refactor(lib): move few dynamic secrets utils to lib

zakuciael · Aug 25, 2024 · 4baafe8 · 4baafe8
1 parent 26fa245
commit 4baafe8
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 16 deletions.
diff --git a/configuration.nix b/configuration.nix
@@ -132,7 +132,7 @@ with lib.my; {
             lib.concatStringsSep " "
             (
               builtins.map
-              (domain: "${domain}=${config.sops.placeholder."${base}/${domain}"}")
+              (entry: "${entry}=${utils.mkSecretPlaceholder config [base entry]}")
               (builtins.attrNames secrets)
             )
           }

diff --git a/hosts/laptop/secrets.yaml b/hosts/laptop/secrets.yaml
@@ -4,7 +4,7 @@ nix:
 users:
     zakuciael:
         password: ENC[AES256_GCM,data:WjOX2hCNy9Ca8We+Phbv7bmKNJGwtTCzk2s4FK8Es7GX28S37PzfAQr+EHH9u5EEeVZNJwY3LgpdQpFwy/lco09LbmMgwjEXsA==,iv:0BoaxSJWaCZ2Ux6OsbLkyJFeg2Cju7Gxfxkz7z8yF+o=,tag:FEzVnkLlkgBpP6kmEVBvFQ==,type:str]
-        u2f_keys: ENC[AES256_GCM,data:FDDL1ciGEmtuzLV0V4kDf3zrIPXtO/oGUI3n6QnSKgmQi2NCcoSroddrlRJDnfBZJyeUdGSCmiP/5umAcq2f3eX30tLP2xzb2ZuhUF1iEhXzG/31R8v15DTpEQOiwzkc0rhtzTDdvpE/H53hWr5iG+0rncrgT4getIthumdW67j2VDDrqyjepwUX0ekAfV3123nwBf2+qygzux0PY+tt4782f9SVpe+dfq7N0jrG6lJawQkD/ChvPw87Jtan3bRM9I5g,iv:uip4/DcM8SjXn14K0CFP2ZSlzXj2po5Yoq88ap7QHYI=,tag:LaIvGfqfLY7kgkeY8cthRw==,type:str]
+        u2f_keys: ENC[AES256_GCM,data:QZLwWTSgwdlWZk/OWJGmTLcMSIZpLJvGlvtPJvkbpiezVBf6YGJ81YdAbHEgirnzHlTxR0Cb3S6MoG6SY36/U62Kf9eifk1U+HUWb/6MGRXrL9wSgvaLp4fKqxynnuXdki/FpZoNOGKId85UNhBbmE3ae8gFfm1gNSmWMl9teHcFCfYqn0lyL99hvzpCD5dvckjo1GrB+x0zWxZ8CLVOBBaCBuZaZxAVIC2Z3qfVz82OGh4Zx/ec+NtnyhfQ7PDMlIv7d7qaY5/RQHgs,iv:Fydf8yV7iUEyKflmkb3P6hVch5At4jFEdWFz60GGCgs=,tag:w31faJx1KIw3pwbLE/zD9A==,type:str]
 1password:
     ssh_agent:
         commit-signing-key:
@@ -66,8 +66,8 @@ sops:
             cXY0Q0c1c1RTeE55UmR4UXQ3WUF5REEKmWCz1p1a4XiLYEXjjQDf3AymsJarAREr
             7sEzo5NgODyowqylz4OYUKo++kSfmrbd9EKNQRWVZnxQ2eNDZak3Gg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:04:52Z"
-    mac: ENC[AES256_GCM,data:znj1C7ur/3vzqUu3dWGkO8QSWKOWp77yqQq5XOdJWZHPIIJ8cBxOivtfoa5/19nhcdYv/KR6f90KaM8v61aB3vwCQRej8hXJZvKn1odzMLPU/BABGGSwsdQohi6j6dou4j1hVkYa/IMnEL9Ik9Vjr3Yko54GZo+dP5gAmj1wJFc=,iv:xnWWmyCyZzlAATWNQp1xMYC/ED6RE8tn/98WYlOBBfI=,tag:Xf8Fjua62AnNaAxQxCLzBg==,type:str]
+    lastmodified: "2024-08-25T03:29:44Z"
+    mac: ENC[AES256_GCM,data:2nsiNy5UZz38EdjT71IygwO20L68SaxBofQ4URfxngHWjjFrEkt4ACEZJ6etgeA+MNcpXhty4qlRmbZweFDzrlSFhKcKzRcuhz54DdYhr3sFpESQPnik8LbM2GSCx7O0vpMYKeGC6YakfM2GijnRRZZe+9fscapiHuwCOwk+/1M=,iv:zgQZnMumZjGc4kokGxBHMm5lje4rMZP8H9fp3irM+i0=,tag:aUxytS2yM86UIImzYUTVvw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/hosts/pc/secrets.yaml b/hosts/pc/secrets.yaml
@@ -4,7 +4,7 @@ nix:
 users:
     zakuciael:
         password: ENC[AES256_GCM,data:WjOX2hCNy9Ca8We+Phbv7bmKNJGwtTCzk2s4FK8Es7GX28S37PzfAQr+EHH9u5EEeVZNJwY3LgpdQpFwy/lco09LbmMgwjEXsA==,iv:0BoaxSJWaCZ2Ux6OsbLkyJFeg2Cju7Gxfxkz7z8yF+o=,tag:FEzVnkLlkgBpP6kmEVBvFQ==,type:str]
-        u2f_keys: ENC[AES256_GCM,data:3sqceG5NKS/l0xcVuZaeVa8doNfTT8kuLysqmlT5m9wAjqKAESFik/EosNuOF4/Iupd3CBDAcYmgbpW3H+Aq7Wsi2yoADjlpsrD6qRjtH7zmg2/s2vDwmDVe+gAAlf6h5i6oWt3qfE9NoPk8z7F16kv3TovZbvZ9tdZWI/IML8R7wMMt5NCkEzI0WNcmzshIXBFR984gaK1J8gReSD+5S3COxP12BoejDPnsz6J8JUL4gizjxUVPy9P0o7wWcZ2lZBE5,iv:uqXdIsdaXaB9L152Xp51VKDo5uWpHsS8QbbG+Vii+80=,tag:ufuCBXhVptKXKKCOcP6AeA==,type:str]
+        u2f_keys: ENC[AES256_GCM,data:n4vkXl7kM+XHxln9N4fNThZcMqmOJWdaBDeVdvQZc0UCunLCBjaeA3Pi4CT7VjFA03ZqVkvI2MBRbNdGp1ziA1tpoYbYhcYxB4q3mfgv5kpiQZtutmxwx06TGu0krjA0gQPBmZQza80CcpMBhTBGLsfscjory50EpnMJYnerIuZzJ9BOd5FmBHt1lbVefOERE70JfczS27AmWU5W7/1Pn6kMCH0bwJP6+mlh9ImL72bHUOOtco0u3W4j4q58+ok+GdPfq+V+ckXin4xI,iv:yzLIxSoCykfSZqE0ZD2/drMM95BLf//bjmUD39S2TDw=,tag:VlRPthHk4Dmicy6oYMYhAw==,type:str]
 1password:
     ssh_agent:
         commit-signing-key:
@@ -66,8 +66,8 @@ sops:
             cXY0Q0c1c1RTeE55UmR4UXQ3WUF5REEKmWCz1p1a4XiLYEXjjQDf3AymsJarAREr
             7sEzo5NgODyowqylz4OYUKo++kSfmrbd9EKNQRWVZnxQ2eNDZak3Gg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-25T03:05:15Z"
-    mac: ENC[AES256_GCM,data:c+OEK2AdcLRY7obsrJPNiSO7Zc9Dtws3ZLeRevf08fQOmg8wFB+eWabKOIGqD+/jbpzb0jsqUmq+gCK1srK/ELXUlCnOmJW2boZla14szluiEGk2pYYwPgKuqBf0SwRVo7E0/9q3c4r9DFPzSlOV7xhc4Ri9+8NGdyxC6OJchtk=,iv:SQSnm6jFQ8IXrZK6S3ZN2W+qJz9E1Rtmh6sZ5TE0UII=,tag:/TRikiIzGEZ2gt9OAtl49Q==,type:str]
+    lastmodified: "2024-08-25T03:30:14Z"
+    mac: ENC[AES256_GCM,data:fr/M1oTO0L4J+YOfd/JJ6VkyDMpdSUHyJy5P+Uptd3xtOdVsfMWEpbc7me9uecSFsyC0zCAPnLgErz3wYgkTcaaOZOBCpc4bcv3t+YZGGe8g2cioLciqolBzN1JqOmx978o5xW0dPG/6iomVfbJotEPCs4aKLFSSm7p0n5ZAo+Y=,iv:lWaPope76J67HQiYLxjX4E8smqw9A9QnOvjlJgzazWg=,tag:D87bHr20mPZsonb1C7RcuQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/lib/utils.nix b/lib/utils.nix
@@ -62,6 +62,15 @@ in rec {
   in
     secrets;
 
+  mkSecretName = path:
+    concatStringsSep "/" (builtins.map (v: removeSuffix "/" v) path);
+
+  mkSecretPlaceholder = config: path:
+    config.sops.placeholder."${mkSecretName path}";
+
+  mkSecretPath = config: path:
+    config.sops.secrets."${mkSecretName path}".path;
+
   findLayoutConfig = with lib;
     config: predicate: let
       default = {

diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
@@ -13,12 +13,6 @@ with lib.my; let
   secrets = utils.readSecrets {inherit config base;};
 
   mkKeyValue = key: value: "${key} ${value}";
-  mkSecretName = path:
-    concatStringsSep "/" (builtins.map (v: removeSuffix "/" v) path);
-  mkSecretPlaceholder = path:
-    config.sops.placeholder."${mkSecretName path}";
-  mkSecretPath = path:
-    config.sops.secrets."${mkSecretName path}".path;
   mkSecretSettings = secret:
     if hasSuffix "/public_key" secret
     then {
@@ -30,7 +24,7 @@ with lib.my; let
   mkPublicKeySettings = host:
     if (hasAttrByPath [host "public_key"] secrets)
     then {
-      IdentityFile = mkSecretPath [base host "public_key"];
+      IdentityFile = utils.mkSecretPath config [base host "public_key"];
       IdentitiesOnly = "yes";
     }
     else {};
@@ -43,7 +37,7 @@ with lib.my; let
           builtins.map
           (v: {
             name = v;
-            value = mkSecretPlaceholder [base host "settings" v];
+            value = utils.mkSecretPlaceholder config [base host "settings" v];
           })
           (builtins.attrNames (attrByPath [host "settings"] {} secrets))
         )
@@ -52,7 +46,7 @@ with lib.my; let
     settings // (mkPublicKeySettings host);
 
   mkHost = host: settings: ''
-    Host ${mkSecretPlaceholder [base host "host"]}
+    Host ${utils.mkSecretPlaceholder config [base host "host"]}
     ${utils.indentLines "  " (concatLines (builtins.map (v: mkKeyValue v.name v.value) (attrsToList settings)))}'';
 in {
   options.modules.services.ssh = with types; {