fixup nixos generator type
in: trunk
2 files changed
modules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -11,7 +11,7 @@
inherit (lib.lists) optional;
inherit (lib.attrsets) mapAttrs;
inherit (lib.modules) mkIf;
- inherit (lib.types) submodule str attrsOf nullOr unspecified lazyAttrsOf;
+ inherit (lib.types) submodule str attrsOf nullOr unspecified lazyAttrsOf uniq functionTo package;
inherit (fleetLib.strings) decodeRawSecret;
sysConfig = config;
@@ -60,7 +60,7 @@
};
generator = mkOption {
- type = nullOr unspecified;
+ type = uniq (nullOr (functionTo package));
description = "Derivation to evaluate for secret generation";
default = null;
};
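Review bot: The `description` on the line after the changed `type` still says "Derivation to evaluate for secret generation", but with `functionTo package` the option value is now a function that yields a derivation, not a derivation itself, so the documentation no longer matches what the type accepts. Suggest `description = "Function evaluating to the derivation that (re)generates the secret";`, which mirrors the wording already used for the same option in modules/secrets.nix on this page. The first hunk only extends the `inherit (lib.types)` list to support this change and needs nothing further. The enclosing `mkOption` belongs to a submodule whose start lies outside the hunk.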
modules/secrets.nixdiffbeforeafterboth1{2 lib,3 config,4 ...5}: let6 inherit (lib.options) mkOption literalExpression;7 inherit (lib.types) unspecified nullOr listOf str bool attrsOf submodule functionTo package unique;8 inherit (lib.strings) concatStringsSep;9 inherit (lib.attrsets) mapAttrs;1011 sharedSecret = {config, ...}: {12 options = {13 expectedOwners = mkOption {14 type = nullOr (listOf str);15 description = ''16 Specifies the list of hosts authorized to decrypt and access this shared secret.1718 When null, secret ownership is managed manually via fleet.nix and CLI.19 Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.20 '';21 default = null;22 };23 regenerateOnOwnerAdded = mkOption {24 type = bool;25 description = ''26 Controls whether the secret must be regenerated when new owners are added.2728 Set to true when the secret contains owner-specific references (e.g., X.509 Subject Alternative Names).29 When true, adding a new owner will trigger secret regeneration instead of simple re-encryption.30 '';31 };32 regenerateOnOwnerRemoved = mkOption {33 default = config.regenerateOnOwnerAdded;34 defaultText = literalExpression "regenerateOnOwnerAdded";35 type = bool;36 description = ''37 Determines secret behavior when owners are removed from the configuration.3839 Typically mirrors regenerateOnOwnerAdded. 
Override cautiously.40 Set to false if host permissions are revoked through alternative mechanisms like firewall rules.41 '';42 };43 generator = mkOption {44 type = nullOr (unique (functionTo package));45 description = ''46 Function evaluating to nix derivation responsible for (re)generating the secret's content.4748 An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,49 use `mkSecretGenerator` helpers to implement own generators.50 '';51 default = null;52 };53 expectedGenerationData = mkOption {54 type = unspecified;55 description = "Contextual metadata embedded within the secret part value";56 default = null;57 };58 };59 };60in {61 options = {62 sharedSecrets = mkOption {63 type = attrsOf (submodule sharedSecret);64 default = {};65 description = "Collection of secrets shared across multiple hosts with configurable ownership";66 };67 };68 config = {69 hosts =70 mapAttrs (_: secretMap: {71 nixos.secrets = mapAttrs (_: s: removeAttrs s ["createdAt" "expiresAt" "generationData"]) secretMap;72 })73 config.data.hostSecrets;74 nixpkgs.overlays = [75 (final: prev: {76 mkSecretGenerators = {recipients}: rec {77 # TODO: Merge both generators to one with consistent options syntax?78 # Impure generator is built on local machine, then built closure is copied to remote machine,79 # and then it is ran in inpure context, so that this generator may access HSMs and other things.80 mkImpureSecretGenerator = {81 script,82 # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD83 # (Some secrets-encryption-in-git/managed PKI solution is expected)84 impureOn ? 
null,85 }:86 (prev.writeShellScript "impureGenerator.sh" ''87 #!/bin/sh88 set -eu8990 export GENERATOR_HELPER_IDENTITIES="${concatStringsSep"\n"recipients}";91 export PATH=${final.fleet-generator-helper}/bin:$PATH9293 # TODO: Provide tempdir from outside, to make it securely erasurable as needed?94 tmp=mktemp-d95 cd $tmp96 # cd /var/empty9798 created_at=date-u"%Y-%m-%dT%H:%M:%S.%NZ"99100 ${script}101102 if ! test -d $out; then103 echo "impure generator script did not produce expected \$out output"104 exit 1105 fi106107 echo -n $created_at > $out/created_at108 echo -n SUCCESS > $out/marker109 '')110 .overrideAttrs (old: {111 passthru = {112 inherit impureOn;113 generatorKind = "impure";114 };115 });116 # Pure generators are disabled for now117 mkSecretGenerator = {script}: mkImpureSecretGenerator {inherit script;};118119 # TODO: Implement consistent naming120 # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...121 # But for now, it is ran the same way as `impureSecretGenerator`, but on the local machine.122 # mkSecretGenerator = {script}:123 # (prev.writeShellScript "generator.sh" ''124 # #!/bin/sh125 # set -eu126 # # TODO: make nix daemon build secret, not just the script.127 # cd /var/empty128 #129 # created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")130 #131 # ${script}132 # if ! test -d $out; then133 # echo "impure generator script did not produce expected \$out output"134 # exit 1135 # fi136 #137 # echo -n $created_at > $out/created_at138 # echo -n SUCCESS > $out/marker139 # '')140 # .overrideAttrs (old: {141 # passthru = {142 # generatorKind = "pure";143 # };144 # # TODO: make nix daemon build secret, not just the script.145 # # __impure = true;146 # });147 };148 })149 ];150 };151}
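Review bot: The `generator` option in modules/secrets.nix is typed `nullOr (unique (functionTo package))`, which disagrees with the per-host option this commit changes to `uniq (nullOr (functionTo package))` in modules/nixos/secrets.nix. In nixpkgs `lib.types.unique` expects a `{ message }` attribute set before the wrapped type, so applying it directly to `functionTo package` should fail at evaluation, whereas `uniq` is the shorthand with an empty message. The rendered view does not reveal which lines of this file the commit touched, so the mismatch may be pre-existing, but the shared-secret option and the per-host option should use the same type: `type = uniq (nullOr (functionTo package));` together with `uniq` in place of `unique` in the `inherit (lib.types)` line would align them.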