2021-09-10 21:20:54 +03:00
|
|
|
{ config, options, lib, pkgs, ... }:
|
2020-09-01 07:37:26 +03:00
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.age;
|
2021-03-02 00:11:02 +03:00
|
|
|
|
|
|
|
# we need at least rage 0.5.0 to support ssh keys
|
|
|
|
rage =
|
|
|
|
if lib.versionOlder pkgs.rage.version "0.5.0"
|
2021-03-16 20:28:00 +03:00
|
|
|
then pkgs.callPackage ../pkgs/rage.nix { }
|
2021-03-02 00:11:02 +03:00
|
|
|
else pkgs.rage;
|
2021-12-06 02:08:18 +03:00
|
|
|
ageBin = config.age.ageBin;
|
2020-09-18 21:59:01 +03:00
|
|
|
|
2020-09-01 07:37:26 +03:00
|
|
|
users = config.users.users;
|
|
|
|
|
2021-12-06 03:05:06 +03:00
|
|
|
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);
|
2020-09-02 00:27:54 +03:00
|
|
|
installSecret = secretType: ''
|
2021-11-08 20:45:34 +03:00
|
|
|
${if secretType.symlink then ''
|
|
|
|
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
|
|
|
|
'' else ''
|
|
|
|
_truePath="${secretType.path}"
|
|
|
|
''}
|
2021-02-25 13:23:15 +03:00
|
|
|
echo "decrypting '${secretType.file}' to '$_truePath'..."
|
|
|
|
TMP_FILE="$_truePath.tmp"
|
|
|
|
mkdir -p "$(dirname "$_truePath")"
|
2022-01-07 00:55:10 +03:00
|
|
|
[ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
|
2021-05-13 06:11:17 +03:00
|
|
|
(
|
|
|
|
umask u=r,g=,o=
|
|
|
|
LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
|
|
|
|
)
|
2020-09-03 06:49:24 +03:00
|
|
|
chmod ${secretType.mode} "$TMP_FILE"
|
|
|
|
chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
|
2021-02-25 13:23:15 +03:00
|
|
|
mv -f "$TMP_FILE" "$_truePath"
|
2021-11-08 20:45:34 +03:00
|
|
|
|
|
|
|
${optionalString secretType.symlink ''
|
|
|
|
[ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
|
|
|
|
''}
|
2020-09-02 00:27:54 +03:00
|
|
|
'';
|
2020-09-10 06:41:26 +03:00
|
|
|
|
2021-05-10 00:18:20 +03:00
|
|
|
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
|
|
|
|
isNotRootSecret = st: !(isRootSecret st);
|
|
|
|
|
|
|
|
rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
|
2021-03-02 00:10:52 +03:00
|
|
|
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
|
2020-09-10 06:41:26 +03:00
|
|
|
|
2021-05-10 00:18:20 +03:00
|
|
|
nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
|
2021-03-02 00:10:52 +03:00
|
|
|
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
|
2020-09-01 07:37:26 +03:00
|
|
|
|
|
|
|
secretType = types.submodule ({ config, ... }: {
|
|
|
|
options = {
|
|
|
|
name = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = config._module.args.name;
|
|
|
|
description = ''
|
2021-11-08 20:50:20 +03:00
|
|
|
Name of the file used in /run/agenix
|
2020-09-01 07:37:26 +03:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
file = mkOption {
|
2020-09-03 21:24:33 +03:00
|
|
|
type = types.path;
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
|
|
|
Age file the secret is loaded from.
|
|
|
|
'';
|
|
|
|
};
|
2020-09-03 21:24:33 +03:00
|
|
|
path = mkOption {
|
2021-03-02 00:10:52 +03:00
|
|
|
type = types.str;
|
2021-11-08 20:50:20 +03:00
|
|
|
default = "/run/agenix/${config.name}";
|
2021-03-02 00:10:52 +03:00
|
|
|
description = ''
|
|
|
|
Path where the decrypted secret is installed.
|
|
|
|
'';
|
|
|
|
};
|
2020-09-01 07:37:26 +03:00
|
|
|
mode = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "0400";
|
|
|
|
description = ''
|
2021-11-24 20:00:28 +03:00
|
|
|
Permissions mode of the decrypted secret in a format understood by chmod.
|
2020-09-01 07:37:26 +03:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
owner = mkOption {
|
|
|
|
type = types.str;
|
2021-05-10 00:18:20 +03:00
|
|
|
default = "0";
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
2021-11-24 20:00:28 +03:00
|
|
|
User of the decrypted secret.
|
2020-09-01 07:37:26 +03:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
group = mkOption {
|
|
|
|
type = types.str;
|
2021-05-10 00:18:20 +03:00
|
|
|
default = users.${config.owner}.group or "0";
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
2021-11-24 20:00:28 +03:00
|
|
|
Group of the decrypted secret.
|
2020-09-01 07:37:26 +03:00
|
|
|
'';
|
|
|
|
};
|
2021-12-29 20:25:41 +03:00
|
|
|
action = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "";
|
|
|
|
description = "A script to run when secret is updated.";
|
|
|
|
};
|
2022-01-18 16:51:45 +03:00
|
|
|
services = mkOption {
|
|
|
|
type = types.listOf types.str;
|
|
|
|
default = [];
|
|
|
|
description = "The systemd services that uses this secret. Will be restarted when the secret changes.";
|
|
|
|
example = "[ wireguard-wg0 ]";
|
2021-12-29 20:25:41 +03:00
|
|
|
};
|
2021-11-08 20:45:34 +03:00
|
|
|
symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
|
2020-09-01 07:37:26 +03:00
|
|
|
};
|
|
|
|
});
|
2021-03-02 00:10:52 +03:00
|
|
|
in
|
|
|
|
{
|
2021-12-06 03:05:06 +03:00
|
|
|
|
|
|
|
imports = [
|
|
|
|
(mkRenamedOptionModule [ "age" "sshKeyPaths" ] [ "age" "identityPaths" ])
|
|
|
|
];
|
|
|
|
|
2020-09-01 07:37:26 +03:00
|
|
|
options.age = {
|
2021-12-06 02:08:18 +03:00
|
|
|
ageBin = mkOption {
|
|
|
|
type = types.str;
|
|
|
|
default = "${rage}/bin/rage";
|
|
|
|
description = ''
|
|
|
|
The age executable to use.
|
|
|
|
'';
|
|
|
|
};
|
2020-09-01 07:37:26 +03:00
|
|
|
secrets = mkOption {
|
|
|
|
type = types.attrsOf secretType;
|
2021-03-02 00:10:52 +03:00
|
|
|
default = { };
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
|
|
|
Attrset of secrets.
|
|
|
|
'';
|
|
|
|
};
|
2021-02-25 13:23:15 +03:00
|
|
|
secretsMountPoint = mkOption {
|
|
|
|
type = types.addCheck types.str
|
|
|
|
(s:
|
|
|
|
(builtins.match "[ \t\n]*" s) == null # non-empty
|
|
|
|
&& (builtins.match ".+/" s) == null) # without trailing slash
|
|
|
|
// { description = "${types.str.description} (with check: non-empty without trailing slash)"; };
|
2021-11-08 20:50:20 +03:00
|
|
|
default = "/run/agenix.d";
|
2021-02-25 13:23:15 +03:00
|
|
|
description = ''
|
2021-11-08 20:50:20 +03:00
|
|
|
Where secrets are created before they are symlinked to /run/agenix
|
2021-02-25 13:23:15 +03:00
|
|
|
'';
|
|
|
|
};
|
2021-12-06 03:05:06 +03:00
|
|
|
identityPaths = mkOption {
|
2020-09-01 07:37:26 +03:00
|
|
|
type = types.listOf types.path;
|
2021-03-02 00:10:52 +03:00
|
|
|
default =
|
|
|
|
if config.services.openssh.enable then
|
|
|
|
map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
|
|
|
|
else [ ];
|
2020-09-01 07:37:26 +03:00
|
|
|
description = ''
|
2020-09-03 21:24:33 +03:00
|
|
|
Path to SSH keys to be used as identities in age decryption.
|
2020-09-01 07:37:26 +03:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2021-09-17 01:39:38 +03:00
|
|
|
config = mkIf (cfg.secrets != { }) {
|
|
|
|
assertions = [{
|
2021-12-06 03:05:06 +03:00
|
|
|
assertion = cfg.identityPaths != [ ];
|
|
|
|
message = "age.identityPaths must be set.";
|
2021-09-17 01:39:38 +03:00
|
|
|
}];
|
2020-09-10 06:41:26 +03:00
|
|
|
|
2021-02-25 13:23:15 +03:00
|
|
|
# Create a new directory full of secrets for symlinking (this helps
|
|
|
|
# ensure removed secrets are actually removed, or at least become
|
|
|
|
# invalid symlinks).
|
2022-01-07 00:50:56 +03:00
|
|
|
system.activationScripts.agenixMountSecrets = {
|
|
|
|
text = ''
|
|
|
|
_agenix_generation="$(basename "$(readlink /run/agenix)" || echo 0)"
|
|
|
|
(( ++_agenix_generation ))
|
|
|
|
echo "[agenix] symlinking new secrets to /run/agenix (generation $_agenix_generation)..."
|
|
|
|
mkdir -p "${cfg.secretsMountPoint}"
|
|
|
|
chmod 0751 "${cfg.secretsMountPoint}"
|
|
|
|
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
|
|
|
|
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
|
|
|
|
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
|
|
|
|
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" /run/agenix
|
|
|
|
|
|
|
|
(( _agenix_generation > 1 )) && {
|
|
|
|
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
|
|
|
|
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
deps = [
|
|
|
|
"specialfs"
|
|
|
|
];
|
|
|
|
};
|
2021-02-25 13:23:15 +03:00
|
|
|
|
2021-09-17 01:39:38 +03:00
|
|
|
# Secrets with root owner and group can be installed before users
|
|
|
|
# exist. This allows user password files to be encrypted.
|
2021-02-25 13:23:15 +03:00
|
|
|
system.activationScripts.agenixRoot = {
|
|
|
|
text = installRootOwnedSecrets;
|
|
|
|
deps = [ "agenixMountSecrets" "specialfs" ];
|
|
|
|
};
|
2021-09-17 01:39:38 +03:00
|
|
|
system.activationScripts.users.deps = [ "agenixRoot" ];
|
2021-09-10 21:20:54 +03:00
|
|
|
|
2021-02-25 13:23:15 +03:00
|
|
|
# chown the secrets mountpoint and the current generation to the keys group
|
|
|
|
# instead of leaving it root:root.
|
|
|
|
system.activationScripts.agenixChownKeys = {
|
|
|
|
text = ''
|
|
|
|
chown :keys "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
|
|
|
|
'';
|
|
|
|
deps = [
|
|
|
|
"users"
|
|
|
|
"groups"
|
|
|
|
"agenixMountSecrets"
|
|
|
|
];
|
|
|
|
};
|
2021-09-10 21:20:54 +03:00
|
|
|
|
2021-02-25 13:23:15 +03:00
|
|
|
# Other secrets need to wait for users and groups to exist.
|
|
|
|
system.activationScripts.agenix = {
|
|
|
|
text = installNonRootSecrets;
|
|
|
|
deps = [
|
|
|
|
"users"
|
|
|
|
"groups"
|
|
|
|
"specialfs"
|
|
|
|
"agenixMountSecrets"
|
|
|
|
"agenixChownKeys"
|
|
|
|
];
|
|
|
|
};
|
2021-12-29 20:25:41 +03:00
|
|
|
|
|
|
|
systemd.services = lib.mkMerge
|
|
|
|
(lib.mapAttrsToList
|
2022-01-18 16:51:45 +03:00
|
|
|
(name: {action, services, file, path, mode, owner, group, ...}:
|
2021-12-29 20:25:41 +03:00
|
|
|
let
|
2022-01-13 17:57:04 +03:00
|
|
|
fileHash = builtins.hashFile "sha256" file;
|
2021-12-29 20:25:41 +03:00
|
|
|
restartTriggers = [ fileHash path mode owner group ];
|
|
|
|
in
|
|
|
|
lib.mkMerge [
|
2022-01-18 16:51:45 +03:00
|
|
|
(lib.genAttrs services (_: { inherit restartTriggers; }))
|
2021-12-29 20:25:41 +03:00
|
|
|
(lib.mkIf (action != "") {
|
|
|
|
"agenix-${name}-action" = {
|
|
|
|
inherit restartTriggers;
|
|
|
|
|
|
|
|
# We execute the action on reload so that it doesn't happen at
|
|
|
|
# startup. The only disadvantage is that it won't trigger the
|
|
|
|
# first time the service is created.
|
|
|
|
reload = action;
|
|
|
|
reloadIfChanged = true;
|
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
RemainAfterExit = true;
|
|
|
|
};
|
|
|
|
|
2022-01-13 17:57:27 +03:00
|
|
|
script = " "; # systemd complains if we only set ExecReload
|
2021-12-29 20:25:41 +03:00
|
|
|
|
|
|
|
# Give it a reason for starting
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
};
|
|
|
|
|
2022-01-18 16:51:45 +03:00
|
|
|
})
|
|
|
|
]) cfg.secrets);
|
2021-09-17 01:39:38 +03:00
|
|
|
};
|
2021-09-10 21:20:54 +03:00
|
|
|
|
2020-09-01 07:37:26 +03:00
|
|
|
}
|