
# Flake apps for re-encrypting host secrets (`rekey`) and for copying the
# re-encrypted files into the store (`rekey-copy-secrets`).
#
# Called as `import ./rekey.nix { inherit self nixpkgs; } system`; `self` is
# the flake and its `nixosConfigurations` drive the per-host work below.
# NOTE(review): the hosting forge flags invisible Unicode characters in this
# file — confirm none sit inside the shell snippets.
{ self, nixpkgs, ... }: system:
with nixpkgs.lib;
let
  pkgs = import nixpkgs { inherit system; };
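# Build the shell snippet that re-encrypts every secret of one host.
#
# hostName:  attribute name in self.nixosConfigurations (used in messages).
# hostAttrs: the evaluated NixOS configuration; only
#            config.rekey.{masterIdentityPaths,pubKey,secrets} are read.
#
# Returns a string of shell commands. Each secret is decrypted with the
# master identities and re-encrypted to the host's public key into a
# per-host directory below /tmp/nix-rekey.d, which the rekey-copy-secrets
# app later exposes to the sandbox.
rekeyCommandForHost = hostName: hostAttrs: let
  cfg = hostAttrs.config.rekey;
  rage = "${pkgs.rage}/bin/rage";
  # One `-i "<path>"` per master identity, quoted so paths with spaces
  # survive word splitting; empty when none are configured (checked below).
  # NOTE(review): if masterIdentityPaths holds Nix path values rather than
  # strings, interpolating them copies the private identity files into the
  # world-readable Nix store — confirm the option type is a string.
  masterIdentities = strings.concatMapStrings (x: "-i \"${x}\" ") cfg.masterIdentityPaths;
  pubKeyStr = cfg.pubKey;
  # Per-host output directory keyed on the recipient key; no trailing slash
  # so the file paths below do not contain "//". The location is predictable
  # and lives in shared /tmp, so only ciphertext should ever be written here.
  secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}";
  # Decrypt one secret with the master identities and re-encrypt it for the
  # host. On failure a placeholder is encrypted instead so the later copy
  # still finds a file; the echoed message is the only signal, because the
  # `||` fallback makes the pipeline exit 0 despite `set -e` in the caller.
  rekeyCommand = secretName: secretAttrs: ''
    echo "Rekeying secret ${secretName} for host ${hostName}"
    echo "${secretAttrs.file}"
    ${rage} ${masterIdentities} -d "${secretAttrs.file}" \
      | ${rage} -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \
      || { echo "Could not rekey secrets. Inserting dummy values" \
         ; echo "Invalide due to failure when rekeying." \
         | ${rage} -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;}
  '';
in
if masterIdentities == ""
then ''
  echo -e "No Identities set for host ${hostName}. Cannot decrypt.\n\
  Make sure you set 'config.rekey.masterIdentityPaths'"
''
# Only a Nix path value can be checked for existence at evaluation time;
# a string key is handed to rage unchecked.
else if isPath pubKeyStr && !pathExists pubKeyStr
then ''
  echo -e "No public keys available for host ${hostName}. Can not decrypt.\n\
  Make sure the public keys are reachable by the building system"
''
else ''
  mkdir -p "${secretPath}"
  ${concatStringsSep "\n" (mapAttrsToList rekeyCommand cfg.secrets)}
'';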
# The rekey app: run the per-host re-encryption snippets, then invoke the
# rekey-copy-secrets app of this flake with /tmp/nix-rekey.d made visible
# inside the build sandbox. `set -euo pipefail` aborts on the first failing
# host snippet.
rekeyScript = let
  perHost = mapAttrsToList rekeyCommandForHost self.nixosConfigurations;
in ''
  set -euo pipefail
  ${concatStringsSep "\n" perHost}
  nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
'';
rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript;
# Per-host line of the copy app. Importing ../modules/rekey-drv.nix yields a
# derivation (presumably capturing the re-encrypted files — see that module);
# interpolating `drv` realises it when this script is built, so the echo only
# reports the resulting store path.
rekey-copy-secretsForHost = hostName: hostAttrs:
  let
    drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config;
  in "echo \"Copied secrets for ${hostName} to ${drv}\"\n";
rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh"
  "${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)}\n";
in {
rekey = {
type = "app";
program = "${rekey-exe}";
};
rekey-copy-secrets = {
type = "app";
program = "${rekey-copy-secrets-exe}";
};
}