


modules/secrets.nix5.5 KiBsourcehistory
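# Module for secrets shared between several hosts.
#
# It declares the `secrets` option (an attribute set of `sharedSecret` submodules,
# one per secret) and registers a nixpkgs overlay that adds `mkSecretGenerators`,
# a helper producing the generator derivations referenced by `secrets.<name>.generator`.
{
  lib,
  ...
}:
let
  inherit (lib.options) mkOption literalExpression;
  inherit (lib.types)
    nullOr
    listOf
    str
    bool
    attrsOf
    submodule
    functionTo
    package
    uniq
    ;
  inherit (lib.strings) concatStringsSep;

  # Submodule describing a single shared secret. `config` is only needed so that
  # regenerateOnOwnerRemoved can default to the value of regenerateOnOwnerAdded.
  sharedSecret =
    { config, ... }:
    {
      options = {
        expectedOwners = mkOption {
          type = listOf str;
          description = ''
            Specifies the list of hosts authorized to decrypt and access this shared secret.
          '';
        };
        regenerateOnOwnerAdded = mkOption {
          type = bool;
          description = ''
            Controls whether the secret must be regenerated when new owners are added.

            Set to true when the secret contains owner-specific references (e.g., X.509 Subject Alternative Names).
            When true, adding a new owner will trigger secret regeneration instead of simple re-encryption.
          '';
        };
        regenerateOnOwnerRemoved = mkOption {
          default = config.regenerateOnOwnerAdded;
          defaultText = literalExpression "regenerateOnOwnerAdded";
          type = bool;
          description = ''
            Determines secret behavior when owners are removed from the configuration.

            Typically mirrors regenerateOnOwnerAdded. Override cautiously.
            Set to false if host permissions are revoked through alternative mechanisms like firewall rules.
          '';
        };
        allowDifferent = mkOption {
          type = bool;
          description = ''
            When adding owner, do not update secret value for other owners, instead creating a new distribution
          '';
        };
        # `uniq` forbids merging two definitions of the generator; `null` means
        # "no generator" (the default).
        generator = mkOption {
          type = uniq (nullOr (functionTo package));
          description = ''
            Function evaluating to nix derivation responsible for (re)generating the secret's content.

            An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,
            use `mkSecretGenerator` helpers to implement own generators.
          '';
          default = null;
        };
      };
    };
in
{
  options = {
    secrets = mkOption {
      type = attrsOf (submodule sharedSecret);
      default = { };
      description = "Collection of secrets shared across multiple hosts with configurable ownership";
    };
  };
  config = {
    nixpkgs.overlays = [
      (final: prev: {
        # `recipients` is a list of strings handed to the generator script as
        # GENERATOR_HELPER_IDENTITIES (newline separated); their exact format is
        # defined by fleet-generator-helper, not by this module.
        mkSecretGenerators =
          { recipients }:
          rec {
            # TODO: Merge both generators to one with consistent options syntax?
            # Impure generator is built on local machine, then built closure is copied to remote machine,
            # and then it is run in impure context, so that this generator may access HSMs and other things.
            #
            # Returns a shell-script derivation; the calling side reads `impureOn`,
            # `parts` and `generatorKind` back from `passthru`.
            mkImpureSecretGenerator =
              {
                script,
                # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD
                # (Some secrets-encryption-in-git/managed PKI solution is expected)
                impureOn ? null,
                parts,
              }:
              (prev.writeShellScript "impureGenerator.sh" ''
                #!/bin/sh
                set -eu

                # Recipients joined with literal newlines; presumably consumed by
                # fleet-generator-helper, which is put first on PATH below -- confirm against its source.
                export GENERATOR_HELPER_IDENTITIES="${concatStringsSep "\n" recipients}";
                export PATH=${final.fleet-generator-helper}/bin:$PATH

                # TODO: Provide tempdir from outside, to make it securely erasurable as needed?
                # Until then, at least unlink the scratch directory on every exit path
                # (including the failure below) so intermediate secret material does not
                # linger on disk. This is a plain rm, not secure erasure.
                tmp=$(mktemp -d)
                trap 'rm -rf "$tmp"' EXIT
                cd "$tmp"
                # cd /var/empty

                created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")

                ${script}

                # Quoted on purpose: with an empty $out the unquoted form degenerates to
                # `test -d`, a single non-empty string, which evaluates to true.
                if ! test -d "$out"; then
                  echo "impure generator script did not produce expected \$out output" >&2
                  exit 1
                fi

                # printf instead of `echo -n`: same output under bash, and also correct
                # under the /bin/sh the shebang above claims.
                printf '%s' "$created_at" > "$out/created_at"
                printf '%s' SUCCESS > "$out/marker"
              '').overrideAttrs
                (old: {
                  passthru = {
                    inherit impureOn parts;
                    generatorKind = "impure";
                  };
                });
            # Pure generators are disabled for now
            mkSecretGenerator = { script, parts }: mkImpureSecretGenerator { inherit script parts; };

            # TODO: Implement consistent naming
            # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...
            # But for now, it is run the same way as `impureSecretGenerator`, but on the local machine.
            # mkSecretGenerator = {script}:
            #   (prev.writeShellScript "generator.sh" ''
            #     #!/bin/sh
            #     set -eu
            #     # TODO: make nix daemon build secret, not just the script.
            #     cd /var/empty
            #
            #     created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")
            #
            #     ${script}
            #     if ! test -d $out; then
            #       echo "impure generator script did not produce expected \$out output"
            #       exit 1
            #     fi
            #
            #     echo -n $created_at > $out/created_at
            #     echo -n SUCCESS > $out/marker
            #   '')
            #   .overrideAttrs (old: {
            #     passthru = {
            #       generatorKind = "pure";
            #     };
            #     # TODO: make nix daemon build secret, not just the script.
            #     # __impure = true;
            #   });
          };
      })
    ];
  };
}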