agenix/modules/age.nix

288 lines
9.6 KiB
Nix
Raw Normal View History

2021-09-10 21:20:54 +03:00
{ config, options, lib, pkgs, ... }:
2020-09-01 07:37:26 +03:00
with lib;
let
cfg = config.age;
# we need at least rage 0.5.0 to support ssh keys
rage =
if lib.versionOlder pkgs.rage.version "0.5.0"
2021-03-16 20:28:00 +03:00
then pkgs.callPackage ../pkgs/rage.nix { }
else pkgs.rage;
2021-12-06 02:08:18 +03:00
ageBin = config.age.ageBin;
2020-09-01 07:37:26 +03:00
users = config.users.users;
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);
installSecret = secretType: ''
${if secretType.symlink then ''
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
'' else ''
_truePath="${secretType.path}"
''}
${if secretType.file != null then ''
echo "decrypting '${secretType.file}' to '$_truePath'..."
'' else ''
echo "applying template ${secretType.template} to '$_truePath'..."
''}
TMP_FILE="$_truePath.tmp"
mkdir -p "$(dirname "$_truePath")"
[ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
${if secretType.file != null then ''
(
umask u=r,g=,o=
LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
)
'' else ''
${pkgs.perl}/bin/perl -pe '${
lib.concatStringsSep "; "
(map (s:
''$match=q[@${s.name}@];'' +
''$replace=substr(qx[cat ${s.path}], 0, -1);'' +
''s/$match/$replace/ge'') secretType.secrets)
}' ${secretType.template} > "$TMP_FILE"
''}
2020-09-03 06:49:24 +03:00
chmod ${secretType.mode} "$TMP_FILE"
chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink ''
[ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
''}
'';
2020-09-10 06:41:26 +03:00
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
isNotRootSecret = st: !(isRootSecret st);
rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
2021-03-02 00:10:52 +03:00
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
2020-09-10 06:41:26 +03:00
nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
2021-03-02 00:10:52 +03:00
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
2020-09-01 07:37:26 +03:00
secretType = types.submodule ({ config, ... }: {
options = {
name = mkOption {
type = types.str;
default = config._module.args.name;
description = ''
Name of the file used in /run/agenix
2020-09-01 07:37:26 +03:00
'';
};
file = mkOption {
type = types.nullOr types.path;
default = null;
2020-09-01 07:37:26 +03:00
description = ''
Age file the secret is loaded from.
'';
};
path = mkOption {
2021-03-02 00:10:52 +03:00
type = types.str;
default = "/run/agenix/${config.name}";
2021-03-02 00:10:52 +03:00
description = ''
Path where the decrypted secret is installed.
'';
};
2020-09-01 07:37:26 +03:00
mode = mkOption {
type = types.str;
default = "0400";
description = ''
2021-11-24 20:00:28 +03:00
Permissions mode of the decrypted secret in a format understood by chmod.
2020-09-01 07:37:26 +03:00
'';
};
owner = mkOption {
type = types.str;
default = "0";
2020-09-01 07:37:26 +03:00
description = ''
2021-11-24 20:00:28 +03:00
User of the decrypted secret.
2020-09-01 07:37:26 +03:00
'';
};
group = mkOption {
type = types.str;
default = users.${config.owner}.group or "0";
2020-09-01 07:37:26 +03:00
description = ''
2021-11-24 20:00:28 +03:00
Group of the decrypted secret.
2020-09-01 07:37:26 +03:00
'';
};
action = mkOption {
type = types.str;
default = "";
description = "A script to run when secret is updated.";
};
2022-01-18 16:51:45 +03:00
services = mkOption {
type = types.listOf types.str;
default = [];
description = "The systemd services that uses this secret. Will be restarted when the secret changes.";
example = "[ wireguard-wg0 ]";
};
template = mkOption {
type = types.nullOr types.path;
default = null;
description = "A template to insert other secrets into.";
example = ''builtins.toFile "secret-template" "@secret1@ @secret2@"'';
};
secrets = mkOption {
type = types.listOf secretType;
default = [];
description = "A list of secrets available to the template.";
example = ''with config.age.secrets; [ secret1 secret2 ]'';
};
symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
2020-09-01 07:37:26 +03:00
};
});
2021-03-02 00:10:52 +03:00
in
{
imports = [
(mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
];
2020-09-01 07:37:26 +03:00
options.age = {
2021-12-06 02:08:18 +03:00
ageBin = mkOption {
type = types.str;
default = "${rage}/bin/rage";
description = ''
The age executable to use.
'';
};
2020-09-01 07:37:26 +03:00
secrets = mkOption {
type = types.attrsOf secretType;
2021-03-02 00:10:52 +03:00
default = { };
2020-09-01 07:37:26 +03:00
description = ''
Attrset of secrets.
'';
};
secretsMountPoint = mkOption {
type = types.addCheck types.str
(s:
(builtins.match "[ \t\n]*" s) == null # non-empty
&& (builtins.match ".+/" s) == null) # without trailing slash
// { description = "${types.str.description} (with check: non-empty without trailing slash)"; };
default = "/run/agenix.d";
description = ''
Where secrets are created before they are symlinked to /run/agenix
'';
};
identityPaths = mkOption {
2020-09-01 07:37:26 +03:00
type = types.listOf types.path;
2021-03-02 00:10:52 +03:00
default =
if config.services.openssh.enable then
map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
else [ ];
2020-09-01 07:37:26 +03:00
description = ''
Path to SSH keys to be used as identities in age decryption.
2020-09-01 07:37:26 +03:00
'';
};
};
config = mkIf (cfg.secrets != { }) {
assertions = [{
assertion = cfg.identityPaths != [ ];
message = "age.identityPaths must be set.";
}] ++ lib.mapAttrsToList (name: {template, file, ...}: {
assertion = (template == null && file != null) ||
(template != null && file == null);
message = ''
You must specify either `file` or `template` for age.secrets.${name}, but not both.
'';
}) cfg.secrets;
2020-09-10 06:41:26 +03:00
# Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become
# invalid symlinks).
system.activationScripts.agenixMountSecrets = {
text = ''
_agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
(( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
}
'';
deps = [
"specialfs"
];
};
# Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted.
system.activationScripts.agenixRoot = {
text = installRootOwnedSecrets;
deps = [ "agenixMountSecrets" "specialfs" ];
};
system.activationScripts.users.deps = [ "agenixRoot" ];
2021-09-10 21:20:54 +03:00
# chown the secrets mountpoint and the current generation to the keys group
# instead of leaving it root:root.
system.activationScripts.agenixChownKeys = {
text = ''
chown :keys "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
'';
deps = [
"users"
"groups"
"agenixMountSecrets"
];
};
2021-09-10 21:20:54 +03:00
# Other secrets need to wait for users and groups to exist.
system.activationScripts.agenix = {
text = installNonRootSecrets;
deps = [
"users"
"groups"
"specialfs"
"agenixMountSecrets"
"agenixChownKeys"
];
};
systemd.services = lib.mkMerge
(lib.mapAttrsToList
(name: {action, services, file, template, secrets, path, mode, owner, group, ...}:
let
hashedFiles = map (builtins.hashFile "sha256")
([ file ] ++ (map ({ file, ... }: file) secrets));
restartTriggers = hashedFiles ++ [ template path mode owner group ];
in
lib.mkMerge [
2022-01-18 16:51:45 +03:00
(lib.genAttrs services (_: { inherit restartTriggers; }))
(lib.mkIf (action != "") {
"agenix-${name}-action" = {
inherit restartTriggers;
# We execute the action on reload so that it doesn't happen at
# startup. The only disadvantage is that it won't trigger the
# first time the service is created.
reload = action;
reloadIfChanged = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = " "; # systemd complains if we only set ExecReload
# Give it a reason for starting
wantedBy = [ "multi-user.target" ];
};
2022-01-18 16:51:45 +03:00
})
]) cfg.secrets);
};
2021-09-10 21:20:54 +03:00
2020-09-01 07:37:26 +03:00
}