nixos: Fix secrets in containers

2022-04-18 15:34:08 +01:00
parent a817c7e23a
commit 91e3e55077
5 changed files with 32 additions and 11 deletions
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -245,6 +245,12 @@ in
                (u: ''install -d -o ${u.name} -g ${u.group} /nix/var/nix/{profiles,gcroots}/per-user/"${u.name}"'') users;
          deps = [ "users" "groups" ];
        };
+
+        # age requires all keys to at least exist, even if they're not going to be used
+        ensureDevKey.text =
+        ''
+          [ ! -e "${devVMKeyPath}" ] && touch "${devVMKeyPath}"
+        '';
      };

      networking = {
--- a/nixos/modules/secrets.nix
+++ b/nixos/modules/secrets.nix
@@ -1,4 +1,4 @@
-{ lib, config, secretsPath, ... }:
+{ lib, pkgs, config, secretsPath, ... }:
 let
  inherit (builtins) mapAttrs;
  inherit (lib) mkMerge mkIf;
@@ -15,10 +15,22 @@ in

  config = mkMerge [
    {
-      age.secrets = mapAttrs (f: opts: {
-        file = "${secretsPath}/${f}.age";
-      } // opts) cfg.files;
+      age = {
+        secrets = mapAttrs (f: opts: {
+          file = "${secretsPath}/${f}.age";
+        } // opts) cfg.files;
+        # agenix sets this as a default but adding any custom extras will _replace_ the list (different priority)
+        identityPaths =
+          mkIf config.services.openssh.enable
+          (map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys));
+      };
    }
+    (mkIf (config.age.secrets != { }) {
+        system.activationScripts.agenixMountSecrets.deps = mkIf (config.my.tmproot.persistence.dir != null) [
+          # The key used to decrypt is not going to exist!
+          "persist-files"
+        ];
+    })
    (mkIf config.my.build.isDevVM {
      age.identityPaths = [ cfg.vmKeyPath ];
    })