

feat ensure shared generators

pwqmwvyvYaroslav Bolyukin2026-01-22parent: #e89ca39.patch.diff
in: trunk

2 files changed

--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -21,7 +21,7 @@
   options = {
     nixos = mkOption {
       description = ''
-        Nixos configuration for all hosts.
+        Shared nixos configuration module for all hosts.
       '';
       type = deferredModule;
     };
@@ -76,6 +76,7 @@
             nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts;
             hosts = config.hosts;
             host = hostArgs.config;
+            fleetConfiguration = config;
           };
         };
         nixos_unchecked = hostArgs.config.nixos.extendModules {
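Review bot: The added `fleetConfiguration = config;` exposes the entire fleet-level config to every host's module arguments with no comment on what it is for or which parts are safe to read. Two lines above, `nixosHosts` deliberately goes through `value.nixos_unchecked.config`, which suggests evaluation cycles through the checked host config are a known concern; the full `config` presumably contains `config.hosts.<name>.nixos` as well, so a host module that reaches its own entry via `fleetConfiguration` would likely reopen that cycle. If the commit only needs the shared generator definitions (as the title suggests), passing that narrower attribute instead of the whole config keeps per-host evaluation from reaching unrelated fleet state, including other hosts' secret definitions. At minimum, add a comment above the line such as `# whole fleet config, for modules needing shared (cross-host) definitions; do not read this host's own nixos config through it`. The enclosing attribute set starts and ends outside the hunk.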
before · modules/nixos/secrets.nix
1{2  lib,3  fleetLib,4  config,5  pkgs,6  ...7}:8let9  inherit (builtins)10    hashString11    toJSON12    ;13  inherit (lib.stringsWithDeps) stringAfter;14  inherit (lib.options) mkOption literalExpression;15  inherit (lib.lists) optional;16  inherit (lib.attrsets) mapAttrs;17  inherit (lib.modules) mkIf;18  inherit (lib.types)19    submodule20    str21    attrsOf22    unspecified23    uniq24    functionTo25    package26    ;27  inherit (fleetLib.strings) decodeRawSecret;2829  sysConfig = config;30  secretPartType =31    secretName:32    submodule (33      { config, ... }:34      let35        partName = config._module.args.name;36      in37      {38        options = {39          hash = mkOption {40            type = str;41            description = "Hash of secret in encoded format";42          };43          path = mkOption {44            type = str;45            description = "Path to secret part, incorporating data hash (thus it will be updated on secret change)";46          };47          stablePath = mkOption {48            type = str;49            description = "Path to secret part, stable path (users are expected to watch for file changes/re-read secret on demand)";50          };51          data = mkOption {52            type = str;53            description = "Secret public data (only available for plaintext)";54          };55          raw = mkOption {56            type = str;57            description = "Raw (encoded/encrypted secret part data)";58          };59        };60        config = {61          hash = hashString "sha1" config.raw;62          data = decodeRawSecret config.raw;63          path = "/run/secrets/${secretName}/${config.hash}-${partName}";64          stablePath = "/run/secrets/${secretName}/${partName}";65        };66      }67    );68  secretType = submodule (69    {70      config,71      ...72    }:73    let74      secretName = config._module.args.name;75    in76    {77      options = {78        parts = mkOption {79          type = uniq 
(attrsOf (secretPartType secretName));80          description = "Definition of secret parts";81        };82        generator = mkOption {83          type = uniq (functionTo package);84          description = "Derivation to evaluate for secret generation";85        };86        mode = mkOption {87          type = str;88          description = "Secret mode";89          default = "0440";90        };91        owner = mkOption {92          type = str;93          description = "Owner of the secret";94          default = "root";95        };96        group = mkOption {97          type = str;98          description = "Group of the secret";99          default = sysConfig.users.users.${config.owner}.group;100          defaultText = literalExpression "config.users.users.$${owner}.group";101        };102      };103      config = {104        # C api is broken in regard to thunks105        # https://github.com/NixOS/nix/issues/12800106        parts = let 107          hostName = sysConfig.networking.hostName;108          generator = config.generator;109        in builtins.deepSeq [110          hostName111          secretName112          generator113        ] (builtins.fleetEnsureHostSecret114          hostName115          secretName116          generator);117      };118    }119  );120  secretsFile = pkgs.writeTextFile {121    name = "secrets.json";122    text = toJSON config.system.secretsData;123  };124  useSysusers =125    (config.systemd ? sysusers && config.systemd.sysusers.enable)126    || (config ? 
userborn && config.userborn.enable);127in128{129  options = {130    secrets = mkOption {131      type = attrsOf secretType;132      default = { };133      apply = mapAttrs (_: secret: secret.parts // {definition = secret;});134      description = "Host-local secrets";135    };136    system.secretsData = mkOption {137      type = unspecified;138      default = mapAttrs (_: s:139        (removeAttrs s.definition ["generator"]) // {140          parts = mapAttrs (_: part: removeAttrs part ["data"]) s.definition.parts;141        }142      ) config.secrets;143      description = "secrets.json contents";144    };145  };146  config = {147    environment.systemPackages = [ pkgs.fleet-install-secrets ];148149    systemd.services.fleet-install-secrets = mkIf useSysusers {150      wantedBy = [ "sysinit.target" ];151      after = [ "systemd-sysusers.service" ];152      restartTriggers = [153        secretsFile154      ];155      aliases = [156        "sops-install-secrets"157        "agenix-install-secrets"158      ];159160      unitConfig.DefaultDependencies = false;161162      serviceConfig = {163        Type = "oneshot";164        RemainAfterExit = true;165        ExecStart = "${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}";166      };167    };168    system.activationScripts.decryptSecrets = mkIf (!useSysusers) (169      stringAfter170        (171          [172            # secrets are owned by user/group, thus we need to refer to those173            "users"174            "groups"175            "specialfs"176          ]177          # nixos-impermanence compatibility: secrets are encrypted by host-key,178          # but with impermanence we expect that the host-key is installed by179          # persist-file activation script.180          ++ (optional (config.system.activationScripts ? 
"persist-files") "persist-files")181        )182        ''183          1>&2 echo "setting up secrets"184          ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets install ${secretsFile}185        ''186    );187  };188}