From 7d4ab89f1e6264e124109bf25eafaafdf1aec02a Mon Sep 17 00:00:00 2001
From: Linnnus
Date: Tue, 5 Sep 2023 09:48:04 +0200
Subject: Initial commit

---
 lib/secrets/default.nix | 92 +++++++++++++++++++++++++++++++++++++++++++++++
 lib/secrets/metadata.toml | 5 +++
 2 files changed, 97 insertions(+)
 create mode 100644 lib/secrets/default.nix
 create mode 100644 lib/secrets/metadata.toml
(limited to 'lib/secrets')
diff --git a/lib/secrets/default.nix b/lib/secrets/default.nix
new file mode 100644
index 0000000..401d4a5
--- /dev/null
+++ b/lib/secrets/default.nix
@@ -0,0 +1,92 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.my.secrets;
+
+ secret = types.submodule {
+ options = {
+ source = mkOption {
+ type = types.path;
+ description = "local secret path";
+ };
+
+ dest = mkOption {
+ type = types.str;
+ description = "where to write the decrypted secret to";
+ };
+
+ owner = mkOption {
+ default = "root";
+ type = types.str;
+ description = "who should own the secret";
+ };
+
+ group = mkOption {
+ default = "root";
+ type = types.str;
+ description = "what group should own the secret";
+ };
+
+ permissions = mkOption {
+ default = "0400";
+ type = types.str;
+ description = "Permissions expressed as octal.";
+ };
+ };
+ };
+
+ metadata = lib.importTOML ./metadata.toml;
+
+ mkSecretOnDisk = name:
+ { source, ... }:
+ pkgs.stdenv.mkDerivation {
+ name = "${name}-secret";
+ phases = "installPhase";
+ buildInputs = [ pkgs.rage ];
+ installPhase =
+ let
+ key = metadata.hosts."${config.networking.hostName}".sshPubKey;
+ in
+ ''
+ rage -a -r '${key}' -o "$out" '${source}'
+ '';
+ };
+
+ mkService = name:
+ { source, dest, owner, group, permissions, ... }: {
+ description = "decrypt secret for ${name}";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = with pkgs; ''
+ rm -rf ${dest}
+ "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
+ mkSecretOnDisk name { inherit source; }
+ }'
+
+ chown '${owner}':'${group}' '${dest}'
+ chmod '${permissions}' '${dest}'
+ '';
+ };
+in
+{
+ options.my.secrets = mkOption {
+ type = types.attrsOf secret;
+ description = "secret configuration";
+ default = { };
+ };
+
+ config.systemd.services =
+ let
+ units = mapAttrs'
+ (name: info: {
+ name = "${name}-key";
+ value = (mkService name info);
+ })
+ cfg;
+ in
+ units;
+}
diff --git a/lib/secrets/metadata.toml b/lib/secrets/metadata.toml
new file mode 100644
index 0000000..a956c31
--- /dev/null
+++ b/lib/secrets/metadata.toml
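Review bot: The cleartext secret is copied into the world-readable Nix store before rage ever encrypts it: `source` is declared as `types.path`, and interpolating it as `'${source}'` in mkSecretOnDisk's installPhase makes Nix copy that file into /nix/store (and reference it from the .drv), so the build-time encryption adds no confidentiality on the machine that evaluates this configuration. The option description "local secret path" suggests `source` is the cleartext; if so, the module should accept only files that are already age-encrypted and keep cleartext out of evaluation entirely, which is how agenix and sops-nix approach the same problem. Separately, in mkService rage writes the decrypted file under the service's default umask and the mode is only tightened by the later chown/chmod, and `rm -rf ${dest}` is the one place where dest is unquoted. Adding `serviceConfig.UMask = "0077";` beside `serviceConfig.Type = "oneshot";` and using `rm -f '${dest}'` closes both windows.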
@@ -0,0 +1,5 @@
+# This file specifies metadata for each host.
+
+[hosts.ahmed]
+ipAddress = "192.168.68.126"
+sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3/DjOuKMN18fs/0ZHI3kKLHGytXOFEDBbx+09ZrS3G"
-- 
cgit v1.2.3