From 1a7188052f235fb632700478fad0108e4306107d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Fri, 10 May 2019 14:56:43 +0200
Subject: Move secrets module outside of nixops

---
 modules/default.nix | 1 +
 modules/myids.nix | 3 +++
 modules/secrets.nix | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 modules/secrets.nix
(limited to 'modules')

diff --git a/modules/default.nix b/modules/default.nix
index fa67144..4445c55 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1,6 @@
 {
 myids = ./myids.nix;
+ secrets = ./secrets.nix;
 mediagoblin = ./webapps/mediagoblin.nix;
 peertube = ./webapps/peertube.nix;
diff --git a/modules/myids.nix b/modules/myids.nix
index bd6caf3..8f74425 100644
--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -1,12 +1,15 @@
 { ... }:
 {
+ # Check that there is no clash with nixos/modules/misc/ids.nix
 config = {
 ids.uids = {
 peertube = 394;
+ nullmailer = 396;
 mediagoblin = 397;
 };
 ids.gids = {
 peertube = 394;
+ nullmailer = 396;
 mediagoblin = 397;
 };
 };
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 0000000..b282e56
--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,61 @@ +{ lib, pkgs, config, ... }: +{ + options.secrets = { + keys = lib.mkOption { + type = lib.types.listOf lib.types.unspecified; + default = []; + description = "Keys to upload to server"; + }; + location = lib.mkOption { + type = lib.types.path; + default = "/var/secrets"; + description = "Location where to put the keys"; + }; + }; + config = let + location = config.secrets.location; + keys = config.secrets.keys; + empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; + dumpKey = v: '' + mkdir -p secrets/$(dirname ${v.dest}) + echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest} + cat >> mods < 0) { + system.activationScripts.secrets = { + deps = [ "users" "wrappers" ]; + text = '' + install -m0750 -o root -g keys -d ${location} + if [ -f /run/keys/secrets.tar ]; then + if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then + echo "rebuilding secrets" + rm -rf ${location} + install -m0750 -o root -g keys -d ${location} + ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar + sha512sum /run/keys/secrets.tar > ${location}/currentSecrets + find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; + fi + fi + ''; + }; + deployment.keys."secrets.tar" = { + permissions = "0400"; + # keyFile below is not evaluated at build time by nixops, so the + # `secrets` path doesn’t necessarily exist when uploading the + # keys, and nixops is unhappy. + user = "root${builtins.substring 10000 1 secrets}"; + group = "root"; + keyFile = "${secrets}"; + }; + }; +} -- cgit v1.2.3
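Review bot: `dumpKey` interpolates `v.dest` unquoted into `mkdir -p secrets/$(dirname ${v.dest})` and into the redirect `> secrets/${v.dest}` while `v.text` is passed through `escapeShellArg`; a `dest` containing whitespace or shell metacharacters breaks the builder or writes to an unintended path, so both uses should be quoted, e.g. `mkdir -p "secrets/$(dirname ${lib.strings.escapeShellArg v.dest})"` and `echo -n ${lib.strings.escapeShellArg v.text} > secrets/${lib.strings.escapeShellArg v.dest}`. Because `v.text` is spliced into a build script and `keyFile = "${secrets}"` (with the `builtins.substring 10000 1 secrets` trick forcing that derivation to be realised) points at its output, the plaintext of every key appears to end up in a store path, which is world-readable on the deploying host and would be copied to any binary cache it pushes to; if that is the intended trade-off it deserves a comment above `dumpKey` saying so, otherwise the archive should be assembled outside the store. The `keys` option is typed `listOf unspecified`, so an entry missing `dest` or `text` only fails inside the builder; a `submodule` declaring those as `str` options would reject it at evaluation time with a clear message. Part of this hunk between `cat >> mods <` and `> 0) {` is missing from this view, so the exact construction of the `secrets` derivation and the `mkIf` condition could not be checked.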