infrastructure/lib/keys/default.nix

# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

{ meta, lib }:
let
  inherit (lib.extra) setDefault unique;

  getAttr = lib.flip builtins.getAttr;
in
rec {
  _memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
  _builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
  _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;

  # Get keys of the users
  getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);

  # Get builder keys of the users
  getBuilderKeys = getAttr _builderKeys;

  # Get keys of the ssh server
  getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);

  # List of keys for the root group
  rootKeys = getMemberKeys meta.organization.groups.root;

  # All admins for a node
  getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;

  # All keys needed for secret encryption
  getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);

  # List of keys for all machines wide secrets
  machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));

  mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getSecretKeys nodes); };

  machineKeysBySystem =
    system:
    rootKeys
    ++ (getNodeKeys (
      builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
    ));
}