uk"];
-              sshAddress = "raspberry.servers.genderfucked.monster";
-            };
-            "lappy-t495" = {};
-            "tablet" = {};
+          in {
+            "hetzner-arm" =
+              configForMachine "hetzner-arm"
+              // {
+                sshAddress = "hetzner-arm.servers.genderfucked.monster";
+              };
+            "vault" =
+              configForMachine "vault"
+              // {
+                hasHostSecrets = doesHaveHostSecrets "vault";
+                sshAddress = "vault.servers.genderfucked.monster";
+              };
+            #"raspberry" = {
+            #  containers = ["piped-uk"];
+            #  sshAddress = "raspberry.servers.genderfucked.monster";
+            #};
+            "lappy-t495" = configForMachine "lappy-t495";
          };

          machinesWithHostSecrets = filter (
-            machine: (machines.${machine}.hasHostSecrets or true)
+            machine: (machines.${machine}.hasHostSecrets)
          ) (builtins.attrNames machines);

          machinesWithContainers = filter (
-            machine: machines.${machine} ? "containers"
+            machine: (machines.${machine}.containers or []) != []
          ) (builtins.attrNames machines);
        in {
          packages = mergeAttrsList [
+            {
+              "update-vault-policies" = pkgs.writeShellScriptBin "update-vault-policies" ''
+                ${lib.concatStringsSep "\n" (map (hostName: let
+                    machineContainers = machines.${hostName}.containers;
+                  in ''
+                    echo "Deploying policy for ${hostName}"
+                    vault policy write ${hostName} ${self.packages.${system}."vault-policy-${hostName}"}
+
+                    ${lib.concatStringsSep "\n" (map (containerName: let
+                        policyName = "${hostName}-container-${containerName}";
+                      in ''
+                        echo "Deploying policy for ${policyName}"
+                        vault policy write ${policyName} ${self.packages.${system}."vault-policy-${policyName}"}
+                        echo
+                      '')
+                      machineContainers)}
+
+                    echo
+                  '')
+                  machinesWithHostSecrets)}
+              '';
+            }
+
            (mergeAttrsList (
              forEach machinesWithHostSecrets (machineName: {
                "secrets-init-${machineName}" = secretsInitScriptForSystem machineName;
--- a/profiles/remoteBuilders.nix
+++ b/profiles/remoteBuilders.nix
@ -14,7 +14,6 @@
    if
      builtins.elem currentHostname [
        "lappy-t495"
-        "tablet"
      ]
    then usbSSHKeyFile
    else if builtins.elem currentHostname ["wsl"]