`6d3c085f68b1`

source

modules/secrets.nix5.3 KiBsource history
1{2  lib,3  config,4  ...5}: let6  inherit (lib.options) mkOption literalExpression;7  inherit (lib.types) unspecified nullOr listOf str bool attrsOf submodule;8  inherit (lib.strings) concatStringsSep;9  inherit (lib.attrsets) mapAttrs;1011  sharedSecret = {config, ...}: {12    options = {13      expectedOwners = mkOption {14        type = nullOr (listOf str);15        description = ''16          List of hosts to encrypt secret for. null if managed by user (= via owners field from fleet.nix)1718          Secrets would be decrypted and stored to /run/secrets/$\{name} on owners19        '';20        default = null;21      };22      # TODO: Aren't those options may be just desugared to data/expectedData?23      regenerateOnOwnerAdded = mkOption {24        type = bool;25        description = ''26          Is this secret owner-dependent, and needs to be regenerated on ownership set change, or it may be just reencrypted.2728          You want to have this option set to true, when this secret contains some reference to its owners, i.e x509 SANs.29        '';30      };31      regenerateOnOwnerRemoved = mkOption {32        default = config.regenerateOnOwnerAdded;33        defaultText = literalExpression "regenerateOnOwnerAdded";34        type = bool;35        description = ''36          Should this secret be removed on owner removal, or it may be just reencrypted3738          Most probably its value should be equal to regenerateOnOwnerAdded, override only if you know what are you doing.39          Contrary to regenerateOnOwnerAdded, you may want to set this option to false, when host permissions are revoked40          in some other way than by this secret ownership, I.e by firewall/etc.41        '';42      };43      generator = mkOption {44        type = nullOr unspecified;45        description = "Derivation to evaluate for secret generation";46        default = null;47      };48      expectedGenerationData = mkOption {49        type = unspecified;50        description = "Data that gets embedded into secret part";51        default = null;52      };53    };54  };55in {56  options = {57    sharedSecrets = mkOption {58      type = attrsOf (submodule sharedSecret);59      default = {};60      description = "Shared secrets";61    };62  };63  config = {64    hosts =65      mapAttrs (_: secretMap: {66        nixos.secrets = mapAttrs (_: s: removeAttrs s ["createdAt" "expiresAt"]) secretMap;67      })68      config.data.hostSecrets;69    nixpkgs.overlays = [70      (final: prev: {71        mkSecretGenerators = {recipients}: rec {72          # TODO: Merge both generators to one with consistent options syntax?73          # Impure generator is built on local machine, then built closure is copied to remote machine,74          # and then it is ran in inpure context, so that this generator may access HSMs and other things.75          mkImpureSecretGenerator = {76            script,77            # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD78            # (Some secrets-encryption-in-git/managed PKI solution is expected)79            impureOn ? null,80          }:81            (prev.writeShellScript "impureGenerator.sh" ''82              #!/bin/sh83              set -eu8485              export GENERATOR_HELPER_IDENTITIES="${concatStringsSep "\n" recipients}";86              export PATH=${final.fleet-generator-helper}/bin:$PATH8788              # TODO: Provide tempdir from outside, to make it securely erasurable as needed?89              tmp=$(mktemp -d)90              cd $tmp91              # cd /var/empty9293              created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")9495              ${script}9697              if ! test -d $out; then98                echo "impure generator script did not produce expected \$out output"99                exit 1100              fi101102              echo -n $created_at > $out/created_at103              echo -n SUCCESS > $out/marker104            '')105            .overrideAttrs (old: {106              passthru = {107                inherit impureOn;108                generatorKind = "impure";109              };110            });111          # Pure generators are disabled for now112          mkSecretGenerator = {script}: mkImpureSecretGenerator {inherit script;};113114          # TODO: Implement consistent naming115          # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...116          # But for now, it is ran the same way as `impureSecretGenerator`, but on the local machine.117          # mkSecretGenerator = {script}:118          #   (prev.writeShellScript "generator.sh" ''119          #     #!/bin/sh120          #     set -eu121          #     # TODO: make nix daemon build secret, not just the script.122          #     cd /var/empty123          #124          #     created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")125          #126          #     ${script}127          #     if ! test -d $out; then128          #       echo "impure generator script did not produce expected \$out output"129          #       exit 1130          #     fi131          #132          #     echo -n $created_at > $out/created_at133          #     echo -n SUCCESS > $out/marker134          #   '')135          #   .overrideAttrs (old: {136          #     passthru = {137          #       generatorKind = "pure";138          #     };139          #     # TODO: make nix daemon build secret, not just the script.140          #     # __impure = true;141          #   });142        };143      })144    ];145  };146}