authorKjetil Orbekk <kj@orbekk.com>2021-03-22 09:16:44 -0400
committerKjetil Orbekk <kj@orbekk.com>2021-03-22 19:01:30 -0400
commit4284fa63ef36632af1e08501162e3e19bb049b3b (patch)
tree9b90ffb0dce89ea5661d1f28d5691963a5c71ec4
parent54b9b52bc0d92926d7889cdf9fda5f8bcc2dbbdc (diff)
Add syncer package to generate secrets remotelyHEADmain
-rw-r--r--flake.nix82
1 files changed, 80 insertions, 2 deletions
diff --git a/flake.nix b/flake.nix
index 51a4f78..466d2b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,6 +11,76 @@
nixosModules.localsecrets = import ./modules/localsecrets;
+ lib = rec {
+ writeSecret = { pkgs, name, secret }:
+ let
+ runtimeDirectory="secret-${name}";
+ in ''
+ systemd-run \
+ --wait \
+ -p DynamicUser=true \
+ -p RuntimeDirectory=${runtimeDirectory} \
+ -p RuntimeDirectoryMode=${secret.mode} \
+ -p RuntimeDirectoryPreserve=true \
+ -p WorkingDirectory=/run/${runtimeDirectory} \
+ -p PrivateTmp=true \
+ ${pkgs.bash}/bin/bash -c '${secret.generator}'
+
+ rm -rf "${secret.privateDir}" || true
+ chown "${secret.user}:${secret.group}" "/run/${runtimeDirectory}/private"
+ chmod "${secret.mode}" "/run/${runtimeDirectory}/private"
+ mv "/run/${runtimeDirectory}/private" "${secret.privateDir}"
+
+ rm -rf "${secret.publicDir}" || true
+ mv "/run/${runtimeDirectory}/public" "${secret.publicDir}"
+ '';
+
+ writeSecrets = nixosConfiguration:
+ let
+ pkgs = nixosConfiguration.pkgs;
+ cfg = nixosConfiguration.config.localsecrets;
+ lib = pkgs.lib;
+ in pkgs.writeScriptBin "write-secrets" ''
+ umask 0022
+ mkdir -p /var/lib/${cfg.stateDir}/public
+ mkdir -p /var/lib/${cfg.stateDir}/private
+
+ ${lib.concatStringsSep "\n" (lib.mapAttrsToList
+ (name: secret: writeSecret {
+ inherit pkgs name secret;
+ }) cfg.secrets)}
+ '';
+
+ makeSyncerPackages =
+ { nixosConfigurations, sshAccessor }:
+ forAllSystems (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ syncConfig = nixosConfiguration:
+ let
+ generator = writeSecrets nixosConfiguration;
+ in ''
+ nix copy -s --to ssh://${sshAccessor nixosConfiguration} ${generator}
+ ssh ${sshAccessor nixosConfiguration} ${generator}/bin/write-secrets
+ '';
+ in {
+ localsecrets-syncer = pkgs.writeScriptBin "localsecrets-syncer" ''
+ echo "Starting sync..."
+ ${pkgs.lib.concatMapStrings syncConfig nixosConfigurations}
+ echo "Done"
+ '';
+ }
+ );
+ };
+
+ packages = self.lib.makeSyncerPackages {
+ nixosConfigurations = builtins.attrValues self.nixosConfigurations;
+ sshAccessor = nixosConfiguration:
+ let
+ host = nixosConfiguration.config.networking.hostName;
+ in "root@dragon.orbekk.com";
+ };
+
checks = forAllSystems (system: {
test =
let
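Review bot: In writeSecret the existing secret is destroyed before the new one is known to exist: `rm -rf "${secret.privateDir}" || true` and the following `mv` run unconditionally after `systemd-run`, and neither this snippet nor the write-secrets wrapper sets `set -e`, so a generator that fails leaves the host with no private key and the syncer still prints "Done". Gating the swap on the generator's exit status (`set -euo pipefail` at the top of write-secrets, or `|| exit 1` on the systemd-run call) and renaming the old directory aside before moving the new one in would keep the previous secret on failure. Separately, `chown` and `chmod` are not recursive, so the files the generator creates inside `private/` keep the transient DynamicUser's UID and whatever umask that unit applies, making the directory mode the only protection; `chown -R` plus a file-level mode such as `find "$dir" -type f -exec chmod 0600 {} +` would close that. In `sshAccessor` the computed `host` is unused and every configuration is synced to `root@dragon.orbekk.com`, so secrets generated for other hosts would be written onto dragon; presumably `"root@${host}"` was intended. Note also that `secret.generator` is spliced into a single-quoted `bash -c` argument, which is fine for a store path but breaks on any value containing a single quote.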
@@ -51,9 +121,17 @@
system = "x86_64-linux";
modules = [
self.nixosModules.localsecrets
- ({...}:
+ ({lib, pkgs, ...}:
{
- localsecrets.secrets = [ "my-test-secret" ];
+ localsecrets.secrets.test-secret = {
+ generator = pkgs.writeScript "test-secret.sh" ''
+ #! ${pkgs.bash}/bin/bash
+ PATH=${lib.makeBinPath (with pkgs; [ coreutils ])}
+ mkdir -p private public
+ echo hello > private/key.private
+ echo world > public/key.public
+ '';
+ };
boot.isContainer = true;
}
)
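Review bot: The test generator creates `private/key.private` with whatever umask the transient unit applies (systemd's default is 0022, and nothing visible here sets UMask=), so the file itself is world-readable and only the directory mode derived from `secret.mode` shields it. Adding `umask 077` before the `mkdir -p private public` line would make the fixture produce a file that is safe on its own and doubles as the example real generators will copy. The check also asserts nothing about the ownership or mode of the resulting files; the rest of the test body lies outside this hunk, but a stat on the written key there would catch regressions.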