feat(secrets): Add a possibility to use extra keys for secret encryption

2025-03-08 23:01:17 +01:00 · 2025-03-08 23:01:17 +01:00 · 742ed8c182
commit 742ed8c182
parent ef0efe73ef
2 changed files with 21 additions and 2 deletions
--- a/lib/keys/default.nix
+++ b/lib/keys/default.nix
@ -14,12 +14,16 @@ in

 rec {
  _memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
+  _ageKeys = builtins.mapAttrs (_: v: v.ageSshKeys) meta.organization.members;
  _builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
  _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;

  # Get keys of the users
  getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);

+  # Get age-keys of the users
+  getAgeKeys = name: builtins.concatLists (builtins.map (getAttr _ageKeys) name);
+
  # Get builder keys of the users
  getBuilderKeys = getAttr _builderKeys;

@ -33,7 +37,7 @@ rec {
  getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;

  # All keys needed for secret encryption
-  getSecretKeys = node: lib.unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
+  getSecretKeys = node: lib.unique (getAgeKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);

  # List of keys for all machines wide secrets
  machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
--- a/meta/options.nix
+++ b/meta/options.nix
@ -73,7 +73,7 @@ in
      members = mkOption {
        type = attrsOf (
          submodule (
-            { name, ... }:
+            { name, config, ... }:
            {
              options = {
                name = mkOption {
@ -113,6 +113,18 @@ in
                  ];
                };

+                ageSshKeys = lib.mkOption {
+                  type = listOf singleLineStr;
+                  description = ''
+                    A list of verbatim OpenSSH public keys that should be used to encrypt the machine secrets
+                  '';
+                  defaultText = "The ssh keys used to access machines of the user (`organization.members.<name>.sshKeys`)";
+                  example = [
+                    "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
+                    "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
+                  ];
+                };
+
                builderKeys = lib.mkOption {
                  type = listOf singleLineStr;
                  default = [ ];
@ -129,6 +141,9 @@ in
                  description = "Attribute sets to define vpn keys of the user";
                };
              };
+              config = {
+                ageSshKeys = config.sshKeys;
+              };
            }
          )
        );