From 34a3f9a0d6ab7f809c897b076206ac2e5b76f360 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 13 Apr 2023 16:37:42 +0000
Subject: [PATCH] modules: secrets: centralize agenix keys

If I intend on splitting the keys depending on which host needs to have access to it, I should have a singular spot to manage the keys.
---
 keys/default.nix | 39 +++++++++++++++++++++++++++++++++++++
 keys/hosts/porthos | 1 +
 keys/users/ambroisie | 1 +
 modules/secrets/secrets.nix | 13 ++----------
 4 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 keys/default.nix
 create mode 100644 keys/hosts/porthos
 create mode 100644 keys/users/ambroisie

diff --git a/keys/default.nix b/keys/default.nix
new file mode 100644
index 0000000..a538328
--- /dev/null
+++ b/keys/default.nix
@@ -0,0 +1,39 @@
+# Populate agenix keys from a central location
+let
+ inherit (builtins)
+ mapAttrs
+ readDir
+ readFile
+ stringLength
+ substring
+ ;
+
+ removeSuffix = suffix: str:
+ let
+ sufLen = stringLength suffix;
+ sLen = stringLength str;
+ in
+ if sufLen <= sLen && suffix == substring (sLen - sufLen) sufLen str then
+ substring 0 (sLen - sufLen) str
+ else
+ str;
+
+
+ readKeys = dir:
+ let
+ files = readDir dir;
+ readNoNewlines = f: removeSuffix "\n" (readFile f);
+ readKey = name: readNoNewlines (dir + "/${name}");
+ in
+ mapAttrs (n: _: readKey n) files;
+
+ hosts = readKeys ./hosts;
+ users = readKeys ./users;
+in
+{
+ inherit
+ hosts
+ users;
+
+ all = (builtins.attrValues hosts) ++ (builtins.attrValues users);
+}
diff --git a/keys/hosts/porthos b/keys/hosts/porthos
new file mode 100644
index 0000000..7156513
--- /dev/null
+++ b/keys/hosts/porthos
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGzznQ3LSmBYHx6fXthgMDiTcU5i/Nvj020SbmhzAFb root@porthos
diff --git a/keys/users/ambroisie b/keys/users/ambroisie
new file mode 100644
index 0000000..cf08a3c
--- /dev/null
+++ b/keys/users/ambroisie
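Review bot: In keys/default.nix, `readKeys` hands every entry that `readDir dir` returns to `readFile`, so a sub-directory or a stray non-key file under keys/hosts or keys/users either aborts evaluation or, if it happens to contain a valid public key, silently becomes a recipient of every secret that uses `all`. The entry type that `readDir` already provides is discarded in `mapAttrs (n: _: readKey n) files`; keeping only `"regular"` entries (symlinked keys would then have to be admitted explicitly) ties the recipient set to what was deliberately committed rather than to whatever lands in the directory. Separately, `removeSuffix "\n"` strips exactly one trailing newline, so a CRLF ending or an extra blank line at the end of a key file survives into the key string. A short comment on `all`, e.g. `# every host and user key; a secret with publicKeys = all is readable by all of them`, would document the current scope that the commit message says is meant to be narrowed later.
```nix
  readKeys = dir:
    let
      entries = readDir dir;
      # only regular files are keys; sub-directories and stray non-key files
      # are dropped here instead of being read (or encrypted to) blindly
      nonKeys = builtins.filter (n: entries.${n} != "regular") (builtins.attrNames entries);
      files = removeAttrs entries nonKeys;
      readNoNewlines = f: removeSuffix "\n" (readFile f);
      readKey = name: readNoNewlines (dir + "/${name}");
    in
    mapAttrs (n: _: readKey n) files;
  # … unchanged: inherit/removeSuffix above, hosts/users/all below …
```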
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIVd6Oh08iUNb1vTULbxGpevnh++wxsWW9wqhaDryIq ambroisie@agenix
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index c4f1f61..4ccb886 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -1,16 +1,7 @@
 let
- # FIXME: read them from directories
- ambroisie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIVd6Oh08iUNb1vTULbxGpevnh++wxsWW9wqhaDryIq ambroisie@agenix";
- users = [
- ambroisie
- ];
+ keys = import ../../keys;
- porthos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGzznQ3LSmBYHx6fXthgMDiTcU5i/Nvj020SbmhzAFb root@porthos";
- machines = [
- porthos
- ];
-
- all = users ++ machines;
+ inherit (keys) all;
 in
 {
 "acme/dns-key.age".publicKeys = all;