chore: implemented warning

This commit is contained in:
Patrick Großmann 2023-01-28 20:10:55 +01:00
parent 6666d56b65
commit 06cc119912
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
6 changed files with 65 additions and 41 deletions


@ -7,29 +7,30 @@ with nixpkgs.lib; let
pkgs = import nixpkgs {inherit system;}; pkgs = import nixpkgs {inherit system;};
rekeyCommandForHost = hostName: hostAttrs: let rekeyCommandForHost = hostName: hostAttrs: let
secretPath = "/tmp/nix-rekey.d/${hostName}/";
masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths; masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths;
pubKeyStr = let
pubKey = hostAttrs.config.rekey.pubKey;
in
if isPath pubKey
then readFile pubKey
else pubKey;
secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/";
rekeyCommand = secretName: secretAttrs: let rekeyCommand = secretName: secretAttrs: let
pubKeyStr = let
key = hostAttrs.config.rekey.pubKey;
in
if isPath key
then readFile key
else key;
in '' in ''
echo "Rekeying secret ${secretName} for host ${hostName}" echo "Rekeying secret ${secretName} for host ${hostName}"
echo "${secretAttrs.file}" echo "${secretAttrs.file}"
${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \ ${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \ | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \
|| { echo "Could not rekey secrets. Inserting dummy values" \ || { echo "Could not rekey secrets. Inserting dummy values" \
; echo "Invalide due to failure when rekeying." \ ; echo "Invalide due to failure when rekeying." \
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;} | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;}
''; '';
in in
if masterIdentities == "" if masterIdentities == ""
then '' then ''
echo "No Identities set for host ${hostName}. Can not decrypt.\n\ echo -e "No Identities set for host ${hostName}. Cannot decrypt.\n\
Make sure you set 'config.rekey.masterIdentityPaths'" Make sure you set 'config.rekey.masterIdentityPaths'"
'' ''
else if else if
@ -38,15 +39,12 @@ with nixpkgs.lib; let
in in
isPath key && (! pathExists key) isPath key && (! pathExists key)
then '' then ''
echo "No public keys available for host ${hostName}. Can not decrypt.\n\ echo -e "No public keys available for host ${hostName}. Can not decrypt.\n\
Make sure the public keys are reachable by the building system'" Make sure the public keys are reachable by the building system'"
'' ''
else '' else ''
mkdir -p ${secretPath} mkdir -p ${secretPath}
# TODO ${concatStringsSep "\n" (mapAttrsToList rekeyCommand (hostAttrs.config.rekey.secrets))}
${concatStringsSep "\n" (mapAttrsToList rekeyCommand (hostAttrs.config.rekey.secrets))}
nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
''; '';
rekeyScript = '' rekeyScript = ''
@ -54,15 +52,16 @@ with nixpkgs.lib; let
${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)} ${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)}
nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
''; '';
rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript; rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript;
rekey-copy-secretsForHost = hostName: hostAttrs: let rekey-copy-secretsForHost = hostName: hostAttrs: let
secretFiles = mapAttrsToList (_: x: x.file) hostAttrs.config.rekey.secrets; drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config;
drv = import ../modules/rekey-drv.nix pkgs secretFiles;
in '' in ''
echo ${drv} echo "Copied secrets for ${hostName} to ${drv}"
''; '';
rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" '' rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" ''
${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)} ${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)}
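Review bot: In the first hunk the staging directory `/tmp/nix-rekey.d/<sha1(pubkey)>/` introduced on the new `secretPath` line is fully predictable (the host public key is public by definition) and lives in shared, world-writable `/tmp`, yet `mkdir -p ${secretPath}` accepts whatever directory is already there, and the later `rekey-copy-secrets` step copies its contents into the store as the host's secrets, so a local user could pre-create it and plant `.age` files encrypted to that key. A guard such as `mkdir -p -m 0700 ${secretPath}` followed by `[ -O ${secretPath} ] || { echo "refusing ${secretPath}: not owned by caller" >&2; exit 1; }`, or staging under a `mktemp -d` path the caller owns, closes that window. Separately, the `|| { ... }` fallback around the `rage -d | rage -e` pipeline only sees the exit status of the last `rage -e`; unless the generated script sets `pipefail` (writeShellScript does not appear to), a failed decryption feeds an empty stream to the encryptor and yields an empty secret with no error, and when the fallback does fire it silently ships the dummy text and lets the script proceed to the copy step. Starting `rekeyScript` with `set -euo pipefail` and aborting on a failed rekey instead of substituting dummy values would be safer. The enclosing `rekeyCommandForHost` definition continues past the end of this hunk.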


@ -39,6 +39,9 @@
file = ./secrets/iwd/devolo-og.psk.age; file = ./secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk"; path = "/etc/iwd/devolo-og.psk";
}; };
rekey.secrets.test = {
file = ./secrets/test.age;
};
networking.useNetworkd = true; networking.useNetworkd = true;
networking.dhcpcd.enable = false; networking.dhcpcd.enable = false;
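Review bot: The new `rekey.secrets.test` entry is wired into this host's real secret set (the rekey module maps every `rekey.secrets.*` entry into `age.secrets`), so `secrets/test.age` will be decrypted on the host at boot, and the new top-level file `test.lol` in the same commit reads like the plaintext that was encrypted into it. If this is scaffolding for exercising the new warning, drop both before merging; if it is meant to stay, a comment such as `# smoke-test secret for the rekey pipeline; not used by any service` next to the entry would make its purpose clear.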


@ -1,20 +1,26 @@
pkgs: secretFiles: pkgs: config: (
( pkgs.stdenv.mkDerivation rec {
pkgs.stdenv.mkDerivation rec { pname = "host-secrets";
pname = "host-secrets"; version = "1";
version = "1"; description = "Rekeyed secrets for this host";
description = "Rekeyed secrets for this host"; pubKeyStr = let
pubKey = config.rekey.pubKey;
in
if builtins.isPath pubKey
then builtins.readFile pubKey
else pubKey;
srcs = secretFiles; secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
sourceRoot = "."; srcs = secretFiles;
sourceRoot = ".";
dontMakeSourcesWriteable = true; dontMakeSourcesWriteable = true;
dontUnpack = true; dontUnpack = true;
dontConfigure = true; dontConfigure = true;
dontBuild = true; dontBuild = true;
installPhase = '' installPhase = ''
cp -r /tmp/nix-rekey.d/ $out cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out
''; '';
} }
) )
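Review bot: The new `installPhase` copies `/tmp/nix-rekey.d/<sha1(pubKeyStr)>/.` wholesale into `$out`, but nothing in the derivation's inputs reflects what is actually in that directory: Nix caches the output by `srcs` and `pubKeyStr`, so a stale, partial or planted staging directory (the path is predictable and under shared `/tmp`, reachable inside the sandbox only through the caller's `--extra-sandbox-paths`) becomes the permanent store content for that input hash until the master-encrypted files or the host key change. Checking that exactly the expected `<name>.age` files exist and copying only those would turn a missing or foreign rekey into a build error instead of a silently wrong secret set; the sketch below assumes secret names contain no shell metacharacters. Using `sha256` rather than `sha1` for the directory name is a minor, optional tidy-up while touching this.
```nix
installPhase = ''
  staging=/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}
  mkdir -p "$out"
  for name in ${pkgs.lib.concatStringsSep " " (builtins.attrNames config.rekey.secrets)}; do
    if [ ! -f "$staging/$name.age" ]; then
      echo "rekeyed secret '$name' missing from $staging; run 'nix run .#rekey' first" >&2
      exit 1
    fi
    cp "$staging/$name.age" "$out/"
  done
'';
```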


@ -8,17 +8,20 @@
}: { }: {
config = with lib; let config = with lib; let
secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets; secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
drv = import ./rekey-drv.nix pkgs secretFiles; drv = import ./rekey-drv.nix pkgs config;
in in
mkIf (config.rekey.secrets != {}) { mkIf (config.rekey.secrets != {}) {
age = { age = {
secrets = let secrets = let
hostName = config.networking.hostName; secretPath = "${drv}/";
secretPath = "${drv}/${hostName}/";
newPath = x: "${secretPath}/${x}.age"; newPath = x: "${secretPath}/${x}.age";
in in
mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets; mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
}; };
warnings = optional (! pathExists (removeSuffix ".drv" drv.drvPath)) ''
Rekeyed secrets not available.
Maybe you forgot to run "nix run '.#rekey'" to rekey them?
'';
}; };
options = with lib; { options = with lib; {
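Review bot: The new `warnings` entry tests `pathExists (removeSuffix ".drv" drv.drvPath)`, but a derivation's `.drv` path and its output path carry different hashes, so (if I read the store-path scheme right) that path never exists and the warning fires even after a successful rekey. Checking the output path without pulling its context, `warnings = optional (! pathExists (builtins.unsafeDiscardStringContext drv.outPath)) ''...'';`, tests the path the message is actually about while still avoiding a forced build during evaluation. The `secretFiles` binding in the same `let` is no longer referenced now that `rekey-drv.nix` takes `config`, so it can be removed. The enclosing `config = with lib; let ...` definition starts before this hunk and `options` continues after it.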

secrets/test.age Normal file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> X25519 6PjX+qZyPYWTisaNUryJ12t/CEOrfLd+K1/wyKGFixM
S5IV+M+l5LleLoXM3SUDioBCJiaHcwZslERVj5L0ygE
-> piv-p256 XTQkUA A1py15wjDt5uwgw2/s2/ueM2JMcT4RFMa+5fx+d2UhG8
xIdD5DNoxvu3T0873Qv2hl9rHatWi4GhAGcWT/cxNE8
-> piv-p256 ZFgiIw AsSMYe/35S/b3kTqriw9Ur2eg2iB8dDSt4qtFzbMqTMz
WnBSoehEmLtX9SEawmQIxsV8dReZPJRNq5oSLH6UWSU
-> bHCG/L-grease -|u
77tuo6s/XdK97pc73YTUh/OShs4jX/01ODcQT/80LaoCI0bt+yVBIOwNPrLwHVIV
iiqROaIIp+mRDQj6JUB7hlaPoiNJcfO6ozA
--- 7W4CK2idSDKwMlYi/FmPZVLPZZKv+5nyp0mpysWXork
ÅH\”úŽÅúbwõŒÑžug+uU+Ñ‚?<3F>\)) Wï6æ}¥ÿ'öÌQH¹/'§ÅÐ><3E>

test.lol Normal file

@ -0,0 +1 @@
cetiscienrst gnrs ciet