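{ config, pkgs, lib, ... }:
# localsecrets: generate secrets on the machine itself, at service start,
# instead of shipping them through the Nix store. Each secret's `generator`
# runs in its own transient unit (DynamicUser, PrivateTmp) with
# /run/secret-<name> as working directory and must leave its output in the
# `private/` and `public/` subdirectories there; those are then re-owned and
# moved to `privateDir` / `publicDir`.
#
# NOTE(review): the generate service is wantedBy multi-user.target and
# removes the previous privateDir/publicDir before moving the new output in,
# so every secret is regenerated on every boot. Generators for material that
# must stay stable across reboots have to be idempotent themselves — confirm
# this is the intended contract.
let
  types = lib.types;
  cfg = config.localsecrets;

  # Quote a value for safe interpolation into the generated shell script.
  # The value is interpolated into a string first so a `types.path`
  # generator is still copied into the store (escapeShellArg's own toString
  # would not do that).
  esc = v: lib.escapeShellArg "${v}";

  # "user:group" as chown expects it.
  owner = secret: "${secret.user}:${secret.group}";

  keyOpts = { name, ... }: {
    options = {
      generator = lib.mkOption {
        type = types.either types.str types.path;
        default = "";
        description = ''
          Shell snippet (or executable file) run as `bash -c` in an isolated
          transient unit. Its working directory is `/run/secret-<name>`; it
          must create the `private/` and `public/` subdirectories there and
          leave its output in them.
        '';
      };

      privateDir = lib.mkOption {
        type = types.str;
        default = "/var/lib/${cfg.stateDir}/private/${name}";
        description = "Where the generator's `private/` output ends up.";
      };

      publicDir = lib.mkOption {
        type = types.str;
        default = "/var/lib/${cfg.stateDir}/public/${name}";
        description = "Where the generator's `public/` output ends up.";
      };

      mode = lib.mkOption {
        # Octal only: the value is also passed to RuntimeDirectoryMode=,
        # which does not accept symbolic chmod modes.
        type = types.strMatching "[0-7]{3,4}";
        default = "0700";
        description = "Mode of the runtime directory and of privateDir.";
      };

      user = lib.mkOption {
        type = types.str;
        default = "root";
        description = "Owner of privateDir and publicDir after generation.";
      };

      group = lib.mkOption {
        type = types.str;
        default = "root";
        description = "Group of privateDir and publicDir after generation.";
      };
    };
  };
in
{
  options = {
    localsecrets = {
      enable = lib.mkEnableOption "Deploy localsecrets";

      stateDir = lib.mkOption {
        type = types.str;
        default = "localsecrets";
        description = ''
          Name of the systemd StateDirectory (under /var/lib) that holds the
          default privateDir/publicDir locations.
        '';
      };

      secrets = lib.mkOption {
        type = types.attrsOf (types.submodule keyOpts);
        # attrsOf needs an attrset default; a list default made
        # mapAttrsToList below fail when no secret was configured.
        default = { };
        description = "Secrets to generate, keyed by name.";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = lib.concatLists (lib.mapAttrsToList (name: secret: [
      {
        # The name becomes a systemd RuntimeDirectory= component.
        assertion = builtins.match "[A-Za-z0-9._-]+" name != null;
        message = "localsecrets.secrets.${name}: name must match [A-Za-z0-9._-]+";
      }
      {
        # An empty generator produces no private/ or public/ directory and
        # the unit would fail at the chown below instead of at eval time.
        assertion = secret.generator != "";
        message = "localsecrets.secrets.${name}: generator must not be empty";
      }
    ]) cfg.secrets);

    systemd.services.localsecrets-generate = {
      description = "Generate local secrets";
      wantedBy = [ "multi-user.target" ];
      # Presumably so generators that fetch remote material can rely on the
      # network being up — confirm.
      after = [ "network.target" ];

      serviceConfig = {
        StateDirectory = cfg.stateDir;
      };

      # NixOS runs `script` with `set -e`, so a failing step aborts the whole
      # unit before later secrets are touched.
      script = ''
        umask 0022
        mkdir -p "$STATE_DIRECTORY/private" "$STATE_DIRECTORY/public"
      '' + lib.concatStringsSep "\n" (lib.mapAttrsToList
        (name: secret:
          let
            runtimeDirectory = "secret-${name}";
            runtimePath = "/run/${runtimeDirectory}";
          in ''
            # Run the generator unprivileged; --wait propagates its exit
            # status, so a failing generator stops here, before the
            # previous secret is removed. Every configured value is shell-
            # quoted so names or paths with special characters cannot break
            # out of the command line.
            systemd-run \
              --wait \
              -p DynamicUser=true \
              -p RuntimeDirectory=${esc runtimeDirectory} \
              -p RuntimeDirectoryMode=${esc secret.mode} \
              -p RuntimeDirectoryPreserve=true \
              -p WorkingDirectory=${esc runtimePath} \
              -p PrivateTmp=true \
              ${pkgs.bash}/bin/bash -c ${esc secret.generator}

            # The output was written by a transient DynamicUser UID that
            # systemd may reuse for another unit later, so re-own the whole
            # tree (-R), not only the top-level directory, before publishing.
            chown -R ${esc (owner secret)} ${esc runtimePath}/private
            chmod ${esc secret.mode} ${esc runtimePath}/private
            mkdir -p "$(dirname ${esc secret.privateDir})"
            rm -rf ${esc secret.privateDir} || true
            mv ${esc runtimePath}/private ${esc secret.privateDir}

            chown -R ${esc (owner secret)} ${esc runtimePath}/public
            mkdir -p "$(dirname ${esc secret.publicDir})"
            rm -rf ${esc secret.publicDir} || true
            mv ${esc runtimePath}/public ${esc secret.publicDir}

            # Leave nothing behind in /run for the next run's generator.
            rm -rf ${esc runtimePath}
          '') cfg.secrets);
    };
  };
}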