From 202ea075cf9e75a57543478ae7efb0985b77a3df Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Mon, 31 Aug 2020 21:37:26 -0700
Subject: [PATCH] initial prototype

---
 LICENSE | 121 ++++++++++++++++++++++++++++++++++++++++++++++++
 age.sh | 68 +++++++++++++++++++++++++++
 example.yaml | 16 +++++++
 modules/age.nix | 109 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 314 insertions(+)
 create mode 100644 LICENSE
 create mode 100644 age.sh
 create mode 100644 example.yaml
 create mode 100644 modules/age.nix

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..1625c17
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,121 @@ +Creative Commons Legal Code + +CC0 1.0 Universal + + CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE + LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN + ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS + INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES + REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS + PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM + THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED + HEREUNDER. + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator +and subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for +the purpose of contributing to a commons of creative, cultural and +scientific works ("Commons") that the public can reliably and without fear +of later claims of infringement build upon, modify, incorporate in other +works, reuse and redistribute as freely as possible in any form whatsoever +and for any purposes, including without limitation commercial purposes. +These owners may contribute to the Commons to promote the ideal of a free +culture and the further production of creative, cultural and scientific +works, or to gain reputation or greater distribution for their Work in +part through the use and efforts of others. 
+ +For these and/or other purposes and motivations, and without any +expectation of additional consideration or compensation, the person +associating CC0 with a Work (the "Affirmer"), to the extent that he or she +is an owner of Copyright and Related Rights in the Work, voluntarily +elects to apply CC0 to the Work and publicly distribute the Work under its +terms, with knowledge of his or her Copyright and Related Rights in the +Work and the meaning and intended legal effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not +limited to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, + communicate, and translate a Work; + ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or + likeness depicted in a Work; + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + v. rights protecting the extraction, dissemination, use and reuse of data + in a Work; + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation + thereof, including any amended or successor version of such + directive); and +vii. other similar, equivalent or corresponding rights throughout the + world based on applicable law or treaty, and any national + implementations thereof. + +2. Waiver. 
To the greatest extent permitted by, but not in contravention +of, applicable law, Affirmer hereby overtly, fully, permanently, +irrevocably and unconditionally waives, abandons, and surrenders all of +Affirmer's Copyright and Related Rights and associated claims and causes +of action, whether now known or unknown (including existing as well as +future claims and causes of action), in the Work (i) in all territories +worldwide, (ii) for the maximum duration provided by applicable law or +treaty (including future time extensions), (iii) in any current or future +medium and for any number of copies, and (iv) for any purpose whatsoever, +including without limitation commercial, advertising or promotional +purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each +member of the public at large and to the detriment of Affirmer's heirs and +successors, fully intending that such Waiver shall not be subject to +revocation, rescission, cancellation, termination, or any other legal or +equitable action to disrupt the quiet enjoyment of the Work by the public +as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason +be judged legally invalid or ineffective under applicable law, then the +Waiver shall be preserved to the maximum extent permitted taking into +account Affirmer's express Statement of Purpose. 
In addition, to the +extent the Waiver is so judged Affirmer hereby grants to each affected +person a royalty-free, non transferable, non sublicensable, non exclusive, +irrevocable and unconditional license to exercise Affirmer's Copyright and +Related Rights in the Work (i) in all territories worldwide, (ii) for the +maximum duration provided by applicable law or treaty (including future +time extensions), (iii) in any current or future medium and for any number +of copies, and (iv) for any purpose whatsoever, including without +limitation commercial, advertising or promotional purposes (the +"License"). The License shall be deemed effective as of the date CC0 was +applied by Affirmer to the Work. Should any part of the License for any +reason be judged legally invalid or ineffective under applicable law, such +partial invalidity or ineffectiveness shall not invalidate the remainder +of the License, and in such case Affirmer hereby affirms that he or she +will not (i) exercise any of his or her remaining Copyright and Related +Rights in the Work or (ii) assert any associated claims and causes of +action with respect to the Work, in either case contrary to Affirmer's +express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + b. Affirmer offers the Work as-is and makes no representations or + warranties of any kind concerning the Work, express, implied, + statutory or otherwise, including without limitation warranties of + title, merchantability, fitness for a particular purpose, non + infringement, or the absence of latent or other defects, accuracy, or + the present or absence of errors, whether or not discoverable, all to + the greatest extent permissible under applicable law. + c. 
Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without + limitation any person's Copyright and Related Rights in the Work. + Further, Affirmer disclaims responsibility for obtaining any necessary + consents, permissions or other rights required for any use of the + Work. + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to + this CC0 or use of the Work. \ No newline at end of file diff --git a/age.sh b/age.sh new file mode 100644 index 0000000..febbdfd --- /dev/null +++ b/age.sh 
@@ -0,0 +1,68 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p age yq-go
+set -euxo pipefail
+
+RULES=example.yaml
+
+function cleanup {
+ if [ ! -z ${CLEARTEXT_DIR+x} ]
+ then
+ rm -rf "$CLEARTEXT_DIR"
+ fi
+ if [ ! -z ${REENCRYPTED_DIR+x} ]
+ then
+ rm -rf "$REENCRYPTED_DIR"
+ fi
+}
+trap "cleanup" 0 2 3 15
+
+function ageEdit {
+ FILE=$1
+ KEYS=$(yq r "$RULES" "secrets.(name==$FILE).public_keys.**")
+ if [ -z "$KEYS" ]
+ then
+ >&2 echo "There is no rule for $FILE in $RULES."
+ exit 1
+ fi
+
+ CLEARTEXT_DIR=$(mktemp -d)
+ CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
+
+
+ if [ -f "$FILE" ]
+ then
+ DECRYPT=(--decrypt)
+ while IFS= read -r key
+ do
+ DECRYPT+=(--identity "$key")
+ done <<<$(find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts")
+ DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
+ age "${DECRYPT[@]}"
+ fi
+
+ $EDITOR "$CLEARTEXT_FILE"
+
+ ENCRYPT=()
+ while IFS= read -r key
+ do
+ echo "$key"
+ ENCRYPT+=(--recipient "$key")
+ done <<< "$KEYS"
+
+ REENCRYPTED_DIR=$(mktemp -d)
+ REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename "$FILE")"
+
+ ENCRYPT+=(-o "$REENCRYPTED_FILE")
+
+ cat "$CLEARTEXT_FILE" | age "${ENCRYPT[@]}"
+
+ mv -f "$REENCRYPTED_FILE" "$1"
+}
+
+function rekey {
+ FILES=$(yq r "$RULES" "secrets.*.name")
+ for FILE in $FILES
+ do
+ EDITOR=echo ageEdit $FILE
+ done
+}
diff --git a/example.yaml b/example.yaml
new file mode 100644
index 0000000..39c3850
--- /dev/null
+++ b/example.yaml
@@ -0,0 +1,16 @@
+public_keys:
+ # users
+ - &user1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFx3E0bHOWxRu91+XFzimbVA1mP19c5To/7szED1OUf9 user1@example.com
+ # hosts
+ # get these via ssh-keyscan
+ - &host1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKxk6NtiVv8L8R6/+lHgq4UP8P6JC7a6Wl2klCOOk8GP root@host1
+
+secrets:
+ - name: secret.age
+ public_keys:
+ - *user1
+ - *host1
+ - name: other.age
+ public_keys:
+ - *user1
+ - *host1
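Review bot: The identity list in ageEdit is built from an unquoted `done <<<$(find ~/.ssh ...)`, so when `find` matches nothing the loop still runs once and hands age `--identity ""`, and when it does match it passes every non-excluded regular file in `~/.ssh` (e.g. `environment` or `rc`) as an identity, not only private keys; quoting it as `done <<< "$(find ...)"` fixes the empty-line case, and restricting the search (`-name 'id_*'` or an explicit identity list) the rest. The cleartext is decrypted into a `mktemp -d` directory under `$TMPDIR`, which on many systems is persistent disk, and the `rm -rf` in cleanup unlinks it without overwriting it; pointing mktemp at a tmpfs (e.g. `mktemp -d -p "${XDG_RUNTIME_DIR:-/dev/shm}"`) keeps the plaintext out of durable storage where the host has one. `rekey` expands the file name unquoted in `EDITOR=echo ageEdit $FILE`, which breaks on names with spaces or globs; `ageEdit "$FILE"` is enough. With `set -x` every command is echoed to stderr, which is fine for a prototype but worth noting for anyone piping this script's output into logs.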
diff --git a/modules/age.nix b/modules/age.nix
new file mode 100644
index 0000000..7fa7c87
--- /dev/null
+++ b/modules/age.nix
@@ -0,0 +1,109 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.age;
+ users = config.users.users;
+
+ age-install-secrets = (pkgs.callPackage ../.. {}).age-install-secrets;
+
+ secretType = types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = config._module.args.name;
+ description = ''
+ Name of the file used in /run/secrets
+ '';
+ };
+ file = mkOption {
+ type = types.either types.str types.path;
+ description = ''
+ Age file the secret is loaded from.
+ '';
+ };
+ path = assert assertMsg (builtins.pathExists config.file) ''
+ Cannot find path '${config.file}' set in 'age.secrets."${config._module.args.name}".file'
+ '';
+ mkOption {
+ type = types.str;
+ default = "/run/secrets/${config.name}";
+ description = ''
+ Path where secrets are symlinked to.
+ If the default is kept no symlink is created.
+ '';
+ };
+ mode = mkOption {
+ type = types.str;
+ default = "0400";
+ description = ''
+ Permissions mode of the in octal.
+ '';
+ };
+ owner = mkOption {
+ type = types.str;
+ default = "root";
+ description = ''
+ User of the file.
+ '';
+ };
+ group = mkOption {
+ type = types.str;
+ default = users.${config.owner}.group;
+ description = ''
+ Group of the file.
+ '';
+ };
+ };
+ });
+
+ identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
+
+ installSecret = secretType: ''
+ rm -f "${secretType.path}"
+ ${pkgs.age}/bin/age --decrypt ${identities} -o "${secretType.path}" "${secretType.file}"
+ chmod ${secretType.mode} "${secretType.path}"
+ chown ${secretType.owner}:${secretType.group} "${secretType.path}"
+ '';
+
+ installAllSecrets =
+
+ let
+ st = (map installSecret (builtins.attrValues cfg.secrets));
+ a = builtins.concatStringsSep "\n" st;
+ in builtins.trace (builtins.toString st) a;
+
+in {
+ options.age = {
+ secrets = mkOption {
+ type = types.attrsOf secretType;
+ default = {};
+ description = ''
+ Attrset of secrets.
+ '';
+ };
+ sshKeyPaths = mkOption {
+ type = types.listOf types.path;
+ default = if config.services.openssh.enable then
+ map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+ else [];
+ description = ''
+ Path to SSH keys to be used as identities in age file decryption.
+ '';
+ };
+ };
+ config = mkIf (cfg.secrets != {}) {
+ assertions = [{
+ assertion = cfg.sshKeyPaths != [];
+ message = "Either age.sshKeyPaths must be set.";
+ }] ++ map (name: let
+ inherit (cfg.secrets.${name}) file;
+ in {
+ assertion = builtins.isPath file;
+ message = "${file} is not in the nix store. Either add it to the nix store.";
+ }) (builtins.attrNames cfg.secrets);
+
+ system.activationScripts.setup-secrets = stringAfter [ "users" "groups" ] installAllSecrets;
+ };
+}
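Review bot: installSecret decrypts straight to the final path with the activation script's default umask and only then runs `chmod`/`chown`, so between the `age --decrypt -o` and the `chmod` the plaintext sits at `${secretType.path}` with the default mode (0644 under a 022 umask) and is readable by any local user; decrypt under `umask 077` into a sibling temp file, set mode and owner there, and `mv` it into place, and create the parent directory first since nothing in the hunk does. `installAllSecrets` still carries a `builtins.trace` that dumps the whole generated script at evaluation time, and `age-install-secrets` is bound but never used — both look like prototype leftovers worth removing before this ships. The option text also needs a pass: the `path` description talks about symlinks while the script writes a file, `mode` reads "Permissions mode of the in octal.", and both assertion messages ("Either age.sshKeyPaths must be set.", "Either add it to the nix store.") are truncated sentences.
```nix
  installSecret = secretType: ''
    mkdir -p "$(dirname "${secretType.path}")"
    rm -f "${secretType.path}.tmp"
    # decrypt under umask 077 so the plaintext is never world-readable, then fix
    # mode and owner before it becomes visible at its final path
    (umask 077; ${pkgs.age}/bin/age --decrypt ${identities} -o "${secretType.path}.tmp" "${secretType.file}")
    chmod ${secretType.mode} "${secretType.path}.tmp"
    chown ${secretType.owner}:${secretType.group} "${secretType.path}.tmp"
    mv -f "${secretType.path}.tmp" "${secretType.path}"
  '';
```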