nixos-config/modules/secrets.nix

{ pkgs, config, lib, inputs, ... }:
with lib;
with types;
let
  password-store = config.secretsConfig.password-store;
  secret = { name, ... }: {
    options = {
      encrypted = mkOption {
        type = path;
        default = "${password-store}/${name}.gpg";
      };
      decrypted = mkOption {
        type = path;
        default = "/var/secrets/${name}";
      };
      decrypt = mkOption {
        default = pkgs.writeShellScript "gpg-decrypt" ''
          set -euo pipefail
          export GPG_TTY="$(tty)"
          ${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye 1>&2
          ${pkgs.gnupg}/bin/gpg --batch --no-tty --decrypt
        '';
      };
      user = mkOption {
        type = str;
        default = "balsoft";
      };
      owner = mkOption {
        type = str;
        default = "root:root";
      };
      permissions = mkOption {
        type = lib.types.addCheck lib.types.str
          (perm: !isNull (builtins.match "[0-7]{3}" perm));
        default = "400";
      };
      services = mkOption {
        type = listOf str;
        default = [ "${name}" ];
      };
      __toString = mkOption {
        readOnly = true;
        default = s: s.decrypted;
      };
    };
  };

  activate-secrets = pkgs.writeShellApplication {
    name = "activate-secrets";
    text = ''
      set -euo pipefail
      # Make sure card is available and unlocked
      echo fetch | gpg --card-edit --no-tty --command-fd=0
      gpg --card-status
      SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
      export SSH_AUTH_SOCK
      if [ -d "${password-store}/.git" ]; then
        cd "${password-store}"; git pull
      else
        git clone ${
          lib.escapeShellArg config.secretsConfig.repo
        } "${password-store}"
      fi
      gpg --decrypt < ${password-store}/email/balsoft@balsoft.ru.gpg > /dev/null
      /run/wrappers/bin/sudo systemctl restart ${allServices}
    '';
    runtimeInputs = [ pkgs.gnupg pkgs.git pkgs.systemd pkgs.openssh ];

  };
  decrypt = name: cfg:
    with cfg; {
      "${name}-secrets" = rec {

        wantedBy = [ "multi-user.target" ];

        requires = [ "user@1000.service" ];
        after = requires;

        preStart = ''
          stat '${encrypted}'
          mkdir -p '${builtins.dirOf decrypted}'
        '';

        script = ''
          if cat '${encrypted}' | /run/wrappers/bin/sudo -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then
            mv -f '${decrypted}.tmp' '${decrypted}'
            chown '${owner}' '${decrypted}'
            chmod '${permissions}' '${decrypted}'
          else
            echo "Failed to decrypt the secret"
            rm '${decrypted}.tmp'
            if [[ -f '${decrypted}' ]]; then
              echo "The decrypted file exists anyways, not failing"
              exit 0
            else
              exit 1
            fi
          fi
        '';

        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = "yes";
        };
      };
    };

  addDependencies = name: cfg:
    with cfg;
    genAttrs services (service: rec {
      requires = [ "${name}-secrets.service" ];
      after = requires;
      bindsTo = requires;
    });

  mkServices = name: cfg: [ (decrypt name cfg) (addDependencies name cfg) ];

  allServices = toString (map (name: "${name}-envsubst.service")
    (builtins.attrNames config.secrets-envsubst)
    ++ map (name: "${name}-secrets.service")
    (builtins.attrNames config.secrets));
in {
  options = {
    secrets = lib.mkOption {
      type = attrsOf (submodule secret);
      default = { };
    };

    secretsConfig = {
      password-store = lib.mkOption {
        type = lib.types.path;
        default = "/home/balsoft/.local/share/password-store";
      };
      repo = lib.mkOption {
        type = str;
        default = "ssh://git@github.com/balsoft/pass";
      };
    };
  };

  config = {

    systemd.services =
      mkMerge (concatLists (mapAttrsToList mkServices config.secrets));

    security.sudo.extraRules = [{
      users = [ "balsoft" ];
      commands = [{
        command = "/run/current-system/sw/bin/systemctl restart ${allServices}";
        options = [ "NOPASSWD" ];
      }];
    }];

    persist.derivative.directories = [ "/var/secrets" password-store ];

    home-manager.users.balsoft = {
      systemd.user.services.activate-secrets = {
        Service = {
          ExecStart = "${activate-secrets}/bin/activate-secrets";
          Type = "oneshot";
        };
        Unit = { PartOf = [ "graphical-session-pre.target" ]; };
        Install.WantedBy = [ "graphical-session-pre.target" ];
      };
      systemd.user.services.pass-store-sync = {
        Service = {
          Environment = [
            "PASSWORD_STORE_DIR=${password-store}"
            "PATH=${
              lib.makeBinPath [ pkgs.pass pkgs.inotify-tools pkgs.gnupg ]
            }"
          ];
          ExecStart = toString (pkgs.writeShellScript "pass-store-sync" ''
            export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
            while inotifywait "$PASSWORD_STORE_DIR" -r -e move -e close_write -e create -e delete --exclude .git; do
              sleep 0.1
              pass git add --all
              pass git commit -m "Change"
              pass git pull --rebase
              pass git push
            done
          '');
        };
        Unit = rec {
          After = [ "activate-secrets.service" ];
          Wants = After;
        };
        Install.WantedBy = [ "graphical-session-pre.target" ];
      };
      programs.password-store = {
        enable = true;
        package = pkgs.pass-wayland;
        settings.PASSWORD_STORE_DIR = password-store;
      };
    };
  };
}
flake 2020-04-27 05:39:00 +04:00			`{ pkgs, config, lib, inputs, ... }:`
Update passwords 2020-02-17 17:00:59 +04:00			`with lib;`
			`with types;`
			`let`
Add openvpn 2022-06-27 23:48:31 +04:00			`password-store = config.secretsConfig.password-store;`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`secret = { name, ... }: {`
			`options = {`
			`encrypted = mkOption {`
			`type = path;`
Move password store to XDG location 2021-06-15 02:10:46 +04:00			`default = "${password-store}/${name}.gpg";`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`};`
			`decrypted = mkOption {`
			`type = path;`
			`default = "/var/secrets/${name}";`
			`};`
			`decrypt = mkOption {`
			`default = pkgs.writeShellScript "gpg-decrypt" ''`
			`set -euo pipefail`
			`export GPG_TTY="$(tty)"`
			`${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye 1>&2`
			`${pkgs.gnupg}/bin/gpg --batch --no-tty --decrypt`
			`'';`
			`};`
			`user = mkOption {`
			`type = str;`
			`default = "balsoft";`
			`};`
			`owner = mkOption {`
			`type = str;`
			`default = "root:root";`
			`};`
			`permissions = mkOption {`
			`type = lib.types.addCheck lib.types.str`
			`(perm: !isNull (builtins.match "[0-7]{3}" perm));`
			`default = "400";`
			`};`
			`services = mkOption {`
			`type = listOf str;`
Add wireguard 2021-03-16 22:34:46 +04:00			`default = [ "${name}" ];`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`};`
			`__toString = mkOption {`
			`readOnly = true;`
			`default = s: s.decrypted;`
			`};`
secret.nix update 2020-04-29 03:18:36 +04:00			`};`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`};`

Fix audiotube 2023-02-22 00:34:25 +04:00			`activate-secrets = pkgs.writeShellApplication {`
			`name = "activate-secrets";`
			`text = ''`
			`set -euo pipefail`
			`# Make sure card is available and unlocked`
			`echo fetch \| gpg --card-edit --no-tty --command-fd=0`
			`gpg --card-status`
			`SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"`
			`export SSH_AUTH_SOCK`
			`if [ -d "${password-store}/.git" ]; then`
			`cd "${password-store}"; git pull`
			`else`
			`git clone ${`
			`lib.escapeShellArg config.secretsConfig.repo`
			`} "${password-store}"`
			`fi`
			`gpg --decrypt < ${password-store}/email/balsoft@balsoft.ru.gpg > /dev/null`
			`/run/wrappers/bin/sudo systemctl restart ${allServices}`
			`'';`
			`runtimeInputs = [ pkgs.gnupg pkgs.git pkgs.systemd pkgs.openssh ];`
Finally make pass-secret-service somewhat work 2021-10-23 20:48:36 +04:00
Fix audiotube 2023-02-22 00:34:25 +04:00			`};`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`decrypt = name: cfg:`
			`with cfg; {`
			`"${name}-secrets" = rec {`

Refactor, add librem5 2023-02-16 18:51:34 +04:00			`wantedBy = [ "multi-user.target" ];`
Enable secrets on startup 2022-06-21 17:42:10 +04:00
MOAR SECRETS STUFF 2021-01-11 21:51:09 +04:00			`requires = [ "user@1000.service" ];`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`after = requires;`

			`preStart = ''`
MOAR SECRETS STUFF 2021-01-11 21:51:09 +04:00			`stat '${encrypted}'`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`mkdir -p '${builtins.dirOf decrypted}'`
			`'';`

			`script = ''`
			`if cat '${encrypted}' \| /run/wrappers/bin/sudo -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then`
			`mv -f '${decrypted}.tmp' '${decrypted}'`
			`chown '${owner}' '${decrypted}'`
			`chmod '${permissions}' '${decrypted}'`
			`else`
			`echo "Failed to decrypt the secret"`
			`rm '${decrypted}.tmp'`
Keep secrets when decryption is impossible 2021-09-12 21:14:11 +04:00			`if [[ -f '${decrypted}' ]]; then`
			`echo "The decrypted file exists anyways, not failing"`
			`exit 0`
			`else`
			`exit 1`
			`fi`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`fi`
			`'';`

			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = "yes";`
secret.nix update 2020-04-29 03:18:36 +04:00			`};`
Update passwords 2020-02-17 17:00:59 +04:00			`};`
			`};`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00
			`addDependencies = name: cfg:`
			`with cfg;`
			`genAttrs services (service: rec {`
Add wireguard 2021-03-16 22:34:46 +04:00			`requires = [ "${name}-secrets.service" ];`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`after = requires;`
MOAR SECRETS STUFF 2021-01-11 21:51:09 +04:00			`bindsTo = requires;`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`});`

			`mkServices = name: cfg: [ (decrypt name cfg) (addDependencies name cfg) ];`
MOOOOAAAAAR SECRETS 2021-01-12 16:13:03 +04:00
Set up deploy-rs 2021-01-23 23:21:51 +04:00			`allServices = toString (map (name: "${name}-envsubst.service")`
MOOOOAAAAAR SECRETS 2021-01-12 16:13:03 +04:00			`(builtins.attrNames config.secrets-envsubst)`
			`++ map (name: "${name}-secrets.service")`
			`(builtins.attrNames config.secrets));`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00			`in {`
Refactor, add librem5 2023-02-16 18:51:34 +04:00			`options = {`
			`secrets = lib.mkOption {`
			`type = attrsOf (submodule secret);`
			`default = { };`
Add openvpn 2022-06-27 23:48:31 +04:00			`};`
Refactor, add librem5 2023-02-16 18:51:34 +04:00
			`secretsConfig = {`
			`password-store = lib.mkOption {`
			`type = lib.types.path;`
			`default = "/home/balsoft/.local/share/password-store";`
			`};`
			`repo = lib.mkOption {`
			`type = str;`
			`default = "ssh://git@github.com/balsoft/pass";`
			`};`
Update documentation 2021-06-12 02:21:24 +04:00			`};`
			`};`

Refactor, add librem5 2023-02-16 18:51:34 +04:00			`config = {`

			`systemd.services =`
			`mkMerge (concatLists (mapAttrsToList mkServices config.secrets));`
MOAR SECRETS STUFF 2021-01-11 21:51:09 +04:00
Refactor, add librem5 2023-02-16 18:51:34 +04:00			`security.sudo.extraRules = [{`
			`users = [ "balsoft" ];`
			`commands = [{`
			`command = "/run/current-system/sw/bin/systemctl restart ${allServices}";`
			`options = [ "NOPASSWD" ];`
			`}];`
MOAR SECRETS STUFF 2021-01-11 21:51:09 +04:00			`}];`
Finally switch to new secret management system 2021-01-11 18:09:34 +04:00
Refactor, add librem5 2023-02-16 18:51:34 +04:00			`persist.derivative.directories = [ "/var/secrets" password-store ];`
tmpfs root for x2100-laptop 2021-06-08 20:35:21 +04:00
Refactor, add librem5 2023-02-16 18:51:34 +04:00			`home-manager.users.balsoft = {`
			`systemd.user.services.activate-secrets = {`
			`Service = {`
			`ExecStart = "${activate-secrets}/bin/activate-secrets";`
			`Type = "oneshot";`
			`};`
			`Unit = { PartOf = [ "graphical-session-pre.target" ]; };`
			`Install.WantedBy = [ "graphical-session-pre.target" ];`
Finally make pass-secret-service somewhat work 2021-10-23 20:48:36 +04:00			`};`
Refactor, add librem5 2023-02-16 18:51:34 +04:00			`systemd.user.services.pass-store-sync = {`
			`Service = {`
			`Environment = [`
			`"PASSWORD_STORE_DIR=${password-store}"`
			`"PATH=${`
			`lib.makeBinPath [ pkgs.pass pkgs.inotify-tools pkgs.gnupg ]`
			`}"`
			`];`
			`ExecStart = toString (pkgs.writeShellScript "pass-store-sync" ''`
			`export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"`
			`while inotifywait "$PASSWORD_STORE_DIR" -r -e move -e close_write -e create -e delete --exclude .git; do`
			`sleep 0.1`
			`pass git add --all`
			`pass git commit -m "Change"`
			`pass git pull --rebase`
			`pass git push`
			`done`
			`'');`
			`};`
			`Unit = rec {`
			`After = [ "activate-secrets.service" ];`
			`Wants = After;`
			`};`
			`Install.WantedBy = [ "graphical-session-pre.target" ];`
Add password store sync 2021-10-29 20:57:57 +04:00			`};`
Refactor, add librem5 2023-02-16 18:51:34 +04:00			`programs.password-store = {`
			`enable = true;`
			`package = pkgs.pass-wayland;`
			`settings.PASSWORD_STORE_DIR = password-store;`
Add password store sync 2021-10-29 20:57:57 +04:00			`};`
Move password store to XDG location 2021-06-15 02:10:46 +04:00			`};`
Update passwords 2020-02-17 17:00:59 +04:00			`};`
			`}`