chore: implemented warning
parent
6666d56b65
commit
06cc119912
|
@ -7,29 +7,30 @@ with nixpkgs.lib; let
|
|||
pkgs = import nixpkgs {inherit system;};
|
||||
|
||||
rekeyCommandForHost = hostName: hostAttrs: let
|
||||
secretPath = "/tmp/nix-rekey.d/${hostName}/";
|
||||
masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths;
|
||||
|
||||
pubKeyStr = let
|
||||
pubKey = hostAttrs.config.rekey.pubKey;
|
||||
in
|
||||
if isPath pubKey
|
||||
then readFile pubKey
|
||||
else pubKey;
|
||||
secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/";
|
||||
|
||||
rekeyCommand = secretName: secretAttrs: let
|
||||
pubKeyStr = let
|
||||
key = hostAttrs.config.rekey.pubKey;
|
||||
in
|
||||
if isPath key
|
||||
then readFile key
|
||||
else key;
|
||||
in ''
|
||||
echo "Rekeying secret ${secretName} for host ${hostName}"
|
||||
echo "Rekeying secret ${secretName} for host ${hostName}"
|
||||
echo "${secretAttrs.file}"
|
||||
${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \
|
||||
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \
|
||||
|| { echo "[1;3mCould not rekey secrets. Inserting dummy values[m" \
|
||||
; echo "Invalide due to failure when rekeying." \
|
||||
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;}
|
||||
${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \
|
||||
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \
|
||||
|| { echo "[1;3mCould not rekey secrets. Inserting dummy values[m" \
|
||||
; echo "Invalide due to failure when rekeying." \
|
||||
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;}
|
||||
'';
|
||||
in
|
||||
if masterIdentities == ""
|
||||
then ''
|
||||
echo "[1;3mNo Identities set for host ${hostName}. Can not decrypt.\n\
|
||||
echo -e "[1;3mNo Identities set for host ${hostName}. Cannot decrypt.\n\
|
||||
Make sure you set 'config.rekey.masterIdentityPaths'[m"
|
||||
''
|
||||
else if
|
||||
|
@ -38,15 +39,12 @@ with nixpkgs.lib; let
|
|||
in
|
||||
isPath key && (! pathExists key)
|
||||
then ''
|
||||
echo "[1;3mNo public keys available for host ${hostName}. Can not decrypt.\n\
|
||||
echo -e "[1;3mNo public keys available for host ${hostName}. Can not decrypt.\n\
|
||||
Make sure the public keys are reachable by the building system'[m"
|
||||
''
|
||||
else ''
|
||||
mkdir -p ${secretPath}
|
||||
# TODO
|
||||
${concatStringsSep "\n" (mapAttrsToList rekeyCommand (hostAttrs.config.rekey.secrets))}
|
||||
|
||||
nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
|
||||
mkdir -p ${secretPath}
|
||||
${concatStringsSep "\n" (mapAttrsToList rekeyCommand (hostAttrs.config.rekey.secrets))}
|
||||
'';
|
||||
|
||||
rekeyScript = ''
|
||||
|
@ -54,15 +52,16 @@ with nixpkgs.lib; let
|
|||
|
||||
${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)}
|
||||
|
||||
nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
|
||||
|
||||
'';
|
||||
|
||||
rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript;
|
||||
|
||||
rekey-copy-secretsForHost = hostName: hostAttrs: let
|
||||
secretFiles = mapAttrsToList (_: x: x.file) hostAttrs.config.rekey.secrets;
|
||||
drv = import ../modules/rekey-drv.nix pkgs secretFiles;
|
||||
drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config;
|
||||
in ''
|
||||
echo ${drv}
|
||||
echo "Copied secrets for ${hostName} to ${drv}"
|
||||
'';
|
||||
rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" ''
|
||||
${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)}
|
||||
|
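Review bot: The `|| { ... ;}` fallback in rekeyCommand (first hunk) turns a failed `rage -d` into a successfully encrypted placeholder (`Invalide due to failure when rekeying.`) and leaves the command group with exit status 0, so rekeyScript and the `nix run ... #rekey-copy-secrets` step carry on and the placeholder is what lands in the store; since rekey-drv.nix's inputs do not change on a later successful run, that placeholder can persist until the output is garbage-collected. I would fail hard instead, `|| { echo "..." >&2; exit 1; }`, or at least record the failure and exit non-zero after the loop, and fix `Invalide` → `Invalid` while there. Separately, the staging directory is a fixed path under world-writable /tmp (`/tmp/nix-rekey.d/<sha1 of pubkey>`) and `mkdir -p` will silently reuse a directory another local user pre-created; if the build host is shared, create it with `mkdir -m 0700` and refuse one you do not own, since whatever sits there is copied to the target host as its secrets. The rekeyCommandForHost definition continues across the second hunk, so the surrounding `let` is not fully visible here.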
|
|
@ -39,6 +39,9 @@
|
|||
file = ./secrets/iwd/devolo-og.psk.age;
|
||||
path = "/etc/iwd/devolo-og.psk";
|
||||
};
|
||||
rekey.secrets.test = {
|
||||
file = ./secrets/test.age;
|
||||
};
|
||||
|
||||
networking.useNetworkd = true;
|
||||
networking.dhcpcd.enable = false;
|
||||
|
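Review bot: The new `rekey.secrets.test` entry sets only `file`, unlike the neighbouring `devolo-og.psk` secret which also gives a `path`; if relying on the option's default is intended, a comment such as `# throwaway fixture for exercising the rekey flow` would tell the next reader why a secret called test lives in a host configuration, and if it exists only to test this commit it should not ship with it. The enclosing attribute set begins outside the hunk.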
|
|
@ -1,20 +1,26 @@
|
|||
pkgs: secretFiles:
|
||||
(
|
||||
pkgs.stdenv.mkDerivation rec {
|
||||
pname = "host-secrets";
|
||||
version = "1";
|
||||
description = "Rekeyed secrets for this host";
|
||||
pkgs: config: (
|
||||
pkgs.stdenv.mkDerivation rec {
|
||||
pname = "host-secrets";
|
||||
version = "1";
|
||||
description = "Rekeyed secrets for this host";
|
||||
pubKeyStr = let
|
||||
pubKey = config.rekey.pubKey;
|
||||
in
|
||||
if builtins.isPath pubKey
|
||||
then builtins.readFile pubKey
|
||||
else pubKey;
|
||||
|
||||
srcs = secretFiles;
|
||||
sourceRoot = ".";
|
||||
secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
|
||||
srcs = secretFiles;
|
||||
sourceRoot = ".";
|
||||
|
||||
dontMakeSourcesWriteable = true;
|
||||
dontUnpack = true;
|
||||
dontConfigure = true;
|
||||
dontBuild = true;
|
||||
dontMakeSourcesWriteable = true;
|
||||
dontUnpack = true;
|
||||
dontConfigure = true;
|
||||
dontBuild = true;
|
||||
|
||||
installPhase = ''
|
||||
cp -r /tmp/nix-rekey.d/ $out
|
||||
'';
|
||||
installPhase = ''
|
||||
cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out
|
||||
'';
|
||||
}
|
||||
)
|
||||
|
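Review bot: The content copied by installPhase from `/tmp/nix-rekey.d/<sha1>` is not an input of this derivation — with `rec`, `pubKeyStr` and `secretFiles` become attributes (and build environment variables) that fix the output hash together with the .age sources, so once the derivation has been built, including with the dummy placeholders the rekey script writes on decryption failure, a later successful rekey run yields the same store path and Nix will not rebuild it. I believe the simplest fix is to make the staged directory a path input, `src = /tmp/nix-rekey.d + "/${builtins.hashString "sha1" pubKeyStr}";` with `installPhase = "cp -r $src/. $out";`, which hashes the directory content at evaluation time, produces a new output whenever the rekeyed files change, and removes the need for `--extra-sandbox-paths`; an absent directory then fails at evaluation rather than at build, so pair it with a `pathExists` guard. Minor: `description` is not a stdenv attribute and is only exported as an env var; `meta.description` is the conventional place.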
|
|
@ -8,17 +8,20 @@
|
|||
}: {
|
||||
config = with lib; let
|
||||
secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
|
||||
drv = import ./rekey-drv.nix pkgs secretFiles;
|
||||
drv = import ./rekey-drv.nix pkgs config;
|
||||
in
|
||||
mkIf (config.rekey.secrets != {}) {
|
||||
age = {
|
||||
secrets = let
|
||||
hostName = config.networking.hostName;
|
||||
secretPath = "${drv}/${hostName}/";
|
||||
secretPath = "${drv}/";
|
||||
newPath = x: "${secretPath}/${x}.age";
|
||||
in
|
||||
mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
|
||||
};
|
||||
warnings = optional (! pathExists (removeSuffix ".drv" drv.drvPath)) ''
|
||||
Rekeyed secrets not available.
|
||||
Maybe you forgot to run "nix run '.#rekey'" to rekey them?
|
||||
'';
|
||||
};
|
||||
|
||||
options = with lib; {
|
||||
|
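Review bot: `removeSuffix ".drv" drv.drvPath` does not yield the derivation's output path — the hash in `/nix/store/<hash>-host-secrets-1.drv` is the derivation hash, whereas the output lives at `drv.outPath` under a different hash — so as far as I can tell the `pathExists` check is always false and the warning fires on every evaluation, built or not. The check presumably wants `pathExists (builtins.unsafeDiscardStringContext drv.outPath)`; discarding the string context is what keeps `pathExists` from trying to realise the derivation during evaluation. The `age.secrets` entries above still point at `${drv}`, so a missing output fails the build regardless; the warning only adds the hint, which makes getting its condition right the whole point of the commit. The `config = ... mkIf` block starts before the hunk.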
|
12
secrets/test.age
Normal file
12
secrets/test.age
Normal file
|
@ -0,0 +1,12 @@
|
|||
age-encryption.org/v1
|
||||
-> X25519 6PjX+qZyPYWTisaNUryJ12t/CEOrfLd+K1/wyKGFixM
|
||||
S5IV+M+l5LleLoXM3SUDioBCJiaHcwZslERVj5L0ygE
|
||||
-> piv-p256 XTQkUA A1py15wjDt5uwgw2/s2/ueM2JMcT4RFMa+5fx+d2UhG8
|
||||
xIdD5DNoxvu3T0873Qv2hl9rHatWi4GhAGcWT/cxNE8
|
||||
-> piv-p256 ZFgiIw AsSMYe/35S/b3kTqriw9Ur2eg2iB8dDSt4qtFzbMqTMz
|
||||
WnBSoehEmLtX9SEawmQIxsV8dReZPJRNq5oSLH6UWSU
|
||||
-> bHCG/L-grease -|u
|
||||
77tuo6s/XdK97pc73YTUh/OShs4jX/01ODcQT/80LaoCI0bt+yVBIOwNPrLwHVIV
|
||||
iiqROaIIp+mRDQj6JUB7hlaPoiNJcfO6ozA
|
||||
--- 7W4CK2idSDKwMlYi/FmPZVLPZZKv+5nyp0mpysWXork
|
||||
ÅH\”úŽÅ‚úbwõŒÑžug+uU+Ñ‚?<3F>\)) Wï6æ}¥ÿ'öÌQH¹/'§ÅÐ><3E>
|