From 4e5bec5588556104e6d9120db51829c3bbf2bd27 Mon Sep 17 00:00:00 2001
From: chaos
Date: Fri, 27 Oct 2023 17:28:06 +0100
Subject: [PATCH] add update-vault-policies command

---
 home/apps/kitty.nix | 5 +--
 outputs.nix | 77 +++++++++++++++++++++++++++++--------
 profiles/remoteBuilders.nix | 1 -
 3 files changed, 63 insertions(+), 20 deletions(-)

diff --git a/home/apps/kitty.nix b/home/apps/kitty.nix
index fcf3d3f..22c6bee 100644
--- a/home/apps/kitty.nix
+++ b/home/apps/kitty.nix
@@ -6,10 +6,7 @@
 enable = true;
 font.name = "Comic Code";
 settings = {
- font_size =
- if nixosConfig.networking.hostName == "tablet"
- then 12
- else 20;
+ font_size = 20;
 bold_font = "auto";
 italic_font = "auto";
 bold_italic_font = "auto";
diff --git a/outputs.nix b/outputs.nix
index f806e07..5207613 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -4,6 +4,7 @@
 inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
 inherit (lib.lists) foldl' forEach filter;
+ inherit (lib.strings) optionalString;
 hosts = import ./hosts inputs;
 in
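Review bot: `optionalString` is inherited from `lib.strings` here, but none of the new code in this commit uses it (the `update-vault-policies` script in the later hunk only calls `lib.concatStringsSep` and `map`); if nothing else in outputs.nix references it the line is dead, and if it was meant to guard the host-level `vault policy write` in that script, the guard never got written. Either drop `inherit (lib.strings) optionalString;` or use it where it was intended.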
@@ -143,31 +144,77 @@ in
 secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";
 # All machines/containers with secrets.nix
- machines = rec {
- "hetzner-arm" = {
- containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo" "caldav"];
- sshAddress = "hetzner-arm.servers.genderfucked.monster";
+ machines = let
+ doesHaveHostSecrets = machineName: let
+ hostConfig = self.nixosConfigurations.${machineName}.config;
+ secretsConfig = hostConfig.services.secrets;
+ in
+ secretsConfig.enable && secretsConfig.vaultLogin.enable;
+
+ containersForMachine = machineName: let
+ hostConfig = self.nixosConfigurations.${machineName}.config;
+ in
+ lib.filter (containerName: let
+ containerConfig = hostConfig.containers.${containerName}.config;
+ secretsConfig = containerConfig.services.secrets;
+ in
+ secretsConfig.enable && secretsConfig.vaultLogin.enable) (builtins.attrNames hostConfig.containers);
+
+ configForMachine = machineName: {
+ hasHostSecrets = doesHaveHostSecrets machineName;
+ containers = containersForMachine machineName;
 };
- "vault" = {
- sshAddress = "vault.servers.genderfucked.monster";
- };
- "raspberry" = {
- containers = ["piped-uk"];
- sshAddress = "raspberry.servers.genderfucked.monster";
- };
- "lappy-t495" = {};
- "tablet" = {};
+ in {
+ "hetzner-arm" =
+ configForMachine "hetzner-arm"
+ // {
+ sshAddress = "hetzner-arm.servers.genderfucked.monster";
+ };
+ "vault" =
+ configForMachine "vault"
+ // {
+ hasHostSecrets = doesHaveHostSecrets "vault";
+ sshAddress = "vault.servers.genderfucked.monster";
+ };
+ #"raspberry" = {
+ # containers = ["piped-uk"];
+ # sshAddress = "raspberry.servers.genderfucked.monster";
+ #};
+ "lappy-t495" = configForMachine "lappy-t495";
 };
 machinesWithHostSecrets = filter (
- machine: (machines.${machine}.hasHostSecrets or true)
+ machine: (machines.${machine}.hasHostSecrets)
 ) (builtins.attrNames machines);
 machinesWithContainers = filter (
- machine: machines.${machine} ? "containers"
+ machine: (machines.${machine}.containers or []) != []
 ) (builtins.attrNames machines);
 in {
 packages = mergeAttrsList [
+ {
+ "update-vault-policies" = pkgs.writeShellScriptBin "update-vault-policies" ''
+ ${lib.concatStringsSep "\n" (map (hostName: let
+ machineContainers = machines.${hostName}.containers;
+ in ''
+ echo "Deploying policy for ${hostName}"
+ vault policy write ${hostName} ${self.packages.${system}."vault-policy-${hostName}"}
+
+ ${lib.concatStringsSep "\n" (map (containerName: let
+ policyName = "${hostName}-container-${containerName}";
+ in ''
+ echo "Deploying policy for ${policyName}"
+ vault policy write ${policyName} ${self.packages.${system}."vault-policy-${policyName}"}
+ echo
+ '')
+ machineContainers)}
+
+ echo
+ '')
+ machinesWithHostSecrets)}
+ '';
+ }
+
 (mergeAttrsList (
 forEach machinesWithHostSecrets (machineName: {
 "secrets-init-${machineName}" = secretsInitScriptForSystem machineName;
diff --git a/profiles/remoteBuilders.nix b/profiles/remoteBuilders.nix
index 34f823c..5141ec7 100644
--- a/profiles/remoteBuilders.nix
+++ b/profiles/remoteBuilders.nix
@@ -14,7 +14,6 @@
 if builtins.elem currentHostname [
 "lappy-t495"
- "tablet"
 ]
 then usbSSHKeyFile
 else if builtins.elem currentHostname ["wsl"]
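Review bot: Container policies are only ever written for hosts that are themselves in `machinesWithHostSecrets`, because the inner `map` over `machineContainers` is nested inside the outer `map` over that list; a machine whose containers have `vaultLogin.enable` while the host does not (the case `machinesWithContainers` is computed for) would silently get no `*-container-*` policy deployed. If that combination can occur, iterate `builtins.attrNames machines` instead and wrap the host-level `vault policy write` in `lib.optionalString machines.${hostName}.hasHostSecrets`. The generated script also runs without `set -e` (`pkgs.writeShellScriptBin` does not add one), so a failed `vault policy write` only shows up in vault's own stderr while the remaining writes and the `echo "Deploying policy for …"` lines continue, which makes a partial ACL rollout easy to miss — start the text with `set -euo pipefail` or build it with `pkgs.writeShellApplication`. Separately, the `"vault"` entry re-sets `hasHostSecrets = doesHaveHostSecrets "vault";` although `configForMachine "vault"` already provides it, so that line can go.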