agenix/modules/age.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.age;
  rage = pkgs.callPackage ../pkgs/rage.nix {};
  ageBin = "${rage}/bin/rage";

  users = config.users.users;

  identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
  installSecret = secretType: ''
    echo "decrypting ${secretType.file} to ${secretType.path}..."
    TMP_FILE="${secretType.path}.tmp"
    mkdir -p $(dirname ${secretType.path})
    (umask 0400; LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
    chmod ${secretType.mode} "$TMP_FILE"
    chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
    mv -f "$TMP_FILE" '${secretType.path}'
  '';

  rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
  installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));

  nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
  installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));

  secretType = types.submodule ({ config, ... }: {
    options = {
      name = mkOption {
        type = types.str;
        default = config._module.args.name;
        description = ''
          Name of the file used in /run/secrets
        '';
      };
      file = mkOption {
        type = types.path;
        description = ''
          Age file the secret is loaded from.
        '';
      };
      path = mkOption {
        type = types.str;
        default = "/run/secrets/${config.name}";
        description = ''
          Path where the decrypted secret is installed.
        '';
      };
      mode = mkOption {
        type = types.str;
        default = "0400";
        description = ''
          Permissions mode of the in octal.
        '';
      };
      owner = mkOption {
        type = types.str;
        default = "root";
        description = ''
          User of the file.
        '';
      };
      group = mkOption {
        type = types.str;
        default = users.${config.owner}.group;
        description = ''
          Group of the file.
        '';
      };
    };
  });
in
{
  options.age = {
    secrets = mkOption {
      type = types.attrsOf secretType;
      default = { };
      description = ''
        Attrset of secrets.
      '';
    };
    sshKeyPaths = mkOption {
      type = types.listOf types.path;
      default =
        if config.services.openssh.enable then
          map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
        else [ ];
      description = ''
        Path to SSH keys to be used as identities in age decryption.
      '';
    };
  };
  config = mkIf (cfg.secrets != { }) {
    assertions = [{
      assertion = cfg.sshKeyPaths != [ ];
      message = "age.sshKeyPaths must be set.";
    }];

    # Secrets with root owner and group can be installed before users
    # exist. This allows user password files to be encrypted.
    system.activationScripts.agenixRoot = installRootOwnedSecrets;
    system.activationScripts.users.deps = [ "agenixRoot" ];

    # Other secrets need to wait for users and groups to exist.
    system.activationScripts.agenix = stringAfter [ "users" "groups" ] installNonRootSecrets;
  };
}
initial prototype 2020-09-01 07:37:26 +03:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`cfg = config.age;`
use unstable verison of rage in place of age * age limits the number of recipients to 20 * the latest release of rage (0.4.0) doesn't work with ssh-rsa keys 2020-09-18 21:59:01 +03:00			`rage = pkgs.callPackage ../pkgs/rage.nix {};`
			`ageBin = "${rage}/bin/rage";`

initial prototype 2020-09-01 07:37:26 +03:00			`users = config.users.users;`

move identities definition to top too 2020-09-02 00:29:37 +03:00			`identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);`
move installation instructions to top they are the most important part for someone to review 2020-09-02 00:27:54 +03:00			`installSecret = secretType: ''`
more messages while activationscript run & make sure directory exists before decrypting 2020-11-21 03:28:37 +03:00			`echo "decrypting ${secretType.file} to ${secretType.path}..."`
add flake 2020-09-03 06:49:24 +03:00			`TMP_FILE="${secretType.path}.tmp"`
more messages while activationscript run & make sure directory exists before decrypting 2020-11-21 03:28:37 +03:00			`mkdir -p $(dirname ${secretType.path})`
modules/age: set LANG rage has a localization crate as a dependency that whines when LANG is unset. 2021-02-26 02:16:28 +03:00			`(umask 0400; LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")`
add flake 2020-09-03 06:49:24 +03:00			`chmod ${secretType.mode} "$TMP_FILE"`
			`chown ${secretType.owner}:${secretType.group} "$TMP_FILE"`
			`mv -f "$TMP_FILE" '${secretType.path}'`
move installation instructions to top they are the most important part for someone to review 2020-09-02 00:27:54 +03:00			`'';`
install root owned secrets sooner 2020-09-10 06:41:26 +03:00
			`rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));`
install root owned secrets sooner 2020-09-10 06:41:26 +03:00
correctly list non-root secrets Secrets that are only partly owned by root (i.e. either user or group are not 'root') are now accounted for during activation. 2020-12-22 07:34:35 +03:00			`nonRootSecrets = builtins.filter (st: st.owner != "root" \|\| st.group != "root") (builtins.attrValues cfg.secrets);`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));`
initial prototype 2020-09-01 07:37:26 +03:00
			`secretType = types.submodule ({ config, ... }: {`
			`options = {`
			`name = mkOption {`
			`type = types.str;`
			`default = config._module.args.name;`
			`description = ''`
			`Name of the file used in /run/secrets`
			`'';`
			`};`
			`file = mkOption {`
add flake and default .nix files; add agenix command 2020-09-03 21:24:33 +03:00			`type = types.path;`
initial prototype 2020-09-01 07:37:26 +03:00			`description = ''`
			`Age file the secret is loaded from.`
			`'';`
			`};`
add flake and default .nix files; add agenix command 2020-09-03 21:24:33 +03:00			`path = mkOption {`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`type = types.str;`
			`default = "/run/secrets/${config.name}";`
			`description = ''`
			`Path where the decrypted secret is installed.`
			`'';`
			`};`
initial prototype 2020-09-01 07:37:26 +03:00			`mode = mkOption {`
			`type = types.str;`
			`default = "0400";`
			`description = ''`
			`Permissions mode of the in octal.`
			`'';`
			`};`
			`owner = mkOption {`
			`type = types.str;`
			`default = "root";`
			`description = ''`
			`User of the file.`
			`'';`
			`};`
			`group = mkOption {`
			`type = types.str;`
			`default = users.${config.owner}.group;`
			`description = ''`
			`Group of the file.`
			`'';`
			`};`
			`};`
			`});`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`in`
			`{`
initial prototype 2020-09-01 07:37:26 +03:00			`options.age = {`
			`secrets = mkOption {`
			`type = types.attrsOf secretType;`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`default = { };`
initial prototype 2020-09-01 07:37:26 +03:00			`description = ''`
			`Attrset of secrets.`
			`'';`
			`};`
			`sshKeyPaths = mkOption {`
			`type = types.listOf types.path;`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`default =`
			`if config.services.openssh.enable then`
			`map (e: e.path) (lib.filter (e: e.type == "rsa" \|\| e.type == "ed25519") config.services.openssh.hostKeys)`
			`else [ ];`
initial prototype 2020-09-01 07:37:26 +03:00			`description = ''`
add flake and default .nix files; add agenix command 2020-09-03 21:24:33 +03:00			`Path to SSH keys to be used as identities in age decryption.`
initial prototype 2020-09-01 07:37:26 +03:00			`'';`
			`};`
			`};`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`config = mkIf (cfg.secrets != { }) {`
initial prototype 2020-09-01 07:37:26 +03:00			`assertions = [{`
modules/age: nixpkgs-fmt 2021-03-02 00:10:52 +03:00			`assertion = cfg.sshKeyPaths != [ ];`
add flake and default .nix files; add agenix command 2020-09-03 21:24:33 +03:00			`message = "age.sshKeyPaths must be set.";`
			`}];`
initial prototype 2020-09-01 07:37:26 +03:00
install root owned secrets sooner 2020-09-10 06:41:26 +03:00			`# Secrets with root owner and group can be installed before users`
			`# exist. This allows user password files to be encrypted.`
			`system.activationScripts.agenixRoot = installRootOwnedSecrets;`
			`system.activationScripts.users.deps = [ "agenixRoot" ];`

			`# Other secrets need to wait for users and groups to exist.`
			`system.activationScripts.agenix = stringAfter [ "users" "groups" ] installNonRootSecrets;`
initial prototype 2020-09-01 07:37:26 +03:00			`};`
			`}`