nixfiles/nixos/modules/secrets.nix

{ lib, pkgs, config, secretsPath, ... }:
let
  inherit (builtins) mapAttrs;
  inherit (lib) mkMerge mkIf mkDefault;
  inherit (lib.my) mkOpt';

  cfg = config.my.secrets;
in
{
  options.my.secrets = with lib.types; {
    vmKeyPath = mkOpt' str "/tmp/xchg/dev.key" "Path to dev key when in a dev VM.";
    key = mkOpt' (nullOr str) null "Public key that secrets for this system should be encrypted for.";
    files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix.";
  };

  config = mkMerge [
    {
      age = {
        secretsDir = mkDefault "/run/secrets";
        secrets = mapAttrs (f: opts: {
          file = "${secretsPath}/${f}.age";
        } // opts) cfg.files;
        # agenix sets this as a default but adding any custom extras will _replace_ the list (different priority)
        identityPaths =
          mkIf config.services.openssh.enable
          (map
            # Use the persit dir to grab the keys instead, otherwise they might not be ready. We can't really make
            # agenix depend on impermanence, since users depends on agenix (to decrypt passwords) and impermanence
            # depends on users
            (e: let pDir = config.my.tmproot.persistence.dir; in if pDir != null then "${pDir}${e.path}" else e.path)
            (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys));
      };
    }
    (mkIf config.my.build.isDevVM {
      age.identityPaths = [ cfg.vmKeyPath ];
    })
  ];
}
nixos: Fix secrets in containers 2022-04-18 15:34:08 +01:00			`{ lib, pkgs, config, secretsPath, ... }:`
Add secret support 2022-02-22 00:59:57 +00:00			`let`
			`inherit (builtins) mapAttrs;`
nixos/secrets: Change runtime directory 2022-06-12 11:45:21 +01:00			`inherit (lib) mkMerge mkIf mkDefault;`
Add secret support 2022-02-22 00:59:57 +00:00			`inherit (lib.my) mkOpt';`

			`cfg = config.my.secrets;`
			`in`
			`{`
			`options.my.secrets = with lib.types; {`
Implement initial containers module 2022-03-26 14:20:30 +00:00			`vmKeyPath = mkOpt' str "/tmp/xchg/dev.key" "Path to dev key when in a dev VM.";`
Add secret support 2022-02-22 00:59:57 +00:00			`key = mkOpt' (nullOr str) null "Public key that secrets for this system should be encrypted for.";`
			`files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix.";`
			`};`

Add secrets support to dev VMs 2022-02-22 01:30:27 +00:00			`config = mkMerge [`
			`{`
nixos: Fix secrets in containers 2022-04-18 15:34:08 +01:00			`age = {`
nixos/secrets: Change runtime directory 2022-06-12 11:45:21 +01:00			`secretsDir = mkDefault "/run/secrets";`
nixos: Fix secrets in containers 2022-04-18 15:34:08 +01:00			`secrets = mapAttrs (f: opts: {`
			`file = "${secretsPath}/${f}.age";`
			`} // opts) cfg.files;`
			`# agenix sets this as a default but adding any custom extras will _replace_ the list (different priority)`
			`identityPaths =`
			`mkIf config.services.openssh.enable`
Initial networking VM Also general improvements around VMs 2022-05-16 00:05:02 +01:00			`(map`
			`# Use the persit dir to grab the keys instead, otherwise they might not be ready. We can't really make`
			`# agenix depend on impermanence, since users depends on agenix (to decrypt passwords) and impermanence`
			`# depends on users`
nixos/containers: Fix agenix being broken with no dev key 2022-06-11 01:33:56 +01:00			`(e: let pDir = config.my.tmproot.persistence.dir; in if pDir != null then "${pDir}${e.path}" else e.path)`
Initial networking VM Also general improvements around VMs 2022-05-16 00:05:02 +01:00			`(lib.filter (e: e.type == "rsa" \|\| e.type == "ed25519") config.services.openssh.hostKeys));`
nixos: Fix secrets in containers 2022-04-18 15:34:08 +01:00			`};`
Add secrets support to dev VMs 2022-02-22 01:30:27 +00:00			`}`
			`(mkIf config.my.build.isDevVM {`
Implement initial containers module 2022-03-26 14:20:30 +00:00			`age.identityPaths = [ cfg.vmKeyPath ];`
Add secrets support to dev VMs 2022-02-22 01:30:27 +00:00			`})`
			`];`
Add secret support 2022-02-22 00:59:57 +00:00			`}`