

fix impermanence compat

Yaroslav Bolyukin · 2024-07-07 · parent: c055cb1
in: trunk

1 file changed

modified nixos/secrets.nix
before · nixos/secrets.nix
1{2  lib,3  config,4  pkgs,5  ...6}:7with lib; let8  inherit (lib.strings) hasPrefix removePrefix;9  plaintextPrefix = "<PLAINTEXT>";10  plaintextNewlinePrefix = "<PLAINTEXT-NL>";1112  sysConfig = config;13  secretPartType = secretName:14    types.submodule ({config, ...}: {15      options = with types; {16        raw = mkOption {17          description = "Secret in fleet-specific undocumented format, do not use. Import from fleet.nix";18          internal = true;19        };20        hash = mkOption {21          type = str;22          description = "Hash of secret in encoded format";23        };24        path = mkOption {25          type = str;26          description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";27        };28        stablePath = mkOption {29          type = str;30          description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";31        };32        data = mkOption {33          type = str;34          description = "Secret public data (only available for plaintext)";35        };36      };37      config = let38        partName = config._module.args.name;39      in {40        hash = mkOptionDefault (builtins.hashString "sha1" config.raw);41        data = mkOptionDefault (42          if hasPrefix plaintextPrefix config.raw43          then removePrefix plaintextPrefix config.raw44          else if hasPrefix plaintextNewlinePrefix config.raw45          then removePrefix plaintextNewlinePrefix config.raw46          else throw "secret.part.data attribute only works for public plaintext secret parts, got ${config.raw}"47        );48        path = mkOptionDefault "/run/secrets/${secretName}/${config.hash}-${partName}";49        stablePath = mkOptionDefault "/run/secrets/${secretName}/${partName}";50      };51    });52  secretType = types.submodule ({config, ...}: let53    secretName = config._module.args.name;54  in {55    freeformType = types.lazyAttrsOf 
(secretPartType secretName);56    options = with types; {57      shared = mkOption {58        description = "Is this secret owned by this machine, or propagated from shared secrets";59        default = false;60      };61      expectedOwners = mkOption {62        type = nullOr unspecified;63        default = null;64        internal = true;65      };6667      generator = mkOption {68        type = nullOr unspecified;69        description = "Derivation to evaluate for secret generation";70        default = null;71      };72      mode = mkOption {73        type = str;74        description = "Secret mode";75        default = "0440";76      };77      owner = mkOption {78        type = str;79        description = "Owner of the secret";80        default = "root";81      };82      group = mkOption {83        type = str;84        description = "Group of the secret";85        default = sysConfig.users.users.${config.owner}.group;86      };87    };88  });89  processPart = part: {90    inherit (part) raw path stablePath;91  };92  processSecret = secret:93    {94      inherit (secret) group mode owner;95    }96    // (mapAttrs (_: processPart) (removeAttrs secret [97      "shared"98      "generator"99      "mode"100      "group"101      "owner"102103      # FIXME: Some of those removed attributes shouldn't be here, but there is some error in passing shared secrets from fleet to nixos.104      "expectedOwners"105    ]));106  secretsFile = pkgs.writeTextFile {107    name = "secrets.json";108    text =109      builtins.toJSON (mapAttrs (_: processSecret)110        config.secrets);111  };112in {113  options = {114    secrets = mkOption {115      type = types.attrsOf secretType;116      default = {};117      description = "Host-local secrets";118    };119  };120  config = {121    environment.systemPackages = [pkgs.fleet-install-secrets];122    system.activationScripts.decryptSecrets =123      stringAfter (124        [125          # secrets are owned by user/group, thus we need to 
refer to those126          "users"127          "groups"128          "specialfs"129        ]130        # nixos-impermanence compatibility: secrets are encrypted by host-key,131        # but with impermanence we expect that the host-key is installed by132        # persist-file activation script.133        ++ (lib.optional (config.system.activationScripts ? "persist-file") "persist-file")134      ) ''135        1>&2 echo "setting up secrets"136        ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}137      '';138  };139}
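Review bot: The `lib.optional (config.system.activationScripts ? "persist-file") "persist-file"` dependency at the bottom of the listing makes a name mismatch silent — if the impermanence module in use registers its script under a different name, the `?` test is simply false, `decryptSecrets` loses the ordering the comment right above says it relies on (host key installed before secrets are decrypted), and evaluation reports nothing; this listing is labelled "before", so confirm the "after" side, and at least record the hazard next to the check, `# NOTE: a wrong script name here silently drops the ordering; verify the name against the impermanence module in use`. The `stablePath` option description is a verbatim copy of `path`'s and is wrong for a path that deliberately omits the hash; use `description = "Path to secret part without the data hash (stays the same across secret changes)";`. The `throw` in the `data` default interpolates the whole `config.raw` into the error text, so anything non-public in a part's raw value ends up in evaluation logs and CI output; print the part name instead, `else throw "secret.part.data attribute only works for public plaintext secret parts (part ${partName})"`, since `partName` is already bound in that `let`. Because `secretsFile` is produced with `pkgs.writeTextFile`, it lands in the world-readable Nix store together with every part's `raw`, so a one-line comment on `secretsFile` stating that `raw` must only ever hold host-key-encrypted data or explicitly public `<PLAINTEXT>` values would make that invariant explicit for the next maintainer.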