noah/dotfiles
1
0
Fork 0
mirror of https://github.com/nmasur/dotfiles synced 2024-11-09 23:22:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
9f31d775c7
dotfiles/modules/nixos/services/secrets.nix

103 lines
2.9 KiB
Nix
Raw Normal View History

new secrets management system
2022-10-16 01:32:39 +00:00
# Secrets management method taken from here:
# https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20
# In my case, I pre-encrypt my secrets and commit them to git.
move all files to new nixfmt rfc
2024-04-20 13:42:06 +00:00
{
config,
pkgs,
lib,
...
}:
{
new secrets management system
2022-10-16 01:32:39 +00:00
options = {
reencrypt secrets and fix nextcloud backups
2022-10-16 03:18:58 +00:00
secretsDirectory = lib.mkOption {
type = lib.types.str;
description = "Default path to place secrets.";
default = "/var/private";
};
new secrets management system
2022-10-16 01:32:39 +00:00
secrets = lib.mkOption {
move all files to new nixfmt rfc
2024-04-20 13:42:06 +00:00
type = lib.types.attrsOf (
lib.types.submodule {
options = {
source = lib.mkOption {
type = lib.types.path;
description = "Path to encrypted secret.";
};
dest = lib.mkOption {
type = lib.types.str;
description = "Resulting path for decrypted secret.";
};
owner = lib.mkOption {
default = "root";
type = lib.types.str;
description = "User to own the secret.";
};
group = lib.mkOption {
default = "root";
type = lib.types.str;
description = "Group to own the secret.";
};
permissions = lib.mkOption {
default = "0400";
type = lib.types.str;
description = "Permissions expressed as octal.";
};
prefix = lib.mkOption {
default = "";
type = lib.types.str;
description = "Prefix for secret value (for environment files).";
};
new secrets management system
2022-10-16 01:32:39 +00:00
};
move all files to new nixfmt rfc
2024-04-20 13:42:06 +00:00
}
);
new secrets management system
2022-10-16 01:32:39 +00:00
description = "Set of secrets to decrypt to disk.";
default = { };
};
};
split wsl, consolidate hardware
2023-04-16 00:55:56 +00:00
config = lib.mkIf pkgs.stdenv.isLinux {
new secrets management system
2022-10-16 01:32:39 +00:00
# Create a default directory to place secrets
reencrypt secrets and fix nextcloud backups
2022-10-16 03:18:58 +00:00
systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0755 root wheel" ];
new secrets management system
2022-10-16 01:32:39 +00:00
# Declare oneshot service to decrypt secret using SSH host key
# - Requires that the secret is already encrypted for the host
# - Encrypt secrets: nix run github:nmasur/dotfiles#encrypt-secret
systemd.services = lib.mapAttrs' (name: attrs: {
name = "${name}-secret";
value = {
description = "Decrypt secret for ${name}";
wantedBy = [ "multi-user.target" ];
try binding to wait for identity service to complete and see if remainafterexit fixes one of the issues
2024-03-30 17:01:34 +00:00
bindsTo = [ "wait-for-identity.service" ];
after = [ "wait-for-identity.service" ];
new secrets management system
2022-10-16 01:32:39 +00:00
serviceConfig.Type = "oneshot";
script = ''
add victoriametrics
2023-07-16 13:50:58 +00:00
echo "${attrs.prefix}$(
${pkgs.age}/bin/age --decrypt \
--identity ${config.identityFile} ${attrs.source}
)" > ${attrs.dest}
new secrets management system
2022-10-16 01:32:39 +00:00
chown '${attrs.owner}':'${attrs.group}' '${attrs.dest}'
chmod '${attrs.permissions}' '${attrs.dest}'
'';
};
}) config.secrets;
# Example declaration
# config.secrets.my-secret = {
# source = ../../private/my-secret.age;
# dest = "/var/lib/private/my-secret";
# owner = "my-app";
# group = "my-app";
# permissions = "0440";
# };
};
}
Reference in New Issue Copy Permalink