Move secrets module outside of nixops

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-10 14:56:43 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-10 14:56:43 +0200
commit: 1a7188052f235fb632700478fad0108e4306107d (patch)
tree: 046b43c711a161190e99953c709cd69aaa49b724 /modules
parent: d42bbbe6f510fce233ecb66d44d205761390b56e (diff)
download: Nix-1a7188052f235fb632700478fad0108e4306107d.tar.gz
Nix-1a7188052f235fb632700478fad0108e4306107d.tar.zst
Nix-1a7188052f235fb632700478fad0108e4306107d.zip
3 files changed, 65 insertions, 0 deletions
diff --git a/modules/default.nix b/modules/default.nix
index fa67144..4445c55 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1,6 @@
 {
  myids = ./myids.nix;
+  secrets = ./secrets.nix;
  mediagoblin = ./webapps/mediagoblin.nix;
  peertube = ./webapps/peertube.nix;
diff --git a/modules/myids.nix b/modules/myids.nix
index bd6caf3..8f74425 100644
--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -1,12 +1,15 @@
 { ... }:
 {
+  # Check that there is no clash with nixos/modules/misc/ids.nix
  config = {
    ids.uids = {
      peertube = 394;
+      nullmailer = 396;
      mediagoblin = 397;
    };
    ids.gids = {
      peertube = 394;
+      nullmailer = 396;
      mediagoblin = 397;
    };
  };
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 0000000..b282e56
--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,61 @@
+{ lib, pkgs, config, ... }:
+{
+  options.secrets = {
+    keys = lib.mkOption {
+      type = lib.types.listOf lib.types.unspecified;
+      default = [];
+      description = "Keys to upload to server";
+    };
+    location = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/secrets";
+      description = "Location where to put the keys";
+    };
+  };
+  config = let
+    location = config.secrets.location;
+    keys = config.secrets.keys;
+    empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+    dumpKey = v: ''
+        mkdir -p secrets/$(dirname ${v.dest})
+        echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
+        cat >> mods <<EOF
+        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+        EOF
+        '';
+    secrets = pkgs.runCommand "secrets.tar" {} ''
+      touch mods
+      tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
+      ${builtins.concatStringsSep "\n" (map dumpKey keys)}
+      cat mods | while read u g p k; do
+      tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
+      done
+      '';
+  in lib.mkIf (builtins.length keys > 0) {
+    system.activationScripts.secrets = {
+      deps = [ "users" "wrappers" ];
+      text = ''
+        install -m0750 -o root -g keys -d ${location}
+        if [ -f /run/keys/secrets.tar ]; then
+          if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
+            echo "rebuilding secrets"
+            rm -rf ${location}
+            install -m0750 -o root -g keys -d ${location}
+            ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
+            sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
+            find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+          fi
+        fi
+        '';
+    };
+    deployment.keys."secrets.tar" = {
+      permissions = "0400";
+      # keyFile below is not evaluated at build time by nixops, so the
+      # `secrets` path doesn’t necessarily exist when uploading the
+      # keys, and nixops is unhappy.
+      user = "root${builtins.substring 10000 1 secrets}";
+      group = "root";
+      keyFile = "${secrets}";
+    };
+  };
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-10 14:56:43 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-10 14:56:43 +0200
commit	1a7188052f235fb632700478fad0108e4306107d (patch)
tree	046b43c711a161190e99953c709cd69aaa49b724 /modules
parent	d42bbbe6f510fce233ecb66d44d205761390b56e (diff)
download	Nix-1a7188052f235fb632700478fad0108e4306107d.tar.gz Nix-1a7188052f235fb632700478fad0108e4306107d.tar.zst Nix-1a7188052f235fb632700478fad0108e4306107d.zip

diff --git a/modules/default.nix b/modules/default.nix index fa67144..4445c55 100644 --- a/modules/default.nix +++ b/modules/default.nix
@@ -1,5 +1,6 @@
1	{	1	{
2	myids = ./myids.nix;	2	myids = ./myids.nix;
		3	secrets = ./secrets.nix;
3		4
4	mediagoblin = ./webapps/mediagoblin.nix;	5	mediagoblin = ./webapps/mediagoblin.nix;
5	peertube = ./webapps/peertube.nix;	6	peertube = ./webapps/peertube.nix;


diff --git a/modules/myids.nix b/modules/myids.nix index bd6caf3..8f74425 100644 --- a/modules/myids.nix +++ b/modules/myids.nix
@@ -1,12 +1,15 @@
1	{ ... }:	1	{ ... }:
2	{	2	{
		3	# Check that there is no clash with nixos/modules/misc/ids.nix
3	config = {	4	config = {
4	ids.uids = {	5	ids.uids = {
5	peertube = 394;	6	peertube = 394;
		7	nullmailer = 396;
6	mediagoblin = 397;	8	mediagoblin = 397;
7	};	9	};
8	ids.gids = {	10	ids.gids = {
9	peertube = 394;	11	peertube = 394;
		12	nullmailer = 396;
10	mediagoblin = 397;	13	mediagoblin = 397;
11	};	14	};
12	};	15	};


diff --git a/modules/secrets.nix b/modules/secrets.nix new file mode 100644 index 0000000..b282e56 --- /dev/null +++ b/modules/secrets.nix
@@ -0,0 +1,61 @@
		1	{ lib, pkgs, config, ... }:
		2	{
		3	options.secrets = {
		4	keys = lib.mkOption {
		5	type = lib.types.listOf lib.types.unspecified;
		6	default = [];
		7	description = "Keys to upload to server";
		8	};
		9	location = lib.mkOption {
		10	type = lib.types.path;
		11	default = "/var/secrets";
		12	description = "Location where to put the keys";
		13	};
		14	};
		15	config = let
		16	location = config.secrets.location;
		17	keys = config.secrets.keys;
		18	empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
		19	dumpKey = v: ''
		20	mkdir -p secrets/$(dirname ${v.dest})
		21	echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
		22	cat >> mods <<EOF
		23	${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
		24	EOF
		25	'';
		26	secrets = pkgs.runCommand "secrets.tar" {} ''
		27	touch mods
		28	tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
		29	${builtins.concatStringsSep "\n" (map dumpKey keys)}
		30	cat mods \| while read u g p k; do
		31	tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
		32	done
		33	'';
		34	in lib.mkIf (builtins.length keys > 0) {
		35	system.activationScripts.secrets = {
		36	deps = [ "users" "wrappers" ];
		37	text = ''
		38	install -m0750 -o root -g keys -d ${location}
		39	if [ -f /run/keys/secrets.tar ]; then
		40	if [ ! -f ${location}/currentSecrets ] \|\| ! sha512sum -c --status "${location}/currentSecrets"; then
		41	echo "rebuilding secrets"
		42	rm -rf ${location}
		43	install -m0750 -o root -g keys -d ${location}
		44	${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
		45	sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
		46	find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
		47	fi
		48	fi
		49	'';
		50	};
		51	deployment.keys."secrets.tar" = {
		52	permissions = "0400";
		53	# keyFile below is not evaluated at build time by nixops, so the
		54	# `secrets` path doesn’t necessarily exist when uploading the
		55	# keys, and nixops is unhappy.
		56	user = "root${builtins.substring 10000 1 secrets}";
		57	group = "root";
		58	keyFile = "${secrets}";
		59	};
		60	};
		61	}