nixos: Fix secrets in containers

2022-04-18 15:34:08 +01:00 · 2022-04-18 15:34:08 +01:00 · 91e3e55077
commit 91e3e55077
parent a817c7e23a
5 changed files with 32 additions and 11 deletions
--- a/nixos/containers/vaultwarden.nix
+++ b/nixos/containers/vaultwarden.nix
@ -17,6 +17,7 @@
            server.enable = true;

            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHoWhafCkLVggsO24fFWm3nmkY5t23GHbBafBVGijbQ";
              files."${vwSecrets}" = {};
            };

--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@ -245,6 +245,12 @@ in
                (u: ''install -d -o ${u.name} -g ${u.group} /nix/var/nix/{profiles,gcroots}/per-user/"${u.name}"'') users;
          deps = [ "users" "groups" ];
        };
+
+        # age requires all keys to at least exist, even if they're not going to be used
+        ensureDevKey.text =
+        ''
+          [ ! -e "${devVMKeyPath}" ] && touch "${devVMKeyPath}"
+        '';
      };

      networking = {
--- a/nixos/modules/secrets.nix
+++ b/nixos/modules/secrets.nix
@ -1,4 +1,4 @@
-{ lib, config, secretsPath, ... }:
+{ lib, pkgs, config, secretsPath, ... }:
 let
  inherit (builtins) mapAttrs;
  inherit (lib) mkMerge mkIf;
@ -15,10 +15,22 @@ in

  config = mkMerge [
    {
-      age.secrets = mapAttrs (f: opts: {
-        file = "${secretsPath}/${f}.age";
-      } // opts) cfg.files;
+      age = {
+        secrets = mapAttrs (f: opts: {
+          file = "${secretsPath}/${f}.age";
+        } // opts) cfg.files;
+        # agenix sets this as a default but adding any custom extras will _replace_ the list (different priority)
+        identityPaths =
+          mkIf config.services.openssh.enable
+          (map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys));
+      };
    }
+    (mkIf (config.age.secrets != { }) {
+        system.activationScripts.agenixMountSecrets.deps = mkIf (config.my.tmproot.persistence.dir != null) [
+          # The key used to decrypt is not going to exist!
+          "persist-files"
+        ];
+    })
    (mkIf config.my.build.isDevVM {
      age.identityPaths = [ cfg.vmKeyPath ];
    })
--- a/secrets/test.txt.age
+++ b/secrets/test.txt.age
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
@ -1,8 +1,10 @@
 age-encryption.org/v1
-> X25519 Lm6m9mqSeFYvQ3bo73i9KrAzADgWLRcxmUg31JwqgWw
-FXbd6LUIA9OlCiMb1Us3T3/RkbQbxWD3pZ77/y3UuDM
-> C3L/E-grease -7Y+*Gh
-UEBPiPpYXfbZltNeUQrX4ahsDakgciN6sSLLHkPsX69oGtLuGRQeoDC6tvEtG2Ws
-wJEX57JORoAWfZsUtF0Oj+hN++ANcCm1andG45Yf
--- 1Pr1sAqpDFUZBGe97NYMyN3AEgv/EJgBl9DK4Ga93oc
-•Ö”’0˜ü`LVoÖ\åÃoÐ¥ëÜyÍýmèÃÃn^Ä×ûär|Q@†µáq{ÄÖ…f¬ƒéîÏ‹<){ucÈu–<75>Þ–ÅÆH¾ð<C2BE>»!U+7FYhh°W¶ÅkˆÐ;RO¶
+-> ssh-ed25519 LLxJog 98Cn1x2SC2HTaIxiz3YOig69A4M9EdyzgFIuLVVksWs
+TQfDxjzQd2b6QxXFX+erhFr+rXueFM/0OiuqLlLIDNo
+-> X25519 9X4Sj6LOvqid3yw/K4U4STf0+49sNr7mLRgO5gPJWkE
+tHci1YGnwAYY0POj7fCRpZoXMlF2GJ3+tD8+18RVG3A
+-> @<\}-grease U= <+9u} SWZKY{
+1MbcuWlKJ2vXC1ZHgSzSxTZUr3rvMs5c2IEMM60mFLmwWkfGSOO1z/7ldsUK7cSe
+abf7c/qMFE/92zIiMScnjwvIub6riV+llgJnMi26cn9IAPPcHA
+--- TkbUNAVf3Xq9oEpQIK/db8uVTMc7DlUIXE6If+IQbyE
+fK“¦&E÷Ï²ª43&j Ó×äATÃêÜâîk‰ ˆ¬AQ}FÊëÇáúÙ}èd±žškdpŽ:ó}@S{fºIúA@{X ÝÍpÛÞeÖ¾ç‹}_y*fü¯Ó/â»œmñžÙ©õ