# Secrets management method adapted from:
# https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20
# Secrets are encrypted ahead of time (with age, for the target host's
# identity) and only the ciphertext is committed to git; the ciphertext is
# decrypted onto the local disk at boot by the per-secret services below.
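{
  config,
  pkgs,
  lib,
  ...
}:
# NixOS module: declares `secrets.<name>` entries and, on Linux, turns each
# one into a oneshot systemd service that decrypts the age ciphertext with
# `config.identityFile` and places the plaintext at `dest` with the requested
# owner/group/mode. `config.identityFile` is declared by another module.
{
  options = {
    secretsDirectory = lib.mkOption {
      type = lib.types.str;
      description = "Default path to place secrets.";
      default = "/var/private";
    };

    secrets = lib.mkOption {
      type = lib.types.attrsOf (
        lib.types.submodule {
          options = {
            source = lib.mkOption {
              type = lib.types.path;
              # NOTE: a `path` value is copied into the world-readable Nix store,
              # so `source` must always point at ciphertext, never plaintext.
              description = "Path to encrypted secret.";
            };
            dest = lib.mkOption {
              type = lib.types.str;
              # Not derived from `secretsDirectory`; the parent directory must
              # already exist when the service runs.
              description = "Resulting path for decrypted secret.";
            };
            owner = lib.mkOption {
              default = "root";
              type = lib.types.str;
              description = "User to own the secret.";
            };
            group = lib.mkOption {
              default = "root";
              type = lib.types.str;
              description = "Group to own the secret.";
            };
            permissions = lib.mkOption {
              default = "0400";
              type = lib.types.str;
              description = "Permissions expressed as octal.";
            };
            prefix = lib.mkOption {
              default = "";
              type = lib.types.str;
              description = "Prefix for secret value (for environment files).";
            };
          };
        }
      );
      description = "Set of secrets to decrypt to disk.";
      default = { };
    };
  };

  config = lib.mkIf pkgs.stdenv.isLinux {
    # Create a default directory to place secrets. The directory itself is
    # world-listable (0755); confidentiality rests on each file's own mode.
    systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0755 root wheel" ];

    # Declare one oneshot service per secret that decrypts it with the host's
    # identity file.
    # - Requires that the secret is already encrypted for the host
    # - Encrypt secrets: nix run github:nmasur/dotfiles#encrypt-secret
    systemd.services = lib.mapAttrs' (name: attrs: {
      name = "${name}-secret";
      value = {
        description = "Decrypt secret for ${name}";
        wantedBy = [ "multi-user.target" ];
        bindsTo = [ "wait-for-identity.service" ];
        after = [ "wait-for-identity.service" ];

        serviceConfig.Type = "oneshot";
        script = ''
          # Abort on any error, unset variable or failed pipeline stage.
          set -euo pipefail
          # Nothing created here may be readable by anyone but root until the
          # requested owner and mode have been applied explicitly below.
          umask 077

          # All user-supplied option values are shell-quoted so a value
          # containing quotes or whitespace cannot alter the script.
          dest=${lib.escapeShellArg attrs.dest}
          prefix=${lib.escapeShellArg attrs.prefix}

          # Decrypt into a variable in a plain assignment: with `set -e` a
          # failing command substitution here aborts the script, whereas a
          # substitution embedded in an echo/redirection is swallowed and
          # would leave a file containing only the prefix.
          value="$(${pkgs.age}/bin/age --decrypt \
            --identity ${lib.escapeShellArg config.identityFile} ${attrs.source})"

          # Write into a mode-0600 temp file beside dest, set owner and mode
          # on it, then rename over dest. Readers never observe a partially
          # written file or a plaintext file with the default umask's mode,
          # and a pre-existing dest with looser permissions is replaced
          # rather than written into. printf is used instead of echo so a
          # secret beginning with "-n"/"-e" is not misinterpreted; trailing
          # newlines of the age output are stripped by "$(...)" and exactly
          # one is appended, as before.
          tmp="$(mktemp "$dest.XXXXXX")"
          printf '%s%s\n' "$prefix" "$value" > "$tmp"
          chown ${lib.escapeShellArg attrs.owner}:${lib.escapeShellArg attrs.group} "$tmp"
          chmod ${lib.escapeShellArg attrs.permissions} "$tmp"
          mv -f "$tmp" "$dest"
        '';
      };
    }) config.secrets;

    # Example declaration
    # config.secrets.my-secret = {
    #   source = ../../private/my-secret.age;
    #   dest = "/var/lib/private/my-secret";
    #   owner = "my-app";
    #   group = "my-app";
    #   permissions = "0440";
    # };
  };
}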