authorLinnnus <[email protected]>2023-09-07 16:53:41 +0200
committerLinnnus <[email protected]>2023-09-07 16:53:41 +0200
commitedcc3acea595d3045253c3c2fe2462599c1c54e0 (patch)
tree81e17fc5fe4f0a52d30e8d0209c6080cc77eda32 /lib/secrets/default.nix
parentd31d1bae8c38e145cdbafe105401d9528b416779 (diff)
Reorganize everything
Diffstat (limited to 'lib/secrets/default.nix')
-rw-r--r--lib/secrets/default.nix90
1 files changed, 90 insertions, 0 deletions
diff --git a/lib/secrets/default.nix b/lib/secrets/default.nix
new file mode 100644
index 0000000..9592052
--- /dev/null
+++ b/lib/secrets/default.nix
@@ -0,0 +1,90 @@
+{ pkgs, config, lib, metadata, ... }:
+
+with lib;
+
+let
+ cfg = config.my.secrets;
+
+ secret = types.submodule {
+ options = {
+ source = mkOption {
+ type = types.path;
+ description = "local secret path";
+ };
+
+ dest = mkOption {
+ type = types.str;
+ description = "where to write the decrypted secret to";
+ };
+
+ owner = mkOption {
+ default = "root";
+ type = types.str;
+ description = "who should own the secret";
+ };
+
+ group = mkOption {
+ default = "root";
+ type = types.str;
+ description = "what group should own the secret";
+ };
+
+ permissions = mkOption {
+ default = "0400";
+ type = types.str;
+ description = "Permissions expressed as octal.";
+ };
+ };
+ };
+
+ mkSecretOnDisk = name:
+ { source, ... }:
+ pkgs.stdenv.mkDerivation {
+ name = "${name}-secret";
+ phases = "installPhase";
+ buildInputs = [ pkgs.rage ];
+ installPhase =
+ let
+ key = metadata.hosts."${config.networking.hostName}".sshPubKey;
+ in
+ ''
+ rage -a -r '${key}' -o "$out" '${source}'
+ '';
+ };
+
+ mkService = name:
+ { source, dest, owner, group, permissions, ... }: {
+ description = "decrypt secret for ${name}";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = with pkgs; ''
+ rm -rf ${dest}
+ "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
+ mkSecretOnDisk name { inherit source; }
+ }'
+
+ chown '${owner}':'${group}' '${dest}'
+ chmod '${permissions}' '${dest}'
+ '';
+ };
+in
+{
+ options.my.secrets = mkOption {
+ type = types.attrsOf secret;
+ description = "secret configuration";
+ default = { };
+ };
+
+ config.systemd.services =
+ let
+ units = mapAttrs'
+ (name: info: {
+ name = "${name}-key";
+ value = (mkService name info);
+ })
+ cfg;
+ in
+ units;
+}