chore: implemented warning

2023-01-28 20:10:55 +01:00 · 2023-01-28 20:10:55 +01:00 · 06cc119912
parent 6666d56b65
commit 06cc119912
6 changed files with 65 additions and 41 deletions
--- a/apps/rekey.nix
+++ b/apps/rekey.nix
@ -7,16 +7,17 @@ with nixpkgs.lib; let
  pkgs = import nixpkgs {inherit system;};

  rekeyCommandForHost = hostName: hostAttrs: let
-    secretPath = "/tmp/nix-rekey.d/${hostName}/";
    masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths;

-    rekeyCommand = secretName: secretAttrs: let
    pubKeyStr = let
-        key = hostAttrs.config.rekey.pubKey;
+      pubKey = hostAttrs.config.rekey.pubKey;
    in
-        if isPath key
-        then readFile key
-        else key;
+      if isPath pubKey
+      then readFile pubKey
+      else pubKey;
+    secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/";
+
+    rekeyCommand = secretName: secretAttrs: let
    in ''
      echo "Rekeying secret ${secretName} for host ${hostName}"
      echo "${secretAttrs.file}"
@ -29,7 +30,7 @@ with nixpkgs.lib; let
  in
    if masterIdentities == ""
    then ''
-      echo "[1;3mNo Identities set for host ${hostName}. Can not decrypt.\n\
+      echo -e "[1;3mNo Identities set for host ${hostName}. Cannot decrypt.\n\
      Make sure you set 'config.rekey.masterIdentityPaths'[m"
    ''
    else if
@ -38,15 +39,12 @@ with nixpkgs.lib; let
      in
        isPath key && (! pathExists key)
    then ''
-      echo "[1;3mNo public keys available for host ${hostName}. Can not decrypt.\n\
+      echo -e "[1;3mNo public keys available for host ${hostName}. Can not decrypt.\n\
      Make sure the public keys are reachable by the building system'[m"
    ''
    else ''
      mkdir -p ${secretPath}
-         # TODO
      ${concatStringsSep "\n" (mapAttrsToList rekeyCommand (hostAttrs.config.rekey.secrets))}
-
-      nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
    '';

  rekeyScript = ''
@ -54,15 +52,16 @@ with nixpkgs.lib; let

    ${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)}

+    nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
+
  '';

  rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript;

  rekey-copy-secretsForHost = hostName: hostAttrs: let
-    secretFiles = mapAttrsToList (_: x: x.file) hostAttrs.config.rekey.secrets;
-    drv = import ../modules/rekey-drv.nix pkgs secretFiles;
+    drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config;
  in ''
-    echo ${drv}
+    echo "Copied secrets for ${hostName} to ${drv}"
  '';
  rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" ''
    ${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)}
--- a/configuration.nix
+++ b/configuration.nix
@ -39,6 +39,9 @@
    file = ./secrets/iwd/devolo-og.psk.age;
    path = "/etc/iwd/devolo-og.psk";
  };
+  rekey.secrets.test = {
+    file = ./secrets/test.age;
+  };

  networking.useNetworkd = true;
  networking.dhcpcd.enable = false;
--- a/modules/rekey-drv.nix
+++ b/modules/rekey-drv.nix
@ -1,10 +1,16 @@
-pkgs: secretFiles:
-(
+pkgs: config: (
  pkgs.stdenv.mkDerivation rec {
    pname = "host-secrets";
    version = "1";
    description = "Rekeyed secrets for this host";
+    pubKeyStr = let
+      pubKey = config.rekey.pubKey;
+    in
+      if builtins.isPath pubKey
+      then builtins.readFile pubKey
+      else pubKey;

+    secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
    srcs = secretFiles;
    sourceRoot = ".";

@ -14,7 +20,7 @@ pkgs: secretFiles:
    dontBuild = true;

    installPhase = ''
-      cp -r /tmp/nix-rekey.d/ $out
+      cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out
    '';
  }
 )
--- a/modules/rekey.nix
+++ b/modules/rekey.nix
@ -8,17 +8,20 @@
 }: {
  config = with lib; let
    secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
-    drv = import ./rekey-drv.nix pkgs secretFiles;
+    drv = import ./rekey-drv.nix pkgs config;
  in
    mkIf (config.rekey.secrets != {}) {
      age = {
        secrets = let
-          hostName = config.networking.hostName;
-          secretPath = "${drv}/${hostName}/";
+          secretPath = "${drv}/";
          newPath = x: "${secretPath}/${x}.age";
        in
          mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
      };
+	  warnings = optional (! pathExists (removeSuffix ".drv" drv.drvPath)) ''
+	    Rekeyed secrets not available.
+		Maybe you forgot to run "nix run '.#rekey'" to rekey them?
+	  '';
    };

  options = with lib; {
--- a/secrets/test.age
+++ b/secrets/test.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> X25519 6PjX+qZyPYWTisaNUryJ12t/CEOrfLd+K1/wyKGFixM
+S5IV+M+l5LleLoXM3SUDioBCJiaHcwZslERVj5L0ygE
+-> piv-p256 XTQkUA A1py15wjDt5uwgw2/s2/ueM2JMcT4RFMa+5fx+d2UhG8
+xIdD5DNoxvu3T0873Qv2hl9rHatWi4GhAGcWT/cxNE8
+-> piv-p256 ZFgiIw AsSMYe/35S/b3kTqriw9Ur2eg2iB8dDSt4qtFzbMqTMz
+WnBSoehEmLtX9SEawmQIxsV8dReZPJRNq5oSLH6UWSU
+-> bHCG/L-grease -|u
+77tuo6s/XdK97pc73YTUh/OShs4jX/01ODcQT/80LaoCI0bt+yVBIOwNPrLwHVIV
+iiqROaIIp+mRDQj6JUB7hlaPoiNJcfO6ozA
+--- 7W4CK2idSDKwMlYi/FmPZVLPZZKv+5nyp0mpysWXork
+ÅH\”úŽÅ‚úbwõŒÑžug+uU+Ñ‚?<3F>\))	Wï6æ}¥ÿ'öÌQH¹/'§ÅÐ><3E>
--- a/test.lol
+++ b/test.lol
@ -0,0 +1 @@
+cetiscienrst gnrs ciet