Add xe age secrets config
parent
26bc4eeb60
commit
65f96aa5af
@ -0,0 +1,86 @@
|
||||
# based on https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.ashe.secrets;
|
||||
|
||||
secret = types.submodule {
|
||||
options = {
|
||||
source = mkOption {
|
||||
type = types.path;
|
||||
description = "local secret path";
|
||||
};
|
||||
|
||||
dest = mkOption {
|
||||
type = types.str;
|
||||
description = "where to write the decrypted secret to";
|
||||
};
|
||||
|
||||
owner = mkOption {
|
||||
default = "root";
|
||||
type = types.str;
|
||||
description = "who should own the secret";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
default = "root";
|
||||
type = types.str;
|
||||
description = "what group should own the secret";
|
||||
};
|
||||
|
||||
permissions = mkOption {
|
||||
default = "0400";
|
||||
type = types.str;
|
||||
description = "Permissions expressed as octal.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
metadata = lib.importTOML ../hosts/metadata/hosts.toml;
|
||||
|
||||
mkSecretOnDisk = name:
|
||||
{ source, ... }:
|
||||
pkgs.stdenv.mkDerivation {
|
||||
name = "${name}-secret";
|
||||
phases = "installPhase";
|
||||
buildInputs = [ pkgs.rage ];
|
||||
installPhase =
|
||||
let key = metadata.hosts."${config.networking.hostName}".ssh_pubkey;
|
||||
in ''
|
||||
rage -a -r '${key}' -o "$out" '${source}'
|
||||
'';
|
||||
};
|
||||
|
||||
mkService = name:
|
||||
{ source, dest, owner, group, permissions, ... }: {
|
||||
description = "decrypt secret for ${name}";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
script = with pkgs; ''
|
||||
rm -rf ${dest}
|
||||
"${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
|
||||
mkSecretOnDisk name { inherit source; }
|
||||
}'
|
||||
|
||||
chown '${owner}':'${group}' '${dest}'
|
||||
chmod '${permissions}' '${dest}'
|
||||
'';
|
||||
};
|
||||
in {
|
||||
options.ashe.secrets = mkOption {
|
||||
type = types.attrsOf secret;
|
||||
description = "secret configuration";
|
||||
default = { };
|
||||
};
|
||||
|
||||
config.systemd.services = let
|
||||
units = mapAttrs' (name: info: {
|
||||
name = "${name}-key";
|
||||
value = (mkService name info);
|
||||
}) cfg;
|
||||
in units;
|
||||
}
|
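Review bot: Interpolating `source` into the build script as `'${source}'` defeats the encryption, because `source` is declared `types.path` and a path spliced into a derivation string is copied into the Nix store as a world-readable input, so the plaintext secret ends up under `/nix/store` next to the `rage`-encrypted output. A derivation can only read store paths, so the structural fix is to encrypt offline with `rage -r '<ssh_pubkey from hosts.toml>'`, commit only the ciphertext, make `source` point at that, and have the oneshot run `rage -d` on it directly, dropping `mkSecretOnDisk`. Separately, in `mkService` the decrypted file is created under the service's default umask before the trailing `chmod`, leaving a readable window; add `umask 077` as the first line of `script`, and quote `"${dest}"` in the `rm -rf` since `dest` is an unconstrained `types.str`. Finally, note in the option description that consumers must order themselves `after = [ "<name>-key.service" ]`, as the units here are only pulled in by `multi-user.target` and nothing sequences dependents behind them.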
@ -0,0 +1,5 @@
|
||||
[hosts.nyx]
|
||||
ssh_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKTVdnCh9h2ZC8LBAJ3IJeySYkDGSQ2qCEjtLd9YQxA"
|
||||
|
||||
[hosts.hemera]
|
||||
ssh_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPr/d9gdfRThT8M+sr+Z7t25qCFnh+bnHob3+8RUXUPm"
|
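Review bot: The table gives no indication which key is expected here, while the module that consumes it decrypts with `/etc/ssh/ssh_host_ed25519_key`, so a maintainer could paste a user key and get an undiagnosable decrypt failure at boot. Add a header comment such as `# ssh_pubkey must be the host's /etc/ssh/ssh_host_ed25519_key.pub; secrets are encrypted to it and decrypted on the host with the matching private key` and note that the table name must equal `networking.hostName`, which the module uses for lookup.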