infrastructure/keys/default.nix

# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

let
  _sources = import ../npins;

  inherit (import _sources.nixos-unstable { }) lib;

  meta = import ../meta lib;

  inherit (import ../lib/nix-lib) setDefault unique;

  getAttr = lib.flip builtins.getAttr;

in

rec {
  _memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
  _builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
  _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;

  # Get keys of the users
  getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);

  # Get builder keys of the users
  getBuilderKeys = getAttr _builderKeys;

  # Get keys of the ssh server
  getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);

  # List of keys for the root group
  rootKeys = getMemberKeys meta.organization.groups.root;

  # All keys that can access a node
  getNodeKeys' =
    node:
    let
      names = [ node ] ++
      meta.nodes.${node}.admins
      ++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups);
    in
    unique (getMemberKeys names ++ getNodeKeys [ node ]);

  # List of keys for all machines wide secrets
  machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));

  mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getNodeKeys' nodes); };

  machineKeysBySystem = system:
    rootKeys
    ++ (getNodeKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)));
}
chore: Add license and copyright information Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel. 2024-12-12 14:41:43 +01:00			`# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>`
			`#`
			`# SPDX-License-Identifier: EUPL-1.2`

feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00			`let`
			`_sources = import ../npins;`

chore(npins): Remove nixpkgs, use nixos-unstable instead 2025-01-16 10:43:57 +01:00			`inherit (import _sources.nixos-unstable { }) lib;`
fix(keys): Add nixosMachineKeys and rekey This is needed for secret encryption since netconf and liminix machines don't have an ssh key for now. 2024-12-22 11:47:04 +01:00
			`meta = import ../meta lib;`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00
fix(keys/getKeys): don't fail if no key is specified 2025-01-24 16:34:42 +01:00			`inherit (import ../lib/nix-lib) setDefault unique;`
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00
			`getAttr = lib.flip builtins.getAttr;`

feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00			`in`

			`rec {`
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`_memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;`
			`_builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;`
			`_nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`# Get keys of the users`
			`getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`# Get builder keys of the users`
			`getBuilderKeys = getAttr _builderKeys;`
feat(keys): add builder-specific keys For remote building, keys are usually isolated from the main keys. This enables another list of keys to add. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu> 2025-02-06 01:23:32 +01:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`# Get keys of the ssh server`
			`getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`# List of keys for the root group`
			`rootKeys = getMemberKeys meta.organization.groups.root;`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`# All keys that can access a node`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00			`getNodeKeys' =`
			`node:`
			`let`
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`names = [ node ] ++`
			`meta.nodes.${node}.admins`
			`++ (builtins.concatMap (g: meta.organization.groups.${g}) meta.nodes.${node}.adminGroups);`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00			`in`
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`unique (getMemberKeys names ++ getNodeKeys [ node ]);`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`# List of keys for all machines wide secrets`
			`machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getNodeKeys' nodes); };`
fix(keys): Add nixosMachineKeys and rekey This is needed for secret encryption since netconf and liminix machines don't have an ssh key for now. 2024-12-22 11:47:04 +01:00
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`machineKeysBySystem = system:`
fix(keys): Add nixosMachineKeys and rekey This is needed for secret encryption since netconf and liminix machines don't have an ssh key for now. 2024-12-22 11:47:04 +01:00			`rootKeys`
feat(keys): Move keys to meta chore: revert meta stuff 2024-12-05 12:37:51 +01:00			`++ (getNodeKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)));`
feat(infra): Internalize nix-lib, and make keys management simpler 2024-10-09 17:04:30 +02:00			`}`