simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity
nixos-config/modules/secrets.nix

67 lines
2.1 KiB
Nix
Raw Normal View History

Overhaul secrets management
2021-01-06 13:09:29 +01:00
# Adapted from https://github.com/Mic92/dotfiles/blob/23f163cae52545d44a7e379dc204010b013d679a/nixos/vms/modules/secrets.nix
#
# All of the users wanting to access any key under /run/keys have to be a
# member of the keys group (or be root). This is a hard coded limitation of
# NixOS and I havent found a way to allow everyone to access /run/keys/ (not a
# security problem since the keys themselves are given the right permissions).
{ config, lib, pkgs, ... }:
let
secret = lib.types.submodule ({ config, ... }: {
options = {
name = lib.mkOption {
type = lib.types.str;
default = config._module.args.name;
};
path = lib.mkOption {
type = lib.types.str;
default = "/run/keys/${config.name}";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0440";
};
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
source = lib.mkOption {
type = lib.types.str;
default = toString <secrets> + "/${config.name}";
};
};
});
in
{
options.krops.secrets = lib.mkOption {
type = lib.types.attrsOf secret;
default = { };
};
config = lib.mkIf (config.krops.secrets != { }) {
system.activationScripts.setup-secrets =
let
script = ''
echo "setting up secrets"
'' + lib.concatMapStringsSep
"\n"
(secret: ''
${pkgs.coreutils}/bin/install \
-D \
--compare \
--verbose \
--mode=${lib.escapeShellArg secret.mode} \
--owner=${lib.escapeShellArg secret.owner} \
--group=${lib.escapeShellArg secret.group} \
${lib.escapeShellArg secret.source} \
${lib.escapeShellArg secret.path} \
|| echo "failed to copy ${secret.source} to ${secret.path}"
'')
(lib.attrValues config.krops.secrets);
in
lib.stringAfter [ "users" "groups" ] "source ${pkgs.writeText "setup-secrets.sh" script}";
};
}
Reference in a new issue Copy permalink