Add secret support
This commit is contained in:
parent
ac31486f6b
commit
8c61cea30d
1
.gitignore
vendored
1
.gitignore
vendored
@ -2,3 +2,4 @@
|
|||||||
result*
|
result*
|
||||||
/.vms/*
|
/.vms/*
|
||||||
!/.vms/.gitkeep
|
!/.vms/.gitkeep
|
||||||
|
/.keys/*.key
|
||||||
|
0
.keys/.gitkeep
Normal file
0
.keys/.gitkeep
Normal file
1
.keys/deploy.pub
Normal file
1
.keys/deploy.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzBEJKVa7WFxY5EOqcxP1b+hrJiaPggFzJx8dlFAmug nixfiles-deploy
|
1
.keys/dev.pub
Normal file
1
.keys/dev.pub
Normal file
@ -0,0 +1 @@
|
|||||||
|
age1lm7la8qmu3rx89yvtdqz0m9l3fr96vf4nsqg6tpsv8yskzw7zgtqwt8lmu
|
@ -35,6 +35,12 @@ in
|
|||||||
help = "Remove home-manager flake.nix link";
|
help = "Remove home-manager flake.nix link";
|
||||||
command = "rm -f ${homeFlake}";
|
command = "rm -f ${homeFlake}";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
name = "agenix";
|
||||||
|
category = "utilities";
|
||||||
|
help = pkgs.agenix.meta.description;
|
||||||
|
command = ''exec ${pkgs.agenix}/bin/agenix --identity "$PRJ_ROOT/.keys/dev.key" "$@"'';
|
||||||
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
name = "fmt";
|
name = "fmt";
|
||||||
|
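Review bot: The `--identity "$PRJ_ROOT/.keys/dev.key"` argument on the new agenix command pins a file that nothing in the tree documents: `.keys/dev.key` is git-ignored by the `/.keys/*.key` rule added in this commit and has to be provisioned by hand, while only its public half `.keys/dev.pub` (an age recipient) is committed. A comment above the new `{` such as `# age identity for .keys/dev.pub; git-ignored (/.keys/*.key), must be provisioned locally before using this command` would save the next reader the search. The package-list hunk at L122 swaps `agenix` for `rage`, but this command still runs `${pkgs.agenix}/bin/agenix`, so the agenix CLI stays available through the command itself; presumably intended, but worth stating in the commit message. The enclosing command list starts and ends outside the hunk.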
@ -18,7 +18,7 @@ in
|
|||||||
packages = with pkgs; [
|
packages = with pkgs; [
|
||||||
coreutils
|
coreutils
|
||||||
nixVersions.stable
|
nixVersions.stable
|
||||||
agenix
|
rage
|
||||||
deploy-rs.deploy-rs
|
deploy-rs.deploy-rs
|
||||||
home-manager
|
home-manager
|
||||||
];
|
];
|
||||||
|
@ -107,6 +107,8 @@
|
|||||||
inherit lib pkgsFlakes hmFlakes inputs;
|
inherit lib pkgsFlakes hmFlakes inputs;
|
||||||
pkgs' = configPkgs';
|
pkgs' = configPkgs';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nixos.secretsPath = ./secrets;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Not an internal part of the module system apparently, but it doesn't have any dependencies other than lib
|
# Not an internal part of the module system apparently, but it doesn't have any dependencies other than lib
|
||||||
@ -120,9 +122,8 @@
|
|||||||
in
|
in
|
||||||
# Platform independent stuff
|
# Platform independent stuff
|
||||||
{
|
{
|
||||||
lib = lib.my;
|
|
||||||
nixpkgs = pkgs';
|
nixpkgs = pkgs';
|
||||||
inherit nixfiles;
|
inherit lib nixfiles;
|
||||||
|
|
||||||
nixosModules = nixfiles.config.nixos.modules;
|
nixosModules = nixfiles.config.nixos.modules;
|
||||||
homeModules = nixfiles.config.home-manager.modules;
|
homeModules = nixfiles.config.home-manager.modules;
|
||||||
|
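Review bot: Replacing `lib = lib.my;` with `inherit lib nixfiles;` changes the shape of the flake's exported `lib` from the `my` helper set to the whole extended lib, so any out-of-tree consumer that read `self.lib.<helper>` now has to read `self.lib.my.<helper>`. The root `secrets.nix` added in this commit depends on the new shape (`inherit (lib) optional flatten zipAttrsWith …`), so the change looks intentional, but it is a breaking change to the flake's public outputs and is not mentioned in the commit message. The `nixos.secretsPath = ./secrets;` line in the first hunk is fine as far as this hunk shows; the enclosing attribute set starts and ends outside the hunk.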
@ -27,7 +27,7 @@ in
|
|||||||
ssh = {
|
ssh = {
|
||||||
authKeys = {
|
authKeys = {
|
||||||
literal = mkOpt' (listOf singleLineStr) [ ] "List of OpenSSH keys to allow";
|
literal = mkOpt' (listOf singleLineStr) [ ] "List of OpenSSH keys to allow";
|
||||||
files = mkOpt' (listOf str) [ ] "List of OpenSSH key files to allow";
|
files = mkOpt' (listOf path) [ ] "List of OpenSSH key files to allow";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -226,7 +226,7 @@ in
|
|||||||
})
|
})
|
||||||
(mkIf config.my.isStandalone {
|
(mkIf config.my.isStandalone {
|
||||||
my = {
|
my = {
|
||||||
ssh.authKeys.files = [ lib.my.authorizedKeys ];
|
ssh.authKeys.files = [ lib.my.sshKeyFiles.me ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fonts.fontconfig.enable = true;
|
fonts.fontconfig.enable = true;
|
||||||
|
5
lib.nix
5
lib.nix
@ -132,5 +132,8 @@ rec {
|
|||||||
filterOpts = filterAttrsRecursive (_: v: v != null);
|
filterOpts = filterAttrsRecursive (_: v: v != null);
|
||||||
};
|
};
|
||||||
|
|
||||||
authorizedKeys = toString ./authorized_keys;
|
sshKeyFiles = {
|
||||||
|
me = .keys/me.pub;
|
||||||
|
deploy = .keys/deploy.key;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
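Review bot: `deploy = .keys/deploy.key;` points at a `.key` path, which is exactly what the new `/.keys/*.key` gitignore rule hides, while the public key this commit actually adds is `.keys/deploy.pub`; the two consumers of this value (`users.users.root.openssh.authorizedKeys.keyFiles` at L503 and the `my.deploy.authorizedKeys.keyFiles` default at L575) expect an OpenSSH public-key file. Because a Nix path literal is copied into the world-readable store as soon as it is interpolated into a string, referencing a private key here would both fail on clean checkouts and, where the file exists, expose it; the line should read `deploy = .keys/deploy.pub;`. `me = .keys/me.pub;` is likewise not among the files added in this commit (only `dev.pub` and `deploy.pub` are), so unless `.keys/me.pub` already exists in the tree, every default that references `lib.my.sshKeyFiles.me` fails at evaluation. The enclosing `rec { … }` starts outside the hunk.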
@ -13,6 +13,11 @@
|
|||||||
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
|
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
|
||||||
|
|
||||||
my = {
|
my = {
|
||||||
|
secrets = {
|
||||||
|
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkqdN5t3UKwrNOOPKlbnG1WYhnkV5H9luAzMotr8SbT";
|
||||||
|
files."test.txt" = {};
|
||||||
|
};
|
||||||
|
|
||||||
firewall = {
|
firewall = {
|
||||||
trustedInterfaces = [ "blah" ];
|
trustedInterfaces = [ "blah" ];
|
||||||
nat = {
|
nat = {
|
||||||
|
@ -52,6 +52,7 @@ let
|
|||||||
];
|
];
|
||||||
|
|
||||||
_module.args = {
|
_module.args = {
|
||||||
|
inherit (cfg) secretsPath;
|
||||||
pkgs' = allPkgs;
|
pkgs' = allPkgs;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -121,6 +122,7 @@ in
|
|||||||
|
|
||||||
options = with lib.types; {
|
options = with lib.types; {
|
||||||
nixos = {
|
nixos = {
|
||||||
|
secretsPath = mkOpt' path null "Path to encrypted secret files.";
|
||||||
modules = mkOpt' (attrsOf commonOpts.moduleType) { } "NixOS modules to be exported by nixfiles.";
|
modules = mkOpt' (attrsOf commonOpts.moduleType) { } "NixOS modules to be exported by nixfiles.";
|
||||||
systems = mkOpt' (attrsOf (submodule systemOpts)) { } "NixOS systems to be exported by nixfiles.";
|
systems = mkOpt' (attrsOf (submodule systemOpts)) { } "NixOS systems to be exported by nixfiles.";
|
||||||
};
|
};
|
||||||
|
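Review bot: `secretsPath = mkOpt' path null "…"` gives a `path`-typed option a `null` default; if I recall correctly, the module system type-checks the default when the option is read, so a downstream user who imports nixfiles without setting `nixos.secretsPath` gets a type error from the new secrets module rather than a clear "must be set" message. Either `mkOpt' (nullOr path) null "Path to encrypted secret files."` with a null check where it is consumed, or an option with no default, would make the requirement explicit. The value is threaded through `_module.args` in the first hunk and interpolated as `"${secretsPath}/…"` in the new secrets module, which copies the whole directory into the store; the contents are age-encrypted so that is acceptable, but the description could say so, e.g. `"Path to encrypted secret files (copied to the store; must contain only encrypted .age files)."`. The enclosing `options` set starts and ends outside the hunk.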
@ -33,7 +33,7 @@
|
|||||||
environment.sessionVariables = {
|
environment.sessionVariables = {
|
||||||
INSTALL_ROOT = installRoot;
|
INSTALL_ROOT = installRoot;
|
||||||
};
|
};
|
||||||
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
|
users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ];
|
||||||
home-manager.users.root = {
|
home-manager.users.root = {
|
||||||
programs = {
|
programs = {
|
||||||
starship.settings = {
|
starship.settings = {
|
||||||
|
@ -8,5 +8,6 @@
|
|||||||
firewall = ./firewall.nix;
|
firewall = ./firewall.nix;
|
||||||
server = ./server.nix;
|
server = ./server.nix;
|
||||||
deploy-rs = ./deploy-rs.nix;
|
deploy-rs = ./deploy-rs.nix;
|
||||||
|
secrets = ./secrets.nix;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -10,7 +10,7 @@ in
|
|||||||
options.my.deploy = with lib.types; {
|
options.my.deploy = with lib.types; {
|
||||||
authorizedKeys = {
|
authorizedKeys = {
|
||||||
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
|
keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user.";
|
||||||
keyFiles = mkOpt' (listOf str) [ ] "SSH public key files to add to the default deployment user.";
|
keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user.";
|
||||||
};
|
};
|
||||||
|
|
||||||
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";
|
enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system.";
|
||||||
|
17
nixos/modules/secrets.nix
Normal file
17
nixos/modules/secrets.nix
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
{ lib, config, secretsPath, ... }:
|
||||||
|
let
|
||||||
|
inherit (builtins) mapAttrs;
|
||||||
|
inherit (lib.my) mkOpt';
|
||||||
|
|
||||||
|
cfg = config.my.secrets;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.my.secrets = with lib.types; {
|
||||||
|
key = mkOpt' (nullOr str) null "Public key that secrets for this system should be encrypted for.";
|
||||||
|
files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix.";
|
||||||
|
};
|
||||||
|
|
||||||
|
config.age.secrets = mapAttrs (f: opts: {
|
||||||
|
file = "${secretsPath}/${f}.age";
|
||||||
|
} // opts) cfg.files;
|
||||||
|
}
|
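Review bot: `files = mkOpt' (attrsOf unspecified) { } "…"` combined with `{ file = …; } // opts` means any per-secret attribute set is passed to `age.secrets` unvalidated, and a stray `file` key in `opts` silently replaces the computed `${secretsPath}/${f}.age` path; if overriding `file` is not intended, write `opts // { file = "${secretsPath}/${f}.age"; }`, and either way the option description should say which agenix attributes are accepted. The module also assigns `config.age.secrets`, which only exists when the agenix NixOS module is imported by the consuming system, and nothing in this file imports it; a header comment such as `# Requires the agenix NixOS module (provides age.secrets) to be imported alongside this one.` would make that dependency visible. The `key` description could state the expected format, e.g. `"SSH host public key (ssh-ed25519 …) that secrets for this system are encrypted for."`, since the root secrets.nix passes it straight through as an age recipient.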
@ -35,14 +35,12 @@ in
|
|||||||
shell =
|
shell =
|
||||||
let shell = cfg.homeConfig.my.shell;
|
let shell = cfg.homeConfig.my.shell;
|
||||||
in mkIf (shell != null) (mkDefault' shell);
|
in mkIf (shell != null) (mkDefault' shell);
|
||||||
openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ];
|
openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ];
|
||||||
};
|
};
|
||||||
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the
|
# In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the
|
||||||
# parent attr name) to be the users name, aka `home-manager.users.<name>`
|
# parent attr name) to be the users name, aka `home-manager.users.<name>`
|
||||||
homeConfig = { _module.args.name = lib.mkForce user'.name; };
|
homeConfig = { _module.args.name = lib.mkForce user'.name; };
|
||||||
};
|
};
|
||||||
|
|
||||||
deploy.authorizedKeys = mkDefault user'.openssh.authorizedKeys;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with
|
# mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with
|
||||||
|
24
secrets.nix
Normal file
24
secrets.nix
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
let
|
||||||
|
self = getFlake (toString ./.);
|
||||||
|
inherit (self) lib;
|
||||||
|
|
||||||
|
inherit (builtins) mapAttrs attrValues readFile getFlake;
|
||||||
|
inherit (lib) optional flatten zipAttrsWith nameValuePair mapAttrs';
|
||||||
|
|
||||||
|
secretPath = p: "secrets/${p}.age";
|
||||||
|
|
||||||
|
defaultKeys = [
|
||||||
|
(readFile .keys/dev.pub)
|
||||||
|
];
|
||||||
|
secretKeys =
|
||||||
|
zipAttrsWith
|
||||||
|
(_: keys: flatten (keys ++ defaultKeys))
|
||||||
|
(map
|
||||||
|
(c: let cfg = c.config.my.secrets; in mapAttrs'
|
||||||
|
(f: _: nameValuePair
|
||||||
|
(secretPath f)
|
||||||
|
(optional (cfg.key != null) cfg.key))
|
||||||
|
cfg.files)
|
||||||
|
(attrValues self.nixosConfigurations));
|
||||||
|
in
|
||||||
|
mapAttrs (_: keys: { publicKeys = keys; }) secretKeys
|
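Review bot: `(optional (cfg.key != null) cfg.key)` means a system that declares `my.secrets.files` but leaves `my.secrets.key` at its `null` default gets its secrets encrypted only to `defaultKeys`, which is a silent misconfiguration: the host can never decrypt them and nothing says so until deploy time. Failing loudly here, e.g. `(if cfg.key != null then [ cfg.key ] else throw "my.secrets.key is unset but secrets are declared")`, turns that into an evaluation error. `readFile .keys/dev.pub` also keeps any trailing newline in the recipient string; `lib.fileContents .keys/dev.pub` strips it, which is safer unless you have confirmed the age backend tolerates it.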
BIN
secrets/test.txt.age
Normal file
BIN
secrets/test.txt.age
Normal file
Binary file not shown.