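# agenix secrets.nix: for every `secrets/<tenant>/<name>.age` file, the list of
# age/SSH public keys that may decrypt it. Only recipients are declared here;
# the encrypted material lives in the .age files. Editing a recipient list does
# not re-encrypt the existing files, so rekey them afterwards.
let
  keys = import common/ssh-keys.nix;

  inherit (keys) machines;

  # Keys that are added to *every* secret of a tenant, on top of the
  # per-secret machine keys.
  #
  # WARNING: `keys.users.*` are *lists*, so you need to concatenate them, don't
  # put them into lists! Otherwise, agenix will be confused!
  commonKeys = {
    # `global` is unioned into every tenant's secrets in mkSecretListFor below,
    # so this user can decrypt both tenants' secrets. Keep it minimal.
    global = keys.users.raito;
    lix = keys.users.hexchen ++ keys.users.jade;
    floral = keys.users.delroth;
  };

  # The Buildbot secrets are the same set for both tenants; only the host that
  # may decrypt them differs. Declaring them once keeps the two tenants from
  # drifting apart (previously the list was copied verbatim per tenant).
  buildbotSecretsFor = host: {
    buildbot-worker-password = [ host ];
    buildbot-oauth-secret = [ host ];
    buildbot-workers = [ host ];
    # Private SSH key to Gerrit; its public half (for identification only) is
    # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx52RUPWzTa2rBA96xcnGjjzAboNN/hm6gW+Q6JiSos
    buildbot-service-key = [ host ];
    # Signing key for Buildbot's specific cache
    buildbot-signing-key = [ host ];
    buildbot-remote-builder-key = [ host ];
  };

  # tenant -> secret name -> machine keys that may decrypt that secret.
  # A new tenant added here also needs an entry in `commonKeys`, otherwise
  # evaluation fails (loudly, on purpose) instead of silently dropping it.
  secrets = {
    floral = buildbotSecretsFor machines.buildbot // {
      hydra-postgres-key = [ machines.build-coord ];
      hydra-s3-credentials = [ machines.build-coord ];
      hydra-signing-priv = [ machines.build-coord ];
      hydra-ssh-key-priv = [ machines.build-coord ];

      netbox-environment = [ machines.meta01 ];
      mimir-environment = [ machines.meta01 ];
      mimir-webhook-url = [ machines.meta01 ];
      grafana-oauth-secret = [ machines.meta01 ];
      loki-environment = [ machines.meta01 ];
      gerrit-prometheus-bearer-token = [ machines.gerrit01 machines.meta01 ];
      pyroscope-secrets = [ machines.meta01 ];
      tempo-environment = [ machines.meta01 ];

      # These are the same password, but nginx wants it in htpasswd format
      metrics-push-htpasswd = [ machines.meta01 ];
      # Yes, even Lix machines are included in this monitoring infrastructure.
      # Every machine key in ssh-keys.nix can decrypt this one, so a compromise
      # of any single host exposes it; keep it usable for metrics push only.
      metrics-push-password = builtins.attrValues machines;

      ows-deploy-key = [ machines.gerrit01 ];
      s3-channel-staging-keys = [ machines.gerrit01 ];
      s3-channel-keys = [ machines.gerrit01 ];

      postgres-ca-priv = [ machines.bagel-box ];
      postgres-tls-priv = [ machines.bagel-box ];
      rabbitmq-password = [ machines.bagel-box ];
      gerrit-event-listener-ssh-key = [ machines.bagel-box ];

      newsletter-secrets = [ machines.public01 ];
      s3-revproxy-api-keys = [ machines.public01 ];
      stateless-uptime-kuma-password = [ machines.public01 ];

      openbao-auth-token-bagel-box = [ machines.bagel-box ];
    };

    lix = buildbotSecretsFor machines.buildbot-lix;
  };

  # Turn one tenant's secret table into the `{ name; value }` pairs that
  # `builtins.listToAttrs` (and hence agenix) expects. The recipients of each
  # secret are its own machine keys, plus `commonKeys.global`, plus the
  # tenant's own `commonKeys` entry.
  mkSecretListFor = tenant:
    builtins.map (secretName: {
      name = "secrets/${tenant}/${secretName}.age";
      value.publicKeys =
        secrets.${tenant}.${secretName}
        ++ commonKeys.global
        ++ commonKeys.${tenant};
    }) (builtins.attrNames secrets.${tenant});
in
# Enumerate the tenants from `secrets` itself so that a tenant declared above
# can never be left out of the generated attribute set by mistake.
builtins.listToAttrs (builtins.concatMap mkSecretListFor (builtins.attrNames secrets))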