Add xe age secrets config

8 months ago · 65f96aa5af
parent 26bc4eeb60
commit 65f96aa5af
4 changed files with 93 additions and 0 deletions
--- a/common/secrets.nix
+++ b/common/secrets.nix
@ -0,0 +1,86 @@
+# based on https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix
+{ pkgs, config, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.ashe.secrets;
+
+  secret = types.submodule {
+    options = {
+      source = mkOption {
+        type = types.path;
+        description = "local secret path";
+      };
+
+      dest = mkOption {
+        type = types.str;
+        description = "where to write the decrypted secret to";
+      };
+
+      owner = mkOption {
+        default = "root";
+        type = types.str;
+        description = "who should own the secret";
+      };
+
+      group = mkOption {
+        default = "root";
+        type = types.str;
+        description = "what group should own the secret";
+      };
+
+      permissions = mkOption {
+        default = "0400";
+        type = types.str;
+        description = "Permissions expressed as octal.";
+      };
+    };
+  };
+
+  metadata = lib.importTOML ../hosts/metadata/hosts.toml;
+
+  mkSecretOnDisk = name:
+    { source, ... }:
+    pkgs.stdenv.mkDerivation {
+      name = "${name}-secret";
+      phases = "installPhase";
+      buildInputs = [ pkgs.rage ];
+      installPhase =
+        let key = metadata.hosts."${config.networking.hostName}".ssh_pubkey;
+        in ''
+          rage -a -r '${key}' -o "$out" '${source}'
+        '';
+    };
+
+  mkService = name:
+    { source, dest, owner, group, permissions, ... }: {
+      description = "decrypt secret for ${name}";
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig.Type = "oneshot";
+
+      script = with pkgs; ''
+        rm -rf ${dest}
+        "${rage}"/bin/rage -d -i /etc/ssh/ssh_host_ed25519_key -o '${dest}' '${
+          mkSecretOnDisk name { inherit source; }
+        }'
+
+        chown '${owner}':'${group}' '${dest}'
+        chmod '${permissions}' '${dest}'
+      '';
+    };
+in {
+  options.ashe.secrets = mkOption {
+    type = types.attrsOf secret;
+    description = "secret configuration";
+    default = { };
+  };
+
+  config.systemd.services = let
+    units = mapAttrs' (name: info: {
+      name = "${name}-key";
+      value = (mkService name info);
+    }) cfg;
+  in units;
+}
--- a/hosts/hemera/configuration.nix
+++ b/hosts/hemera/configuration.nix
@ -5,6 +5,7 @@
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../common/tailscale.nix
+      ../../common/secrets.nix
    ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
--- a/hosts/metadata/hosts.toml
+++ b/hosts/metadata/hosts.toml
@ -0,0 +1,5 @@
+[hosts.nyx]
+ssh_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKTVdnCh9h2ZC8LBAJ3IJeySYkDGSQ2qCEjtLd9YQxA"
+
+[hosts.hemera]
+ssh_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPr/d9gdfRThT8M+sr+Z7t25qCFnh+bnHob3+8RUXUPm"
--- a/hosts/nyx/configuration.nix
+++ b/hosts/nyx/configuration.nix
@ -7,6 +7,7 @@
    ../../common/network.nix
    ../../common/user.nix
    ../../common/tailscale.nix
+    ../../common/secrets.nix
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];