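# NixOS/fleet module: declares `secrets.<name>` shared between hosts and
# provides (via a nixpkgs overlay) helpers for building the scripts that
# (re)generate a secret's content.
{
  lib,
  ...
}:
let
  inherit (lib.options) mkOption literalExpression;
  inherit (lib.types)
    nullOr
    listOf
    str
    bool
    attrsOf
    submodule
    functionTo
    package
    uniq
    ;
  inherit (lib.strings) concatStringsSep;

  # Submodule describing one shared secret: who may read it, what happens to
  # its value when the owner set changes, and how it is generated.
  sharedSecret =
    { config, ... }:
    {
      options = {
        expectedOwners = mkOption {
          type = listOf str;
          description = ''
            Specifies the list of hosts authorized to decrypt and access this shared secret.
          '';
        };
        regenerateOnOwnerAdded = mkOption {
          type = bool;
          description = ''
            Controls whether the secret must be regenerated when new owners are added.

            Set to true when the secret contains owner-specific references (e.g., X.509 Subject Alternative Names).
            When true, adding a new owner will trigger secret regeneration instead of simple re-encryption.
          '';
        };
        regenerateOnOwnerRemoved = mkOption {
          default = config.regenerateOnOwnerAdded;
          defaultText = literalExpression "regenerateOnOwnerAdded";
          type = bool;
          description = ''
            Determines secret behavior when owners are removed from the configuration.

            Typically mirrors regenerateOnOwnerAdded. Override cautiously.
            Set to false only if the removed host's access is revoked through alternative mechanisms (e.g. firewall rules):
            re-encrypting for the remaining owners does not revoke knowledge of the current value from a host that has
            already decrypted it; only regeneration replaces that value.
          '';
        };
        allowDifferent = mkOption {
          type = bool;
          description = ''
            When an owner is added, do not update the secret value held by the existing owners;
            instead create a new distribution of the secret for the new owner.
          '';
        };
        generator = mkOption {
          type = uniq (nullOr (functionTo package));
          description = ''
            Function evaluating to nix derivation responsible for (re)generating the secret's content.

            An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,
            use `mkSecretGenerator` helpers to implement own generators.
          '';
          default = null;
        };
      };
    };
in
{
  options = {
    secrets = mkOption {
      type = attrsOf (submodule sharedSecret);
      default = { };
      description = "Collection of secrets shared across multiple hosts with configurable ownership";
    };
  };
  config = {
    nixpkgs.overlays = [
      (final: prev: {
        # `recipients` is the list of encryption identities the generated secret
        # must be readable by; it is handed to the generator helper via the
        # GENERATOR_HELPER_IDENTITIES environment variable, one identity per line.
        mkSecretGenerators =
          { recipients }:
          rec {
            # TODO: Merge both generators to one with consistent options syntax?
            # Impure generator is built on local machine, then built closure is copied to remote machine,
            # and then it is ran in inpure context, so that this generator may access HSMs and other things.
            #
            # NOTE(review): both `script` and every element of `recipients` are spliced into the shell
            # text verbatim (recipients inside a double-quoted string), so recipients must not contain
            # `"`, `$` or backquotes. The runner that invokes the result is expected to provide `$out`;
            # that contract is not visible here.
            mkImpureSecretGenerator =
              {
                script,
                # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD
                # (Some secrets-encryption-in-git/managed PKI solution is expected)
                impureOn ? null,
                generationData ? null,
                parts,
              }:
              (prev.writeShellScript "impureGenerator.sh" ''
                #!/bin/sh
                set -eu

                export GENERATOR_HELPER_IDENTITIES="${concatStringsSep "\n" recipients}";
                export PATH=${final.fleet-generator-helper}/bin:$PATH

                # TODO: Provide tempdir from outside, to make it securely erasurable as needed?
                # The private tempdir (mktemp -d creates it mode 0700) is NOT removed afterwards,
                # so any intermediate secret material the script leaves here stays on disk.
                tmp=$(mktemp -d)
                cd "$tmp"
                # cd /var/empty

                created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")

                ${script}

                # The generator script must have populated $out (a directory); anything else is a failure.
                if ! test -d "$out"; then
                  echo "impure generator script did not produce expected \$out output"
                  exit 1
                fi

                # Metadata consumed by the caller: generation timestamp and a success marker.
                printf '%s' "$created_at" > "$out/created_at"
                printf '%s' SUCCESS > "$out/marker"
              '').overrideAttrs
                (old: {
                  # Exposed to the caller so it knows where/how to run the script.
                  passthru = {
                    inherit impureOn parts generationData;
                    generatorKind = "impure";
                  };
                });
            # Pure generators are disabled for now: a "pure" generator is currently just an impure one
            # with no `impureOn` (runs locally) and no `generationData`.
            mkSecretGenerator = { script, parts }: mkImpureSecretGenerator { inherit script parts; };

            # TODO: Implement consistent naming
            # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...
            # But for now, it is ran the same way as `impureSecretGenerator`, but on the local machine.
            # mkSecretGenerator = {script}:
            #   (prev.writeShellScript "generator.sh" ''
            #     #!/bin/sh
            #     set -eu
            #     # TODO: make nix daemon build secret, not just the script.
            #     cd /var/empty
            #
            #     created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")
            #
            #     ${script}
            #
            #     if ! test -d $out; then
            #       echo "impure generator script did not produce expected \$out output"
            #       exit 1
            #     fi
            #
            #     echo -n $created_at > $out/created_at
            #     echo -n SUCCESS > $out/marker
            #   '')
            #   .overrideAttrs (old: {
            #     passthru = {
            #       generatorKind = "pure";
            #     };
            #     # TODO: make nix daemon build secret, not just the script.
            #     # __impure = true;
            #   });
          };
      })
    ];
  };
}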