From 5828af9fc19e18dc85e49fcc1a251a7eb25d909c Mon Sep 17 00:00:00 2001 From: Max Audron Date: Fri, 11 Aug 2023 16:51:35 +0200 Subject: init
---
modules/crypto/default.nix | 90 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 modules/crypto/default.nix (limited to 'modules/crypto')
diff --git a/modules/crypto/default.nix b/modules/crypto/default.nix
new file mode 100644
index 0000000..578fc0c
--- /dev/null
+++ b/modules/crypto/default.nix
@@ -0,0 +1,90 @@
+{ pkgs, config, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.secrets;
+
+ secret = types.submodule {
+ options = {
+ source = mkOption {
+ type = types.path;
+ description = "local secret path";
+ };
+
+ dest = mkOption {
+ type = types.str;
+ description = "where to write the decrypted secret to";
+ };
+
+ owner = mkOption {
+ default = "root";
+ type = types.str;
+ description = "who should own the secret";
+ };
+
+ group = mkOption {
+ default = "root";
+ type = types.str;
+ description = "what group should own the secret";
+ };
+
+ permissions = mkOption {
+ default = "0400";
+ type = types.str;
+ description = "Permissions expressed as octal.";
+ };
+ };
+ };
+
+ # metadata = lib.importTOML ../../ops/metadata/hosts.toml;
+
+ mkSecretOnDisk = name:
+ { source, ... }:
+ pkgs.stdenv.mkDerivation {
+ name = "${name}-secret";
+ phases = "installPhase";
+ buildInputs = [ pkgs.rage ];
+ installPhase = ''
+ rage -a -r '${config.pubKey}' -o "$out" '${source}'
+ '';
+ };
+
+ mkService = name:
+ { source, dest, owner, group, permissions, ... }: {
+ description = "decrypt secret for ${name}";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig.Type = "oneshot";
+
+ script = with pkgs; ''
+ rm -rf ${dest}
+ mkdir -p ${dirOf dest}
+ "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
+ mkSecretOnDisk name { inherit source; }
+ }'
+ chown '${owner}':'${group}' '${dest}'
+ chmod '${permissions}' '${dest}'
+ '';
+ };
+in {
+ options = {
+ pubKey = mkOption {
+ type = types.str;
+ description = "host public key used for encrypting secrets";
+ };
+
+ secrets = mkOption {
+ type = types.attrsOf secret;
+ description = "secret configuration";
+ default = { };
+ };
+ };
+
+ config.systemd.services = let
+ units = mapAttrs' (name: info: {
+ name = "${name}-key";
+ value = (mkService name info);
+ }) cfg;
+ in units;
+}
--
cgit v1.2.3
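Review bot: In mkSecretOnDisk, interpolating `'${source}'` into the installPhase string copies the plaintext secret into the Nix store whenever `source` is a path value (and `types.path` admits exactly that), so the world-readable store holds the plaintext before rage ever runs and the encryption only protects the derivation output; the plaintext must stay outside the store, e.g. by encrypting ahead of time and having the option take the ciphertext, or by reading `source` from an out-of-store location that is never coerced into a derivation input. In mkService the decrypted file is created by `"${rage}"/bin/rage -d ... -o '${dest}'` before `chown` and `chmod` run, so it briefly exists with whatever permissions the unit's umask grants; `umask 077` as the first line of the script closes that window. The same script leaves `rm -rf ${dest}` and `mkdir -p ${dirOf dest}` unquoted while every other use of `dest` is single-quoted, so a `dest` containing spaces or glob characters would expand to other paths; `rm -rf '${dest}'` and `mkdir -p '${dirOf dest}'` make them consistent. A short comment on mkSecretOnDisk, `# NOTE: the derivation output is the age ciphertext; make sure the input itself never lands in the store`, would record the intended trust boundary for the next reader.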