author | Linnnus <[email protected]> | 2023-09-06 11:35:04 +0200 |
committer | Linnnus <[email protected]> | 2023-09-06 11:35:04 +0200 |
commit | 1b13a31cfedae20da0a9aed7b8768a6432889b65 (patch) | |
tree | 2fb869e77df73fcc28eeef78dc79b7c39e21fd2d /lib/secrets | |
parent | 17d483c8c8a96fad2200acaf802b7ef0b0eb494d (diff) |
more stuff
Diffstat (limited to 'lib/secrets')
-rw-r--r-- | lib/secrets/default.nix | 92 | ||||
-rw-r--r-- | lib/secrets/metadata.toml | 5 |
2 files changed, 0 insertions, 97 deletions
diff --git a/lib/secrets/default.nix b/lib/secrets/default.nix
deleted file mode 100644
index 401d4a5..0000000
--- a/lib/secrets/default.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-with lib;
-
-let
- cfg = config.my.secrets;
-
- secret = types.submodule {
- options = {
- source = mkOption {
- type = types.path;
- description = "local secret path";
- };
-
- dest = mkOption {
- type = types.str;
- description = "where to write the decrypted secret to";
- };
-
- owner = mkOption {
- default = "root";
- type = types.str;
- description = "who should own the secret";
- };
-
- group = mkOption {
- default = "root";
- type = types.str;
- description = "what group should own the secret";
- };
-
- permissions = mkOption {
- default = "0400";
- type = types.str;
- description = "Permissions expressed as octal.";
- };
- };
- };
-
- metadata = lib.importTOML ./metadata.toml;
-
- mkSecretOnDisk = name:
- { source, ... }:
- pkgs.stdenv.mkDerivation {
- name = "${name}-secret";
- phases = "installPhase";
- buildInputs = [ pkgs.rage ];
- installPhase =
- let
- key = metadata.hosts."${config.networking.hostName}".sshPubKey;
- in
- ''
- rage -a -r '${key}' -o "$out" '${source}'
- '';
- };
-
- mkService = name:
- { source, dest, owner, group, permissions, ... }: {
- description = "decrypt secret for ${name}";
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig.Type = "oneshot";
-
- script = with pkgs; ''
- rm -rf ${dest}
- "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
- mkSecretOnDisk name { inherit source; }
- }'
-
- chown '${owner}':'${group}' '${dest}'
- chmod '${permissions}' '${dest}'
- '';
- };
-in
-{
- options.my.secrets = mkOption {
- type = types.attrsOf secret;
- description = "secret configuration";
- default = { };
- };
-
- config.systemd.services =
- let
- units = mapAttrs'
- (name: info: {
- name = "${name}-key";
- value = (mkService name info);
- })
- cfg;
- in
- units;
-}
diff --git a/lib/secrets/metadata.toml b/lib/secrets/metadata.toml
deleted file mode 100644
index a956c31..0000000
--- a/lib/secrets/metadata.toml
+++ /dev/null
@@ -1,5 +0,0 @@
-# This file specifies metadata for each host.
-
-[hosts.ahmed]
-ipAddress = "192.168.68.126"
-sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3/DjOuKMN18fs/0ZHI3kKLHGytXOFEDBbx+09ZrS3G"