aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nixops/eldiron.nix1
-rw-r--r--nixops/modules/secrets/default.nix68
2 files changed, 69 insertions, 0 deletions
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 5e0227d..a85b9de 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -43,6 +43,7 @@
43 ./modules/irc 43 ./modules/irc
44 ./modules/buildbot 44 ./modules/buildbot
45 ./modules/dns 45 ./modules/dns
46 ./modules/secrets
46 ]; 47 ];
47 services.myGitolite.enable = true; 48 services.myGitolite.enable = true;
48 services.myDatabases.enable = true; 49 services.myDatabases.enable = true;
diff --git a/nixops/modules/secrets/default.nix b/nixops/modules/secrets/default.nix
new file mode 100644
index 0000000..7096e48
--- /dev/null
+++ b/nixops/modules/secrets/default.nix
@@ -0,0 +1,68 @@
1{ lib, pkgs, config, myconfig, mylibs, ... }:
2{
3 options.mySecrets = {
4 keys = lib.mkOption {
5 type = lib.types.listOf lib.types.unspecified;
6 default = {};
7 description = "Keys to upload to server";
8 };
9 };
10 config = let
11 oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys;
12 keys = config.mySecrets.keys;
13 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
14 dumpOldKey = k: v: let
15 dest = if v.destDir == "/run/keys"
16 then k
17 else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k;
18 in ''
19 mkdir -p secrets/$(dirname ${dest})
20 echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest}
21 cat >> mods <<EOF
22 ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${dest}
23 EOF
24 '';
25 dumpKey = v: ''
26 mkdir -p secrets/$(dirname ${v.dest})
27 echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
28 cat >> mods <<EOF
29 ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
30 EOF
31 '';
32 secrets = pkgs.runCommand "secrets.tar" {} ''
33 touch mods
34 tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
35 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList dumpOldKey oldkeys)}
36 ${builtins.concatStringsSep "\n" (map dumpKey keys)}
37 cat mods | while read u g p k; do
38 tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
39 done
40 '';
41 in {
42 system.activationScripts.secrets = {
43 deps = [ "users" "wrappers" ];
44 text = ''
45 install -m0750 -o root -g keys -d /var/secrets
46 if [ -f /run/keys/secrets.tar ]; then
47 if [ ! -f /var/secrets/currentSecrets ] || ! sha512sum -c --status "/var/secrets/currentSecrets"; then
48 echo "rebuilding secrets"
49 rm -rf /var/secrets
50 install -m0750 -o root -g keys -d /var/secrets
51 ${pkgs.gnutar}/bin/tar --strip-components 1 -C /var/secrets -xf /run/keys/secrets.tar
52 sha512sum /run/keys/secrets.tar > /var/secrets/currentSecrets
53 find /var/secrets -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
54 fi
55 fi
56 '';
57 };
58 deployment.keys."secrets.tar" = {
59 permissions = "0400";
60 # keyFile below is not evaluated at build time by nixops, so the
61 # `secrets` path doesn’t necessarily exist when uploading the
62 # keys, and nixops is unhappy.
63 user = "root${builtins.substring 10000 1 secrets}";
64 group = "root";
65 keyFile = "${secrets}";
66 };
67 };
68}