agenix/modules/age.nix

349 lines
10 KiB
Nix
Raw Normal View History

{
config,
options,
lib,
pkgs,
...
}:
with lib; let
2020-09-01 07:37:26 +03:00
cfg = config.age;
2023-02-20 15:47:48 +03:00
isDarwin = lib.attrsets.hasAttrByPath ["environment" "darwinConfig"] options;
2021-12-06 02:08:18 +03:00
ageBin = config.age.ageBin;
2020-09-01 07:37:26 +03:00
users = config.users.users;
sysusersEnabled =
if isDarwin
then false
else options.systemd ? sysusers && config.systemd.sysusers.enable;
mountCommand =
2023-01-30 19:18:56 +03:00
if isDarwin
then ''
2023-01-30 19:06:03 +03:00
if ! diskutil info "${cfg.secretsMountPoint}" &> /dev/null; then
num_sectors=1048576
dev=$(hdiutil attach -nomount ram://"$num_sectors" | sed 's/[[:space:]]*$//')
2023-01-30 19:06:59 +03:00
newfs_hfs -v agenix "$dev"
mount -t hfs -o nobrowse,nodev,nosuid,-m=0751 "$dev" "${cfg.secretsMountPoint}"
fi
''
else ''
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts ||
mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
'';
newGeneration = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}"
${mountCommand}
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
'';
chownGroup =
if isDarwin
then "admin"
else "keys";
# chown the secrets mountpoint and the current generation to the keys group
# instead of leaving it root:root.
chownMountPoint = ''
chown :${chownGroup} "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
'';
setTruePath = secretType: ''
${
if secretType.symlink
then ''
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
''
else ''
_truePath="${secretType.path}"
''
}
'';
installSecret = secretType: ''
${setTruePath secretType}
echo "decrypting '${secretType.file}' to '$_truePath'..."
TMP_FILE="$_truePath.tmp"
2023-02-07 23:38:59 +03:00
IDENTITIES=()
for identity in ${toString cfg.identityPaths}; do
test -r "$identity" || continue
test -s "$identity" || continue
2023-02-07 23:38:59 +03:00
IDENTITIES+=(-i)
IDENTITIES+=("$identity")
done
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
mkdir -p "$(dirname "$_truePath")"
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
2021-05-13 06:11:17 +03:00
(
umask u=r,g=,o=
test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
2023-02-07 23:38:59 +03:00
LANG=${config.i18n.defaultLocale or "C"} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
2021-05-13 06:11:17 +03:00
)
2020-09-03 06:49:24 +03:00
chmod ${secretType.mode} "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink ''
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''}
'';
2020-09-10 06:41:26 +03:00
testIdentities =
2023-01-31 00:21:42 +03:00
map
(path: ''
test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
'')
cfg.identityPaths;
cleanupAndLink = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
(( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
}
'';
installSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] decrypting secrets...'"]
++ testIdentities
++ (map installSecret (builtins.attrValues cfg.secrets))
++ [cleanupAndLink]
);
chownSecret = secretType: ''
${setTruePath secretType}
chown ${secretType.owner}:${secretType.group} "$_truePath"
'';
2020-09-10 06:41:26 +03:00
chownSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] chowning...'"]
++ [chownMountPoint]
++ (map chownSecret (builtins.attrValues cfg.secrets))
);
2020-09-01 07:37:26 +03:00
secretType = types.submodule ({config, ...}: {
2020-09-01 07:37:26 +03:00
options = {
name = mkOption {
type = types.str;
default = config._module.args.name;
defaultText = literalExpression "config._module.args.name";
2020-09-01 07:37:26 +03:00
description = ''
Name of the file used in {option}`age.secretsDir`
2020-09-01 07:37:26 +03:00
'';
};
file = mkOption {
type = types.path;
2020-09-01 07:37:26 +03:00
description = ''
Age file the secret is loaded from.
'';
};
path = mkOption {
2021-03-02 00:10:52 +03:00
type = types.str;
default = "${cfg.secretsDir}/${config.name}";
defaultText = literalExpression ''
"''${cfg.secretsDir}/''${config.name}"
'';
2021-03-02 00:10:52 +03:00
description = ''
Path where the decrypted secret is installed.
'';
};
2020-09-01 07:37:26 +03:00
mode = mkOption {
type = types.str;
default = "0400";
description = ''
2021-11-24 20:00:28 +03:00
Permissions mode of the decrypted secret in a format understood by chmod.
2020-09-01 07:37:26 +03:00
'';
};
owner = mkOption {
type = types.str;
default = "0";
2020-09-01 07:37:26 +03:00
description = ''
2021-11-24 20:00:28 +03:00
User of the decrypted secret.
2020-09-01 07:37:26 +03:00
'';
};
group = mkOption {
type = types.str;
default = users.${config.owner}.group or "0";
defaultText = literalExpression ''
users.''${config.owner}.group or "0"
'';
2020-09-01 07:37:26 +03:00
description = ''
2021-11-24 20:00:28 +03:00
Group of the decrypted secret.
2020-09-01 07:37:26 +03:00
'';
};
symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
2020-09-01 07:37:26 +03:00
};
});
in {
imports = [
(mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
];
2020-09-01 07:37:26 +03:00
options.age = {
2021-12-06 02:08:18 +03:00
ageBin = mkOption {
type = types.str;
default = "${pkgs.age}/bin/age";
defaultText = literalExpression ''
"''${pkgs.age}/bin/age"
'';
2021-12-06 02:08:18 +03:00
description = ''
The age executable to use.
'';
};
2020-09-01 07:37:26 +03:00
secrets = mkOption {
type = types.attrsOf secretType;
default = {};
2020-09-01 07:37:26 +03:00
description = ''
Attrset of secrets.
'';
};
secretsDir = mkOption {
type = types.path;
default = "/run/agenix";
description = ''
Folder where secrets are symlinked to
'';
};
secretsMountPoint = mkOption {
type =
types.addCheck types.str
(s:
(builtins.match "[ \t\n]*" s)
== null # non-empty
&& (builtins.match ".+/" s) == null) # without trailing slash
// {description = "${types.str.description} (with check: non-empty without trailing slash)";};
default = "/run/agenix.d";
description = ''
Where secrets are created before they are symlinked to {option}`age.secretsDir`
'';
};
identityPaths = mkOption {
type = types.listOf types.path;
2021-03-02 00:10:52 +03:00
default =
if (config.services.openssh.enable or false)
then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
else if isDarwin
then [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
]
else [];
defaultText = literalExpression ''
if (config.services.openssh.enable or false)
then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
else if isDarwin
then [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_rsa_key"
]
else [];
'';
description = ''
Path to SSH keys to be used as identities in age decryption.
'';
2020-09-01 07:37:26 +03:00
};
};
config = mkIf (cfg.secrets != {}) (mkMerge [
{
assertions = [
{
assertion = cfg.identityPaths != [];
message = "age.identityPaths must be set.";
}
];
}
(optionalAttrs (!isDarwin) {
# When using sysusers we no longer be started as an activation script
# because those are started in initrd while sysusers is started later.
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
wantedBy = ["sysinit.target"];
after = ["systemd-sysusers.service"];
unitConfig.DefaultDependencies = "no";
path = [pkgs.mount];
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "agenix-install" (
concatLines [
newGeneration
installSecrets
chownSecrets
]
);
RemainAfterExit = true;
};
};
# Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become
# invalid symlinks).
system.activationScripts = mkIf (!sysusersEnabled) {
agenixNewGeneration = {
text = newGeneration;
deps = [
"specialfs"
];
};
agenixInstall = {
text = installSecrets;
deps = [
"agenixNewGeneration"
"specialfs"
];
};
2021-09-10 21:20:54 +03:00
# So user passwords can be encrypted.
users.deps = ["agenixInstall"];
2021-09-10 21:20:54 +03:00
# Change ownership and group after users and groups are made.
agenixChown = {
text = chownSecrets;
deps = [
"users"
"groups"
];
};
# So other activation scripts can depend on agenix being done.
agenix = {
text = "";
deps = ["agenixChown"];
};
};
})
(optionalAttrs isDarwin {
launchd.daemons.activate-agenix = {
script = ''
set -e
set -o pipefail
export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
${newGeneration}
${installSecrets}
${chownSecrets}
exit 0
'';
2023-01-31 00:21:42 +03:00
serviceConfig = {
RunAtLoad = true;
KeepAlive.SuccessfulExit = false;
};
};
})
]);
2020-09-01 07:37:26 +03:00
}