From 282c67a117b7d349b30a96972b050d630f906dec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 7 Oct 2021 15:17:30 +0200 Subject: Refactor secrets handling --- modules/private/buildbot/default.nix | 2 +- modules/private/databases/default.nix | 2 +- modules/private/environment.nix | 25 +++++++--- modules/private/system.nix | 7 ++- modules/private/system/backup-2.nix | 5 +- modules/private/system/dilion.nix | 11 +++-- modules/private/system/eldiron.nix | 5 +- modules/private/system/monitoring-1.nix | 5 +- modules/private/system/quatresaisons.nix | 5 +- modules/secrets.nix | 83 +++++++++++++++++++++----------- 10 files changed, 98 insertions(+), 52 deletions(-) (limited to 'modules') diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index ac34845..ea0bef6 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix @@ -138,7 +138,7 @@ in permissions = "0600"; user = "buildbot"; group = "buildbot"; - text = builtins.readFile "${config.myEnv.privateFiles}/buildbot_ssh_key"; + text = config.myEnv.buildbot.ssh_key.private; dest = "buildbot/ssh_key"; } ]; diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix index 6cd6feb..1241658 100644 --- a/modules/private/databases/default.nix +++ b/modules/private/databases/default.nix @@ -25,7 +25,7 @@ in }; openldap = { - accessFile = "${config.myEnv.privateFiles}/ldap.conf"; + accessFile = ../../../nixops/secrets/ldap.conf; baseDn = config.myEnv.ldap.base; rootDn = config.myEnv.ldap.root_dn; rootPw = config.myEnv.ldap.root_pw; diff --git a/modules/private/environment.nix b/modules/private/environment.nix index f0af572..65d9f0a 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix @@ -805,6 +805,15 @@ in description = "Buildbot configuration"; type = submodule { options = { + ssh_key = mkOption { + description = "SSH key information"; + type = submodule { + options = { + public = mkOption { type = str; description = "Public part of the key"; }; + private = mkOption { type = lines; description = "Private part of the key"; }; + }; + }; + }; workerPassword = mkOption { description = "Buildbot worker password"; type = str; }; user = mkOption { description = "Buildbot user"; @@ -961,6 +970,15 @@ in type = submodule { options = { ldap = mkLdapOptions "Gitolite" {}; + ssh_key = mkOption { + description = "SSH key information"; + type = submodule { + options = { + public = mkOption { type = str; description = "Public part of the key"; }; + private = mkOption { type = lines; description = "Private part of the key"; }; + }; + }; + }; }; }; }; @@ -1461,13 +1479,6 @@ in }; }; }; - - privateFiles = mkOption { - type = path; - description = '' - Path to secret files to make available during build - ''; - }; }; options.hostEnv = mkOption { readOnly = true; diff --git a/modules/private/system.nix b/modules/private/system.nix index 0e72d99..c7e277c 100644 --- a/modules/private/system.nix +++ b/modules/private/system.nix @@ -4,7 +4,12 @@ networking.extraHosts = builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes); - users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ]; + users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ]; + secrets.deleteSecretsVars = true; + secrets.gpgKeys = [ + ../../nixops/public_keys/Immae.pub + ]; + services.openssh.enable = true; services.duplyBackup.profiles.system = { diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index d1064c7..1f226c0 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix @@ -1,4 +1,3 @@ -{ privateFiles }: { config, pkgs, resources, name, ... }: { deployment = { @@ -6,8 +5,10 @@ targetHost = config.hostEnv.ips.main.ip4; substituteOnDestination = true; }; + # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age + secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ]; boot.kernelPackages = pkgs.linuxPackages_latest; - myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + myEnv = import ../../../nixops/secrets/environment.nix; imports = [ ] ++ builtins.attrValues (import ../..); diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix index a59d607..b9be8b0 100644 --- a/modules/private/system/dilion.nix +++ b/modules/private/system/dilion.nix @@ -1,4 +1,3 @@ -{ privateFiles }: { config, pkgs, name, lib, ... }: { deployment = { @@ -6,6 +5,8 @@ targetHost = config.hostEnv.ips.main.ip4; substituteOnDestination = true; }; + # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age + secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ]; nixpkgs.system = lib.mkOverride 900 "x86_64-linux"; boot = { loader = { @@ -31,7 +32,7 @@ powerManagement.cpuFreqGovernor = "powersave"; hardware.enableRedistributableFirmware = true; - myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + myEnv = import ../../../nixops/secrets/environment.nix; swapDevices = [ { label = "swap"; } ]; fileSystems = { @@ -88,10 +89,10 @@ isSystemUser = true; group = "libvirtd"; packages = [ pkgs.netcat-openbsd ]; - openssh.authorizedKeys.keyFiles = [ - "${privateFiles}/buildbot_ssh_key.pub" + openssh.authorizedKeys.keys = [ + config.myEnv.buildbot.ssh_key.public + config.myEnv.sshd.rootKeys.ismael_flony ]; - openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.ismael_flony ]; }; users.users.backup = { diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index 4fb18a0..6c570c8 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix @@ -1,4 +1,3 @@ -{ privateFiles }: { config, pkgs, lib, ... }: { deployment = { @@ -6,6 +5,8 @@ targetHost = config.hostEnv.ips.main.ip4; substituteOnDestination = true; }; + # ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age + secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ]; boot = { kernelModules = [ "kvm-intel" ]; blacklistedKernelModules = [ "nvidiafb" ]; @@ -28,7 +29,7 @@ ''; nix.maxJobs = 8; powerManagement.cpuFreqGovernor = "powersave"; - myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + myEnv = import ../../../nixops/secrets/environment.nix; fileSystems = { # pools: diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix index 2198d09..e335080 100644 --- a/modules/private/system/monitoring-1.nix +++ b/modules/private/system/monitoring-1.nix @@ -1,4 +1,3 @@ -{ privateFiles }: { config, pkgs, resources, ... }: { deployment = { @@ -6,8 +5,10 @@ targetHost = config.hostEnv.ips.main.ip4; substituteOnDestination = true; }; + # ssh-keyscan monitoring-1 | nix-shell -p ssh-to-age --run ssh-to-age + secrets.ageKeys = [ "age1dn4lzhgxusqrpjjnzm7w8ml39ptf326htuzmpqdqs2gg3wq7cqzqxuvx8k" ]; boot.kernelPackages = pkgs.linuxPackages_latest; - myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + myEnv = import ../../../nixops/secrets/environment.nix; imports = [ ] ++ builtins.attrValues (import ../..); diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix index 03446e7..0148650 100644 --- a/modules/private/system/quatresaisons.nix +++ b/modules/private/system/quatresaisons.nix @@ -1,4 +1,3 @@ -{ privateFiles }: { config, pkgs, lib, ... }: let serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; @@ -164,6 +163,8 @@ in targetHost = config.hostEnv.ips.main.ip4; substituteOnDestination = true; }; + # ssh-keyscan quatresaison | nix-shell -p ssh-to-age --run ssh-to-age + secrets.ageKeys = [ "age1yz8u6xvh2fltvyp96ep8crce3qx4tuceyhun6pwddfe0uvcrkarscxl7e7" ]; programs.ssh.package = pkgs.openssh.overrideAttrs(old: { PATH_PASSWD_PROG = "/run/wrappers/bin/passwd"; @@ -173,7 +174,7 @@ in imports = builtins.attrValues (import ../..) ++ [ ./quatresaisons/nextcloud.nix ./quatresaisons/databases.nix ]; - myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; }; + myEnv = import ../../../nixops/secrets/environment.nix; fileSystems = { "/" = { device = "/dev/disk/by-uuid/865931b4-c5cc-439f-8e42-8072c7a30634"; fsType = "ext4"; }; diff --git a/modules/secrets.nix b/modules/secrets.nix index ecc1ebc..86d276a 100644 --- a/modules/secrets.nix +++ b/modules/secrets.nix @@ -6,11 +6,36 @@ default = []; description = "Keys to upload to server"; }; + gpgKeys = lib.mkOption { + type = lib.types.listOf lib.types.path; + default = []; + description = "GPG public keys files to encrypt to"; + }; + ageKeys = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = []; + description = "AGE keys to encrypt to"; + }; + decryptKey = lib.mkOption { + type = lib.types.str; + default = "/etc/ssh/ssh_host_ed25519_key"; + description = "ed25519 key used to decrypt with AGE"; + }; location = lib.mkOption { type = lib.types.path; default = "/var/secrets"; description = "Location where to put the keys"; }; + secretsVars = lib.mkOption { + type = lib.types.path; + default = "/run/keys/vars.yml"; + description = "Location where the secrets variables are defined, to be used to fill the templates in secrets"; + }; + deleteSecretsVars = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Delete secrets file after deployment"; + }; # Read-only variables fullPaths = lib.mkOption { type = lib.types.attrsOf lib.types.path; @@ -33,56 +58,56 @@ ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v} EOF ''; - secrets = pkgs.runCommand "secrets.tar" {} '' + secrets = pkgs.runCommand "secrets.tar.enc" { + buildInputs = [ pkgs.gnupg pkgs.sops ]; + } '' touch mods tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done ${builtins.concatStringsSep "\n" (map dumpKey keys)} cat mods | while read u g p k; do tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" done + export HOME=$(pwd) + fingerprints= + for key in ${builtins.concatStringsSep " " config.secrets.gpgKeys}; do + gpg --import $key 2>/dev/null + fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head -n1) + done + + sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null ''; in lib.mkIf (builtins.length keys > 0) { system.activationScripts.secrets = { deps = [ "users" "wrappers" ]; text = '' install -m0750 -o root -g keys -d ${location} - if [ -f /run/keys/secrets.tar ]; then - if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then - echo "rebuilding secrets" - TMP=$(${pkgs.coreutils}/bin/mktemp -d) - if [ -n "$TMP" ]; then - install -m0750 -o root -g keys -d $TMP - ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar - if [ -f /run/keys/vars.yml ]; then - find $TMP -name "*.gucci.tpl" -exec \ - /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f /run/keys/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \; - sha512sum /run/keys/secrets.tar /run/keys/vars.yml > $TMP/currentSecrets - else - sha512sum /run/keys/secrets.tar > $TMP/currentSecrets - fi - find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; - ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location} - rm -rf $TMP - fi + TMP=$(${pkgs.coreutils}/bin/mktemp -d) + TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d) + chmod go-rwx $TMPWORK + if [ -n "$TMP" -a -n "$TMPWORK" ]; then + install -m0750 -o root -g keys -d $TMP + ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt + SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x + if [ -f ${config.secrets.secretsVars} ]; then + SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml fi + if [ -f $TMPWORK/vars.yml ]; then + find $TMP -name "*.gucci.tpl" -exec \ + /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \; + fi + find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; + ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location} + rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars} fi ''; }; - system.extraDependencies = [ secrets ]; deployment.secrets."secret_vars.yml" = { - source = builtins.toString ; - destination = "/run/keys/vars.yml"; + source = builtins.toString ../nixops/secrets/vars.yml; + destination = config.secrets.secretsVars; owner.user = "root"; owner.group = "root"; permissions = "0400"; }; - deployment.secrets."secrets.tar" = { - source = "${secrets}"; - destination = "/run/keys/secrets.tar"; - owner.user = "root"; - owner.group = "root"; - permissions = "0400"; - }; }; } -- cgit v1.2.3