let
  keys = import common/ssh-keys.nix;
  inherit (keys) machines;

  # Operator (human) keys added to every secret: `global` goes on all secrets,
  # the tenant entry goes on that tenant's secrets only.
  # WARNING: `keys.users.*` are *lists*, so they must be concatenated with `++`,
  # never wrapped in another list — agenix will be confused otherwise!
  commonKeys = {
    global = keys.users.raito;
    lix = keys.users.hexchen ++ keys.users.jade;
    floral = keys.users.delroth;
  };

  # Machine recipients per tenant and secret. Each value is the list of machine
  # host keys that can decrypt `secrets/<tenant>/<name>.age`. Keep every entry
  # to the smallest set of hosts that actually needs the secret.
  secrets = {
    floral = {
      hydra-postgres-key = [ machines.build-coord ];
      hydra-s3-credentials = [ machines.build-coord ];
      hydra-signing-priv = [ machines.build-coord ];
      hydra-ssh-key-priv = [ machines.build-coord ];

      netbox-environment = [ machines.meta01 ];
      mimir-environment = [ machines.meta01 ];
      mimir-webhook-url = [ machines.meta01 ];
      grafana-oauth-secret = [ machines.meta01 ];
      loki-environment = [ machines.meta01 ];
      # Decryptable on both the scrape target and the scraper.
      gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
      pyroscope-secrets = [ machines.meta01 ];
      tempo-environment = [ machines.meta01 ];

      buildbot-worker-password = [ machines.buildbot ];
      buildbot-oauth-secret = [ machines.buildbot ];
      buildbot-workers = [ machines.buildbot ];
      # Private SSH key to Gerrit
      # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
      # NOTE(review): the same public key is listed under `lix` below — confirm
      # the two tenants really use distinct private keys.
      buildbot-service-key = [ machines.buildbot ];
      # Signing key for Buildbot's specific cache
      buildbot-signing-key = [ machines.buildbot ];
      buildbot-remote-builder-key = [ machines.buildbot ];

      # These are the same password, but nginx wants it in htpasswd format
      metrics-push-htpasswd = [ machines.meta01 ];
      # Yes, even Lix machines are included in this monitoring infrastructure.
      # This secret is encrypted to *every* machine key, so any single
      # compromised host can push metrics; rotate it if a host is lost.
      metrics-push-password = builtins.attrValues machines;

      ows-deploy-key = [ machines.gerrit01 ];
      s3-channel-staging-keys = [ machines.gerrit01 ];
      s3-channel-keys = [ machines.gerrit01 ];

      postgres-ca-priv = [ machines.bagel-box ];
      postgres-tls-priv = [ machines.bagel-box ];
      rabbitmq-password = [ machines.bagel-box ];
      gerrit-event-listener-ssh-key = [ machines.bagel-box ];

      newsletter-secrets = [ machines.public01 ];
      s3-revproxy-api-keys = [ machines.public01 ];
      stateless-uptime-kuma-password = [ machines.public01 ];
    };

    lix = {
      buildbot-worker-password = [ machines.buildbot-lix ];
      buildbot-oauth-secret = [ machines.buildbot-lix ];
      buildbot-workers = [ machines.buildbot-lix ];
      # Private SSH key to Gerrit
      # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
      buildbot-service-key = [ machines.buildbot-lix ];
      # Signing key for Buildbot's specific cache
      buildbot-signing-key = [ machines.buildbot-lix ];
      buildbot-remote-builder-key = [ machines.buildbot-lix ];
    };
  };

  # Full recipient list for one secret: its machines, the global operator
  # keys, and the tenant's operator keys.
  recipientsFor = tenant: secretName:
    secrets.${tenant}.${secretName} ++ commonKeys.global ++ commonKeys.${tenant};

  # Attribute set `{ "secrets/<tenant>/<name>.age" = { publicKeys = [ ... ]; }; }`
  # covering every secret declared for `tenant`.
  tenantSecrets = tenant:
    builtins.listToAttrs (builtins.map (secretName: {
      name = "secrets/${tenant}/${secretName}.age";
      value = { publicKeys = recipientsFor tenant secretName; };
    }) (builtins.attrNames secrets.${tenant}));
in
  # Paths are prefixed by tenant, so the two sets never collide on merge.
  tenantSecrets "floral" // tenantSecrets "lix"