Reorganize secrets and ssh keys

The agenix tools needs to read the secrets from a standalone file, but we also need the same information for the SSH keys.
2023-09-04 21:36:31 +02:00
parent 900de39e2f
commit 0a5f9b55f5
11 changed files with 87 additions and 26 deletions
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+  keys = import ../keys.nix;
+  adminsKeys = builtins.attrValues keys.admins;
+  hut = [ keys.hosts.hut ] ++ adminsKeys;
+  # Only expose ceph keys to safe nodes and admins
+  ceph = keys.hostGroup.safe ++ adminsKeys;
+in
+{
+  "ovni-token.age".publicKeys = hut;
+  "nosv-token.age".publicKeys = hut;
+
+  "ceph-user.age".publicKeys = ceph;
+}