nixos: Fix secrets in containers

2022-04-18 15:34:08 +01:00
parent a817c7e23a
commit 91e3e55077
5 changed files with 32 additions and 11 deletions
--- a/nixos/containers/vaultwarden.nix
+++ b/nixos/containers/vaultwarden.nix
@@ -17,6 +17,7 @@
            server.enable = true;

            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHoWhafCkLVggsO24fFWm3nmkY5t23GHbBafBVGijbQ";
              files."${vwSecrets}" = {};
            };

--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -245,6 +245,12 @@ in
                (u: ''install -d -o ${u.name} -g ${u.group} /nix/var/nix/{profiles,gcroots}/per-user/"${u.name}"'') users;
          deps = [ "users" "groups" ];
        };
+
+        # age requires all keys to at least exist, even if they're not going to be used
+        ensureDevKey.text =
+        ''
+          [ ! -e "${devVMKeyPath}" ] && touch "${devVMKeyPath}"
+        '';
      };

      networking = {
--- a/nixos/modules/secrets.nix
+++ b/nixos/modules/secrets.nix
@@ -1,4 +1,4 @@
-{ lib, config, secretsPath, ... }:
+{ lib, pkgs, config, secretsPath, ... }:
 let
  inherit (builtins) mapAttrs;
  inherit (lib) mkMerge mkIf;
@@ -15,10 +15,22 @@ in

  config = mkMerge [
    {
-      age.secrets = mapAttrs (f: opts: {
-        file = "${secretsPath}/${f}.age";
-      } // opts) cfg.files;
+      age = {
+        secrets = mapAttrs (f: opts: {
+          file = "${secretsPath}/${f}.age";
+        } // opts) cfg.files;
+        # agenix sets this as a default but adding any custom extras will _replace_ the list (different priority)
+        identityPaths =
+          mkIf config.services.openssh.enable
+          (map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys));
+      };
    }
+    (mkIf (config.age.secrets != { }) {
+        system.activationScripts.agenixMountSecrets.deps = mkIf (config.my.tmproot.persistence.dir != null) [
+          # The key used to decrypt is not going to exist!
+          "persist-files"
+        ];
+    })
    (mkIf config.my.build.isDevVM {
      age.identityPaths = [ cfg.vmKeyPath ];
    })
--- a/secrets/test.txt.age
+++ b/secrets/test.txt.age
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
@@ -1,8 +1,10 @@
 age-encryption.org/v1
-> X25519 Lm6m9mqSeFYvQ3bo73i9KrAzADgWLRcxmUg31JwqgWw
-FXbd6LUIA9OlCiMb1Us3T3/RkbQbxWD3pZ77/y3UuDM
-> C3L/E-grease -7Y+*Gh
-UEBPiPpYXfbZltNeUQrX4ahsDakgciN6sSLLHkPsX69oGtLuGRQeoDC6tvEtG2Ws
-wJEX57JORoAWfZsUtF0Oj+hN++ANcCm1andG45Yf
--- 1Pr1sAqpDFUZBGe97NYMyN3AEgv/EJgBl9DK4Ga93oc
-<03>֔<1A>0<EFBFBD><30>`LVo<56>\<5C><>oХ<><D0A5>y<12><>m<EFBFBD><1E><>n^<5E><><EFBFBD><1D>r|Q@<40><><EFBFBD>q{<14>օf<><66><EFBFBD><EFBFBD>ϋ<){uc<12>u<EFBFBD><75>ޖ<EFBFBD><DE96>H<15><><EFBFBD><03>!U+7FYhh<68>W<EFBFBD><57>k<EFBFBD><6B>;RO<52>
+-> ssh-ed25519 LLxJog 98Cn1x2SC2HTaIxiz3YOig69A4M9EdyzgFIuLVVksWs
+TQfDxjzQd2b6QxXFX+erhFr+rXueFM/0OiuqLlLIDNo
+-> X25519 9X4Sj6LOvqid3yw/K4U4STf0+49sNr7mLRgO5gPJWkE
+tHci1YGnwAYY0POj7fCRpZoXMlF2GJ3+tD8+18RVG3A
+-> @<\}-grease U= <+9u} SWZKY{
+1MbcuWlKJ2vXC1ZHgSzSxTZUr3rvMs5c2IEMM60mFLmwWkfGSOO1z/7ldsUK7cSe
+abf7c/qMFE/92zIiMScnjwvIub6riV+llgJnMi26cn9IAPPcHA
+--- TkbUNAVf3Xq9oEpQIK/db8uVTMc7DlUIXE6If+IQbyE
+fK<EFBFBD><EFBFBD>&E<>ϲ<EFBFBD>43&j <20><><EFBFBD>AT<41><54><EFBFBD><EFBFBD><EFBFBD>k<EFBFBD><6B><EFBFBD><EFBFBD>AQ}F<><46><EFBFBD><18><><EFBFBD>}<7D>d<EFBFBD><64><EFBFBD>kdp<>:<05>}@S{f<>I<EFBFBD>A@{X <20><>p<><70>e־<><D6BE>}_y*f<><66><EFBFBD>/<><EFBFBD><7F>m<EFBFBD><6D><0E><0C><>