-{ pkgs, lib, config, ... }:
+{ inputs, lib, ... }:
{
-gnupg.keys = {
-"Julien Moutinho <julm@sourcephile.fr>" = {
- uid = "Julien Moutinho <julm@sourcephile.fr>";
- algo = "rsa4096";
- expire = "3y";
- usage = ["cert" "sign"];
- passPath = "members/julm/gpg/password";
- subKeys = [
- { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; }
- { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; }
- { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; }
- ];
- backupRecipients = [""];
-};
-"Julien Moutinho <julm@mermet>" = {
- uid = "Julien Moutinho <julm@mermet>";
- algo = "rsa4096";
- expire = "3y";
- usage = ["cert" "sign"];
- passPath = "members/julm/gpg/password";
- subKeys = [
- { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; }
- { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; }
- { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; }
- ];
- backupRecipients = [""];
-};
-} // lib.listToAttrs (builtins.map (srv: lib.nameValuePair "root@${srv}.sourcephile.fr" {
- uid = "root@${srv}.sourcephile.fr";
- algo = "rsa4096";
- expire = "0";
- usage = ["cert" "sign"];
- passPath = "servers/${srv}/root/key.pass";
- subKeys = [
- { algo = "rsa4096"; expire = "0"; usage = ["encrypt"]; }
- ];
- backupRecipients = [""];
- # This encrypt subkey is put into a root/key.gpg, and then on the Nix stores,
- # to decrypt servers."${srv}".config.security.pass.secrets .
- # Its passphrase in root/key.pass is decrypted and sent by ssh before each call to nix copy
- # by adding to servers."${srv}".config.install.nixos-ssh.script .
- postRun = ''
- info " generate $PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg"
- test -s "$PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg" || {
- ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback --export-secret-keys --armor \
- --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/servers/${srv}/root/key.pass.gpg") \
- --export-options export-minimal @root@${srv}.sourcephile.fr |
- ${pkgs.gnupg}/bin/gpg --symmetric --batch --pinentry-mode loopback \
- --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$PASSWORD_STORE_DIR/servers/${srv}/root/key.pass.gpg") \
- --output "$PASSWORD_STORE_DIR/servers/${srv}/root/key.gpg"
- }
- '';
-}) (builtins.attrNames (import ../servers.nix)));
+ gnupg.keys = {
+ "Julien Moutinho <julm@sourcephile.fr>" = {
+ uid = "Julien Moutinho <julm@sourcephile.fr>";
+ algo = "rsa4096";
+ expire = "3y";
+ usage = [ "cert" "sign" ];
+ passPath = "members/julm/gpg/password";
+ subKeys = [
+ { algo = "rsa4096"; expire = "3y"; usage = [ "sign" ]; }
+ { algo = "rsa4096"; expire = "3y"; usage = [ "encrypt" ]; }
+ { algo = "rsa4096"; expire = "3y"; usage = [ "auth" ]; }
+ ];
+ backupRecipients = [ "" ];
+ };
+ "Julien Moutinho <julm@mermet>" = {
+ uid = "Julien Moutinho <julm@mermet>";
+ algo = "rsa4096";
+ expire = "3y";
+ usage = [ "cert" "sign" ];
+ passPath = "members/julm/gpg/password";
+ subKeys = [
+ { algo = "rsa4096"; expire = "3y"; usage = [ "sign" ]; }
+ { algo = "rsa4096"; expire = "3y"; usage = [ "encrypt" ]; }
+ { algo = "rsa4096"; expire = "3y"; usage = [ "auth" ]; }
+ ];
+ backupRecipients = [ "" ];
+ };
+ } // lib.listToAttrs (
+ let domain = "sourcephile.fr"; in
+ builtins.map
+ (host: lib.nameValuePair "root@${host}.${domain}" {
+ uid = "root@${host}.${domain}";
+ algo = "rsa4096";
+ expire = "0";
+ usage = [ "cert" "sign" ];
+ passPath = "hosts/${host}/gnupg/root";
+ subKeys = [
+ { algo = "rsa4096"; expire = "0"; usage = [ "encrypt" ]; }
+ ];
+ backupRecipients = [ "" ];
+ })
+ (builtins.attrNames inputs.self.nixosConfigurations)
+ );
}
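Review bot: `backupRecipients = [ "" ]` on the new side, repeated for both member keys and the per-host `root@${host}.${domain}` keys, hands the module a single empty-string recipient, which reads as a placeholder rather than a deliberate value; either use `backupRecipients = [ ];` if the gnupg.keys module accepts an empty list, or annotate it, e.g. `# "" means no backup recipient — confirm the module skips it rather than passing it as a gpg recipient`. The per-host entries also set `expire = "0"` on both the certification key and the encrypt subkey with no comment on why these never expire while the member keys use `"3y"`; a one-line rationale would help the next maintainer audit the key policy. The explanation of how the per-host encrypt subkey is consumed went away with the removed postRun block, so if that key still serves the same role under the new `hosts/${host}/gnupg/root` path, a short comment on the per-host attribute set should say so.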