2020-09-01 07:37:26 +03:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.age;
|
2021-03-02 00:11:02 +03:00
|
|
|
|
|
|
|
# we need at least rage 0.5.0 to support ssh keys
|
|
|
|
rage =
|
|
|
|
if lib.versionOlder pkgs.rage.version "0.5.0"
|
2021-03-16 20:28:00 +03:00
|
|
|
then pkgs.callPackage ../pkgs/rage.nix { }
|
2021-03-02 00:11:02 +03:00
|
|
|
else pkgs.rage;
|
2020-09-18 21:59:01 +03:00
|
|
|
ageBin = "${rage}/bin/rage";
|
|
|
|
|
2020-09-01 07:37:26 +03:00
|
|
|
users = config.users.users;
|
|
|
|
|
2020-09-02 00:29:37 +03:00
|
|
|
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
|
2020-09-02 00:27:54 +03:00
|
|
|
installSecret = secretType: ''
|
2020-11-21 03:28:37 +03:00
|
|
|
echo "decrypting ${secretType.file} to ${secretType.path}..."
|
2020-09-03 06:49:24 +03:00
|
|
|
TMP_FILE="${secretType.path}.tmp"
|
2020-11-21 03:28:37 +03:00
|
|
|
mkdir -p $(dirname ${secretType.path})
|
2021-02-26 02:16:28 +03:00
|
|
|
(umask 0400; LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
|
2020-09-03 06:49:24 +03:00
|
|
|
chmod ${secretType.mode} "$TMP_FILE"
|
|
|
|
chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
|
|
|
|
mv -f "$TMP_FILE" '${secretType.path}'
|
2020-09-02 00:27:54 +03:00
|
|
|
'';
|
2020-09-10 06:41:26 +03:00
|
|
|
|
|
|
|
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets);
|
2021-03-02 00:10:52 +03:00
|
|
|
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
|
2020-09-10 06:41:26 +03:00
|
|
|
|
2020-12-22 07:34:35 +03:00
|
|
|
nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets);
|
2021-03-02 00:10:52 +03:00
|
|
|
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
|
2020-09-01 07:37:26 +03:00
|
|
|
|
|
|
|
secretType = types.submodule ({ config, ... }: {
|
|
|
|
options = {
|
|
|
|
name = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = config._module.args.name;
|
|
|
|
description = ''
|
|
|
|
Name of the file used in /run/secrets
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
file = mkOption {
|
2020-09-03 21:24:33 +03:00
|
|
|
type = types.path;
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
|
|
|
Age file the secret is loaded from.
|
|
|
|
'';
|
|
|
|
};
|
2020-09-03 21:24:33 +03:00
|
|
|
path = mkOption {
|
2021-03-02 00:10:52 +03:00
|
|
|
type = types.str;
|
|
|
|
default = "/run/secrets/${config.name}";
|
|
|
|
description = ''
|
|
|
|
Path where the decrypted secret is installed.
|
|
|
|
'';
|
|
|
|
};
|
2020-09-01 07:37:26 +03:00
|
|
|
mode = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "0400";
|
|
|
|
description = ''
|
|
|
|
Permissions mode of the in octal.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
owner = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "root";
|
|
|
|
description = ''
|
|
|
|
User of the file.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
group = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = users.${config.owner}.group;
|
|
|
|
description = ''
|
|
|
|
Group of the file.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
});
|
2021-03-02 00:10:52 +03:00
|
|
|
in
|
|
|
|
{
|
2020-09-01 07:37:26 +03:00
|
|
|
options.age = {
|
|
|
|
secrets = mkOption {
|
|
|
|
type = types.attrsOf secretType;
|
2021-03-02 00:10:52 +03:00
|
|
|
default = { };
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
|
|
|
Attrset of secrets.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
sshKeyPaths = mkOption {
|
|
|
|
type = types.listOf types.path;
|
2021-03-02 00:10:52 +03:00
|
|
|
default =
|
|
|
|
if config.services.openssh.enable then
|
|
|
|
map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
|
|
|
|
else [ ];
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
2020-09-03 21:24:33 +03:00
|
|
|
Path to SSH keys to be used as identities in age decryption.
|
2020-09-01 07:37:26 +03:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
2021-03-02 00:10:52 +03:00
|
|
|
config = mkIf (cfg.secrets != { }) {
|
2020-09-01 07:37:26 +03:00
|
|
|
assertions = [{
|
2021-03-02 00:10:52 +03:00
|
|
|
assertion = cfg.sshKeyPaths != [ ];
|
2020-09-03 21:24:33 +03:00
|
|
|
message = "age.sshKeyPaths must be set.";
|
|
|
|
}];
|
2020-09-01 07:37:26 +03:00
|
|
|
|
2020-09-10 06:41:26 +03:00
|
|
|
# Secrets with root owner and group can be installed before users
|
|
|
|
# exist. This allows user password files to be encrypted.
|
|
|
|
system.activationScripts.agenixRoot = installRootOwnedSecrets;
|
|
|
|
system.activationScripts.users.deps = [ "agenixRoot" ];
|
|
|
|
|
|
|
|
# Other secrets need to wait for users and groups to exist.
|
|
|
|
system.activationScripts.agenix = stringAfter [ "users" "groups" ] installNonRootSecrets;
|
2020-09-01 07:37:26 +03:00
|
|
|
};
|
|
|
|
}
|