authorMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
committerMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
commit5828af9fc19e18dc85e49fcc1a251a7eb25d909c (patch)
treec70c3e52237c08d3fdcb2f1269c524c25e3feeb8 /modules/crypto/default.nix
init
Diffstat (limited to 'modules/crypto/default.nix')
-rw-r--r--modules/crypto/default.nix90
1 files changed, 90 insertions, 0 deletions
diff --git a/modules/crypto/default.nix b/modules/crypto/default.nix
new file mode 100644
index 0000000..578fc0c
--- /dev/null
+++ b/modules/crypto/default.nix
@@ -0,0 +1,90 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.secrets;
+
+ secret = types.submodule {
+ options = {
+ source = mkOption {
+ type = types.path;
+ description = "local secret path";
+ };
+
+ dest = mkOption {
+ type = types.str;
+ description = "where to write the decrypted secret to";
+ };
+
+ owner = mkOption {
+ default = "root";
+ type = types.str;
+ description = "who should own the secret";
+ };
+
+ group = mkOption {
+ default = "root";
+ type = types.str;
+ description = "what group should own the secret";
+ };
+
+ permissions = mkOption {
+ default = "0400";
+ type = types.str;
+ description = "Permissions expressed as octal.";
+ };
+ };
+ };
+
+ # metadata = lib.importTOML ../../ops/metadata/hosts.toml;
+
+ mkSecretOnDisk = name:
+ { source, ... }:
+ pkgs.stdenv.mkDerivation {
+ name = "${name}-secret";
+ phases = "installPhase";
+ buildInputs = [ pkgs.rage ];
+ installPhase = ''
+ rage -a -r '${config.pubKey}' -o "$out" '${source}'
+ '';
+ };
+
+ mkService = name:
+ { source, dest, owner, group, permissions, ... }: {
+ description = "decrypt secret for ${name}";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = with pkgs; ''
+ rm -rf ${dest}
+ mkdir -p ${dirOf dest}
+ "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
+ mkSecretOnDisk name { inherit source; }
+ }'
+ chown '${owner}':'${group}' '${dest}'
+ chmod '${permissions}' '${dest}'
+ '';
+ };
+in {
+ options = {
+ pubKey = mkOption {
+ type = types.str;
+ description = "host public key used for encrypting secrets";
+ };
+
+ secrets = mkOption {
+ type = types.attrsOf secret;
+ description = "secret configuration";
+ default = { };
+ };
+ };
+
+ config.systemd.services = let
+ units = mapAttrs' (name: info: {
+ name = "${name}-key";
+ value = (mkService name info);
+ }) cfg;
+ in units;
+}
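Review bot: The `'${source}'` interpolation in mkSecretOnDisk's installPhase feeds the plaintext secret to a sandboxed derivation, which as far as I can tell only works if the file is first copied into the Nix store, so the unencrypted secret would end up world-readable under /nix/store; the rage encryption step should run outside a derivation (on the machine holding the plaintext) or take an already-encrypted source. In mkService's script, `dest` is unquoted in `rm -rf ${dest}` and `mkdir -p ${dirOf dest}`, unlike the quoted uses on the following lines, so a dest containing whitespace or glob characters removes the wrong paths; quote them as `rm -rf "${dest}"` and `mkdir -p "${dirOf dest}"`. The decrypted file is also created by rage before chown/chmod run, so it briefly carries umask-derived permissions; a leading `umask 077` in the script closes that window.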