# https://github.com/TUM-DSE/doctor-cluster-config/blob/8c11c117e66af1cc205eb2094ab94e8a3317ff2e/sops.yaml.nix
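let
  # Public age keys, grouped into `admins` and `hosts`, read from the
  # sops.json that lives next to this file.
  keys = builtins.fromJSON (builtins.readFile ./sops.json);
  # Every admin key is appended to every creation rule rendered below.
  admins = builtins.attrValues keys.admins;

  # Minimal stand-in for lib.mapAttrsToList: this file is evaluated
  # without nixpkgs, so only builtins are available.
  mapAttrsToList = f: attrs: map (name: f name attrs.${name}) (builtins.attrNames attrs);

  # sops treats `path_regex` as a regular expression, so the literal `.` in
  # names such as secrets.yaml must be escaped; an unescaped `.` would also
  # match any other single character at that position.
  escapeRegex = path: builtins.replaceStrings [ "." ] [ "\\." ] path;

  # Turn `{ "<path>" = [ <age keys> ]; }` into the sops creation_rules list:
  # each path is anchored with ^…$ and the admin keys are added to every rule.
  renderPermissions =
    attrs:
    mapAttrsToList (path: recipientKeys: {
      path_regex = "^${escapeRegex path}$";
      key_groups = [
        {
          age = recipientKeys ++ admins;
        }
      ];
    }) attrs;

  # This is the list of permissions per file. The admins have permissions for all files.
  sopsPermissions =
    {
      # Admin-only files: no host key is added.
      "secrets.yaml" = [ ];
      "terraform/secrets.yaml" = [ ];
    }
    # Shared secrets: host names are resolved to age keys via keys.hosts, so a
    # host name missing from sops.json fails evaluation instead of being dropped.
    // builtins.mapAttrs (_: hostNames: map (host: keys.hosts.${host}) hostNames) {
      "modules/secrets/backup.yaml" = [
        "build02"
        "build03"
        "web02"
      ];
      "modules/secrets/community-builder.yaml" = [
        "build01"
        "build05"
        "darwin01"
      ];
      "modules/secrets/hercules-ci.yaml" = [
        "build03"
        "build04"
        "darwin02"
      ];
    }
    # Per-host secrets: each host receives only its own file.
    // builtins.listToAttrs (
      mapAttrsToList (hostname: key: {
        name = "hosts/${hostname}/secrets.yaml";
        value = [ key ];
      }) keys.hosts
    );
in
{
  creation_rules = renderPermissions sopsPermissions;
}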