git.delta.rocks / jrsonnet / refs/commits / bd8e3e569d41

difftreelog

source

modules/fleet/secrets.nix7.2 KiBsourcehistory
1{2  lib,3  fleetLib,4  config,5  ...6}:7with lib;8with fleetLib; let9  sharedSecret = with types; ({config, ...}: {10    freeformType = types.lazyAttrsOf unspecified;11    options = {12      expectedOwners = mkOption {13        type = nullOr (listOf str);14        description = ''15          List of hosts to encrypt secret for. null if managed by user (= via owners field from fleet.nix)1617          Secrets would be decrypted and stored to /run/secrets/$\{name} on owners18        '';19        default = null;20      };21      # TODO: Aren't those options may be just desugared to data/expectedData?22      regenerateOnOwnerAdded = mkOption {23        type = bool;24        description = ''25          Is this secret owner-dependent, and needs to be regenerated on ownership set change, or it may be just reencrypted.2627          You want to have this option set to true, when this secret contains some reference to its owners, i.e x509 SANs.28        '';29      };30      regenerateOnOwnerRemoved = mkOption {31        default = config.regenerateOnOwnerAdded;32        type = bool;33        description = ''34          Should this secret be removed on owner removal, or it may be just reencrypted3536          Most probably its value should be equal to regenerateOnOwnerAdded, override only if you know what are you doing.37          Contrary to regenerateOnOwnerAdded, you may want to set this option to false, when host permissions are revoked38          in some other way than by this secret ownership, I.e by firewall/etc.39        '';40      };41      generator = mkOption {42        type = nullOr unspecified;43        description = "Derivation to evaluate for secret generation";44        default = null;45      };46      createdAt = mkOption {47        type = nullOr str;48        description = "When this secret was (re)generated";49        default = null;50      };51      expiresAt = mkOption {52        type = nullOr str;53        description = "On which date this secret will expire, someone should regenerate this secret before it expires.";54        default = null;55      };5657      owners = mkOption {58        type = listOf str;59        description = ''60          For which owners this secret is currently encrypted,61          if not matches expectedOwners - then this secret is considered outdated, and62          should be regenerated/reencrypted.6364          Imported from fleet.nix65        '';66        default = [];67      };68    };69  });70  hostSecret = with types; {71    freeformType = types.lazyAttrsOf unspecified;72    options = {73      createdAt = mkOption {74        type = nullOr str;75        default = null;76      };77      expiresAt = mkOption {78        type = nullOr str;79        default = null;80      };81    };82  };83in {84  options = with types; {85    version = mkOption {86      type = str;87      default = "";88      internal = true;89    };90    sharedSecrets = mkOption {91      type = attrsOf (submodule sharedSecret);92      default = {};93      description = "Shared secrets";94    };95    hostSecrets = mkOption {96      type = attrsOf (attrsOf (submodule hostSecret));97      default = {};98      description = "Host secrets. Imported from fleet.nix";99      internal = true;100    };101  };102  config = {103    assertions =104      mapAttrsToList105      (name: secret: {106        assertion = secret.expectedOwners == null || builtins.sort (a: b: a < b) secret.owners == builtins.sort (a: b: a < b) secret.expectedOwners;107        message = "Shared secret ${name} is expected to be encrypted for ${builtins.toJSON secret.expectedOwners}, but it is encrypted for ${builtins.toJSON secret.owners}. Run fleet secrets regenerate to fix";108      })109      config.sharedSecrets;110    hosts = hostsToAttrs (host: {111      nixosModules = let112        # processPart113        processSecret = v:114          (removeAttrs v ["createdAt" "expiresAt" "expectedOwners" "owners" "regenerateOnOwnerAdded" "regenerateOnOwnerRemoved"])115          // {116            shared = true;117          };118      in [119        {120          secrets =121            (122              mapAttrs (_: processSecret)123              (filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)124            )125            // (mapAttrs (_: processSecret) (config.hostSecrets.${host} or {}));126        }127      ];128    });129    # TODO: Should this attribute be moved to `nixpkgs.overlays`?130    overlays = [131      (final: prev: let132        lib = final.lib;133        inherit (lib) strings;134        inherit (strings) concatStringsSep;135      in {136        mkSecretGenerators = {recipients}: rec {137          # TODO: Merge both generators to one with consistent options syntax?138          # Impure generator is built on local machine, then built closure is copied to remote machine,139          # and then it is ran in inpure context, so that this generator may access HSMs and other things.140          mkImpureSecretGenerator = {141            script,142            # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD143            # (Some secrets-encryption-in-git/managed PKI solution is expected)144            impureOn ? null,145          }:146            (prev.writeShellScript "impureGenerator.sh" ''147              #!/bin/sh148              set -eu149150              export GENERATOR_HELPER_IDENTITIES="${concatStringsSep "\n" recipients}";151              export PATH=${final.fleet-generator-helper}/bin:$PATH152153              # TODO: Provide tempdir from outside, to make it securely erasurable as needed?154              tmp=$(mktemp -d)155              cd $tmp156              # cd /var/empty157158              created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")159160              ${script}161162              if ! test -d $out; then163                echo "impure generator script did not produce expected \$out output"164                exit 1165              fi166167              echo -n $created_at > $out/created_at168              echo -n SUCCESS > $out/marker169            '')170            .overrideAttrs (old: {171              passthru = {172                inherit impureOn;173                generatorKind = "impure";174              };175            });176          # Pure generators are disabled for now177          mkSecretGenerator = {script}: mkImpureSecretGenerator {inherit script;};178179          # TODO: Implement consistent naming180          # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...181          # But for now, it is ran the same way as `impureSecretGenerator`, but on the local machine.182          # mkSecretGenerator = {script}:183          #   (prev.writeShellScript "generator.sh" ''184          #     #!/bin/sh185          #     set -eu186          #     # TODO: make nix daemon build secret, not just the script.187          #     cd /var/empty188          #189          #     created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")190          #191          #     ${script}192          #     if ! test -d $out; then193          #       echo "impure generator script did not produce expected \$out output"194          #       exit 1195          #     fi196          #197          #     echo -n $created_at > $out/created_at198          #     echo -n SUCCESS > $out/marker199          #   '')200          #   .overrideAttrs (old: {201          #     passthru = {202          #       generatorKind = "pure";203          #     };204          #     # TODO: make nix daemon build secret, not just the script.205          #     # __impure = true;206          #   });207        };208      })209    ];210  };211}