From 4284fa63ef36632af1e08501162e3e19bb049b3b Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Mon, 22 Mar 2021 09:16:44 -0400
Subject: Add syncer package to generate secrets remotely

---
 flake.nix | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 80 insertions(+), 2 deletions(-)

diff --git a/flake.nix b/flake.nix
index 51a4f78..466d2b0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,6 +11,76 @@
 nixosModules.localsecrets = import ./modules/localsecrets;
+ lib = rec {
+ writeSecret = { pkgs, name, secret }:
+ let
+ runtimeDirectory="secret-${name}";
+ in ''
+ systemd-run \
+ --wait \
+ -p DynamicUser=true \
+ -p RuntimeDirectory=${runtimeDirectory} \
+ -p RuntimeDirectoryMode=${secret.mode} \
+ -p RuntimeDirectoryPreserve=true \
+ -p WorkingDirectory=/run/${runtimeDirectory} \
+ -p PrivateTmp=true \
+ ${pkgs.bash}/bin/bash -c '${secret.generator}'
+
+ rm -rf "${secret.privateDir}" || true
+ chown "${secret.user}:${secret.group}" "/run/${runtimeDirectory}/private"
+ chmod "${secret.mode}" "/run/${runtimeDirectory}/private"
+ mv "/run/${runtimeDirectory}/private" "${secret.privateDir}"
+
+ rm -rf "${secret.publicDir}" || true
+ mv "/run/${runtimeDirectory}/public" "${secret.publicDir}"
+ '';
+
+ writeSecrets = nixosConfiguration:
+ let
+ pkgs = nixosConfiguration.pkgs;
+ cfg = nixosConfiguration.config.localsecrets;
+ lib = pkgs.lib;
+ in pkgs.writeScriptBin "write-secrets" ''
+ umask 0022
+ mkdir -p /var/lib/${cfg.stateDir}/public
+ mkdir -p /var/lib/${cfg.stateDir}/private
+
+ ${lib.concatStringsSep "\n" (lib.mapAttrsToList
+ (name: secret: writeSecret {
+ inherit pkgs name secret;
+ }) cfg.secrets)}
+ '';
+
+ makeSyncerPackages =
+ { nixosConfigurations, sshAccessor }:
+ forAllSystems (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ syncConfig = nixosConfiguration:
+ let
+ generator = writeSecrets nixosConfiguration;
+ in ''
+ nix copy -s --to ssh://${sshAccessor nixosConfiguration} ${generator}
+ ssh ${sshAccessor nixosConfiguration} ${generator}/bin/write-secrets
+ '';
+ in {
+ localsecrets-syncer = pkgs.writeScriptBin "localsecrets-syncer" ''
+ echo "Starting sync..."
+ ${pkgs.lib.concatMapStrings syncConfig nixosConfigurations}
+ echo "Done"
+ '';
+ }
+ );
+ };
+
+ packages = self.lib.makeSyncerPackages {
+ nixosConfigurations = builtins.attrValues self.nixosConfigurations;
+ sshAccessor = nixosConfiguration:
+ let
+ host = nixosConfiguration.config.networking.hostName;
+ in "root@dragon.orbekk.com";
+ };
+
 checks = forAllSystems (system: {
 test = let
@@ -51,9 +121,17 @@
 system = "x86_64-linux";
 modules = [
 self.nixosModules.localsecrets
- ({...}:
+ ({lib, pkgs, ...}:
 {
- localsecrets.secrets = [ "my-test-secret" ];
+ localsecrets.secrets.test-secret = {
+ generator = pkgs.writeScript "test-secret.sh" ''
+ #! ${pkgs.bash}/bin/bash
+ PATH=${lib.makeBinPath (with pkgs; [ coreutils ])}
+ mkdir -p private public
+ echo hello > private/key.private
+ echo world > public/key.public
+ '';
+ };
 boot.isContainer = true;
 }
 )
-- 
cgit v1.2.3
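Review bot: In `writeSecret`, `chown "${secret.user}:${secret.group}" "/run/${runtimeDirectory}/private"` changes the owner of the directory only, so the files the generator wrote inside it (`private/key.private` in the test fixture) stay owned by the transient UID that `DynamicUser=true` allocated, a UID systemd may later hand to an unrelated unit; `chown -R "${secret.user}:${secret.group}" "/run/${runtimeDirectory}/private"` keeps the contents under the intended owner, and a comment next to the `chmod` should say that `secret.mode` is applied to the directory alone while the file modes come from the generator's umask. Further down, `rm -rf "${secret.privateDir}" || true` runs before the `mv`, so if the move fails (it is presumably a copy rather than a rename when /run is a tmpfs and privateDir lives on disk) the host is left with no secret at all; moving into a sibling temporary path first and renaming afterwards would narrow that window. In `packages`, `host` is bound from `networking.hostName` but the accessor returns the literal `"root@dragon.orbekk.com"` for every configuration, so every host's secrets would be generated on that one machine; if this is not a deliberate placeholder, `in "root@${host}";` looks like what was intended. The enclosing flake outputs attribute set begins before this hunk.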