add update-vault-policies command
This commit is contained in:
parent
1fa594fab9
commit
4e5bec5588
@ -6,10 +6,7 @@
enable = true;
enable = true;
font.name = "Comic Code";
font.name = "Comic Code";
settings = {
settings = {
font_size =
font_size = 20;
if nixosConfig.networking.hostName == "tablet"
then 12
else 20;
bold_font = "auto";
bold_font = "auto";
italic_font = "auto";
italic_font = "auto";
bold_italic_font = "auto";
bold_italic_font = "auto";
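--- a/outputs.nix
+++ b/outputs.nix
@@ -4,6 +4,7 @@
 
 inherit (lib.attrsets) mergeAttrsList recursiveUpdate;
 inherit (lib.lists) foldl' forEach filter;
+inherit (lib.strings) optionalString;
 
 hosts = import ./hosts inputs;
 in
@@ -143,31 +144,77 @@ in
 secretsLib.genVaultPolicy secretsConfig "${systemName}-container-${containerName}";
 
 # All machines/containers with secrets.nix
-machines = rec {
-"hetzner-arm" = {
-containers = ["storage" "music" "quassel" "social" "mail" "postgresql" "piped-fi" "forgejo" "caldav"];
+machines = let
+doesHaveHostSecrets = machineName: let
+hostConfig = self.nixosConfigurations.${machineName}.config;
+secretsConfig = hostConfig.services.secrets;
+in
+secretsConfig.enable && secretsConfig.vaultLogin.enable;
+
+containersForMachine = machineName: let
+hostConfig = self.nixosConfigurations.${machineName}.config;
+in
+lib.filter (containerName: let
+containerConfig = hostConfig.containers.${containerName}.config;
+secretsConfig = containerConfig.services.secrets;
+in
+secretsConfig.enable && secretsConfig.vaultLogin.enable) (builtins.attrNames hostConfig.containers);
+
+configForMachine = machineName: {
+hasHostSecrets = doesHaveHostSecrets machineName;
+containers = containersForMachine machineName;
+};
+in {
+"hetzner-arm" =
+configForMachine "hetzner-arm"
+// {
 sshAddress = "hetzner-arm.servers.genderfucked.monster";
 };
-"vault" = {
+"vault" =
+configForMachine "vault"
+// {
+hasHostSecrets = doesHaveHostSecrets "vault";
 sshAddress = "vault.servers.genderfucked.monster";
 };
-"raspberry" = {
-containers = ["piped-uk"];
-sshAddress = "raspberry.servers.genderfucked.monster";
-};
-"lappy-t495" = {};
-"tablet" = {};
+#"raspberry" = {
+# containers = ["piped-uk"];
+# sshAddress = "raspberry.servers.genderfucked.monster";
+#};
+"lappy-t495" = configForMachine "lappy-t495";
 };
 
 machinesWithHostSecrets = filter (
-machine: (machines.${machine}.hasHostSecrets or true)
+machine: (machines.${machine}.hasHostSecrets)
 ) (builtins.attrNames machines);
 
 machinesWithContainers = filter (
-machine: machines.${machine} ? "containers"
+machine: (machines.${machine}.containers or []) != []
 ) (builtins.attrNames machines);
 in {
 packages = mergeAttrsList [
+{
+"update-vault-policies" = pkgs.writeShellScriptBin "update-vault-policies" ''
+${lib.concatStringsSep "\n" (map (hostName: let
+machineContainers = machines.${hostName}.containers;
+in ''
+echo "Deploying policy for ${hostName}"
+vault policy write ${hostName} ${self.packages.${system}."vault-policy-${hostName}"}
+
+${lib.concatStringsSep "\n" (map (containerName: let
+policyName = "${hostName}-container-${containerName}";
+in ''
+echo "Deploying policy for ${policyName}"
+vault policy write ${policyName} ${self.packages.${system}."vault-policy-${policyName}"}
+echo
+'')
+machineContainers)}
+
+echo
+'')
+machinesWithHostSecrets)}
+'';
+}
+
 (mergeAttrsList (
 forEach machinesWithHostSecrets (machineName: {
 "secrets-init-${machineName}" = secretsInitScriptForSystem machineName;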
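Review bot: The update-vault-policies script walks only machinesWithHostSecrets, so container policies on a host whose own services.secrets / vaultLogin is disabled are never written even though containersForMachine would list those containers for that host; iterate over the hosts that have host secrets or a non-empty containers list, and emit the host-level `vault policy write` only when `hasHostSecrets` is set. The generated script also runs without `set -euo pipefail`, so a failed `vault policy write` (expired token, unreachable server, missing policy package) prints an error and the loop continues, leaving a partially updated policy set with exit status 0 — add `set -euo pipefail` as the first line of the '' body. Minor: containersForMachine calls `lib.filter` while `filter` is already inherited from lib.lists a few lines up, and the new `inherit (lib.strings) optionalString;` in the first hunk is not referenced by any visible line — drop it if nothing else in the file uses it.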
@ -14,7 +14,6 @@
if
if
builtins.elem currentHostname [
builtins.elem currentHostname [
"lappy-t495"
"lappy-t495"
"tablet"
]
]
then usbSSHKeyFile
then usbSSHKeyFile
else if builtins.elem currentHostname ["wsl"]
else if builtins.elem currentHostname ["wsl"]