modules/secrets.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

{ lib, pkgs, config, ... }:
{
  options.secrets = {
    keys = lib.mkOption {
      type = lib.types.listOf lib.types.unspecified;
      default = [];
      description = "Keys to upload to server";
    };
    gpgKeys = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [];
      description = "GPG public keys files to encrypt to";
    };
    ageKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      description = "AGE keys to encrypt to";
    };
    decryptKey = lib.mkOption {
      type = lib.types.str;
      default = "/etc/ssh/ssh_host_ed25519_key";
      description = "ed25519 key used to decrypt with AGE";
    };
    location = lib.mkOption {
      type = lib.types.path;
      default = "/var/secrets";
      description = "Location where to put the keys";
    };
    secretsVars = lib.mkOption {
      type = lib.types.path;
      default = "/run/keys/vars.yml";
      description = "Location where the secrets variables are defined, to be used to fill the templates in secrets";
    };
    deleteSecretsVars = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Delete secrets file after deployment";
    };
    # Read-only variables
    fullPaths = lib.mkOption {
      type = lib.types.attrsOf lib.types.path;
      default = builtins.listToAttrs
        (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
      readOnly = true;
      description = "set of full paths to secrets";
    };
  };

  config = let
    location = config.secrets.location;
    keys = config.secrets.keys;
    empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
    fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
    dumpKey = v: ''
        mkdir -p secrets/$(dirname ${v.dest})
        echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
        cat >> mods <<EOF
        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
        EOF
        '';
    secrets = pkgs.runCommand "secrets.tar.enc" {
      buildInputs = [ pkgs.gnupg pkgs.sops ];
      } ''
      touch mods
      tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
      ${builtins.concatStringsSep "\n" (map dumpKey keys)}
      cat mods | while read u g p k; do
      tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
      done
      export HOME=$(pwd)
      fingerprints=
      for key in ${builtins.concatStringsSep " " config.secrets.gpgKeys}; do
        gpg --import $key 2>/dev/null
        fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head -n1)
      done

      sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null
      '';
  in lib.mkIf (builtins.length keys > 0) {
    system.activationScripts.secrets = {
      deps = [ "users" "wrappers" ];
      text = ''
        install -m0750 -o root -g keys -d ${location}
        TMP=$(${pkgs.coreutils}/bin/mktemp -d)
        TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d)
        chmod go-rwx $TMPWORK
        if [ -n "$TMP" -a -n "$TMPWORK" ]; then
          install -m0750 -o root -g keys -d $TMP
          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt
          SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x
          if [ -f ${config.secrets.secretsVars} ]; then
            SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml
          fi
          if [ -f $TMPWORK/vars.yml ]; then
            find $TMP -name "*.gucci.tpl" -exec \
              /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
          fi
          find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
          ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
          rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars}
        fi
        '';
    };

    deployment.secrets."secret_vars.yml" = {
      source = builtins.toString ../nixops/secrets/vars.yml;
      destination = config.secrets.secretsVars;
      owner.user = "root";
      owner.group = "root";
      permissions = "0400";
     };
  };
}