-rw-r--r-- | default.nix | 13 | ||||
-rw-r--r-- | lib/asecret.nix | 1 | ||||
-rw-r--r-- | modules/asecret.nix | 91 | ||||
-rw-r--r-- | secrets/.gpg-id | 3 | ||||
-rw-r--r-- | secrets/rootPassword.gpg | bin | 652 -> 620 bytes |
5 files changed, 100 insertions, 8 deletions
diff --git a/default.nix b/default.nix index ba860b9..d50cf14 100644 --- a/default.nix +++ b/default.nix @@ -6,19 +6,18 @@ eval { machines.bob.imports = [ ({ config, pkgs, self, ... }: { imports = [ - "${sources.nixpkgs}/nixos/modules/testing/hardcodedSecret.nix" + ./modules/asecret.nix ./modules/userSecret.nix self.config.outputs.nixosModules.asecret ]; networking.hostName = "bob"; - testing.hardcodedSecret.rootPassword = { - secret.consumer = config.users.users.root.passwordSecret; - content = pkgs.asecret-lib.hashedPassword "rootPassword"; - }; + asecret.rootPassword = { + secret.consumer = config.users.users.root.passwordSecret; + }; - users.users.root.passwordSecret.provider = - config.testing.hardcodedSecret.rootPassword.secret; + users.users.root.passwordSecret.provider = + config.asecret.rootPassword.secret; }) ]; machines.alice = { diff --git a/lib/asecret.nix b/lib/asecret.nix index 3688612..c30f8b4 100644 --- a/lib/asecret.nix +++ b/lib/asecret.nix @@ -11,6 +11,7 @@ packages = [ pkgs.asecret pkgs.nixVersions.nix_2_24 # nix-plugins' `buildInputs' + pkgs.pass ]; shellHook = '' PASSWORD_STORE_DIR=${toString ../.}/secrets; export PASSWORD_STORE_DIR diff --git a/modules/asecret.nix b/modules/asecret.nix new file mode 100644 index 0000000..7c17d99 --- /dev/null +++ b/modules/asecret.nix 
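Review bot: `asecret.rootPassword` sets only `secret.consumer`, so the secret's `type` falls back to the new module's default `"password"`, while the removed lines produced the content with `pkgs.asecret-lib.hashedPassword "rootPassword"`. If `users.users.root.passwordSecret` still expects a hashed password, the new block needs `type = "hashed-password";` next to `secret.consumer`; if the consumer contract now carries that information itself, a one-line comment saying so would spare the next reader the same question. The imports list also keeps `self.config.outputs.nixosModules.asecret` next to the newly added `./modules/asecret.nix`; if both resolve to this module, `options.asecret` is declared twice and evaluation fails, so it is worth confirming which of the two should stay.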
@@ -0,0 +1,91 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.asecret;
+
+ inherit (lib) mapAttrs' mkOption nameValuePair;
+ inherit (lib.types) attrsOf enum str submodule;
+ inherit (pkgs) writeText;
+
+ dispatchType = with pkgs.asecret-lib; {
+ "hashed-password" = hashedPassword;
+ "password" = password;
+ "ssh-key-pair" = ssh-key-pair;
+ "ssl-certificate" = ssl-certificate;
+ "wireguard" = wireguard;
+ };
+in
+{
+ options.asecret = mkOption {
+ default = {};
+ description = ''
+ Secrets. These should be used everywhere.
+ '';
+
+ example = lib.literalExpression ''
+ {
+ mySecret = {
+ secret.input = {
+ user = "me";
+ mode = "0400";
+ restartUnits = [ "myservice.service" ];
+ };
+ settings.content = "My Secret";
+ };
+ }
+ '';
+ type = attrsOf (submodule (mod@{ name, options, ... }: {
+ options = {
+ mode = mkOption {
+ description = ''
+ Mode of the secret file.
+ '';
+ type = str;
+ default = "0400";
+ };
+
+ owner = mkOption {
+ description = ''
+ Linux user owning the secret file.
+ '';
+ type = str;
+ };
+
+ group = mkOption {
+ description = ''
+ Linux group owning the secret file.
+ '';
+ type = str;
+ default = options.user.default;
+ defaultText = "user";
+ };
+
+ type = mkOption {
+ type = enum (lib.attrNames dispatchType);
+ description = ''
+ Type of the secret as a string.
+ '';
+ default = "password";
+ };
+
+ path = mkOption {
+ type = str;
+ description = ''
+ Path where the secret should be located.
+ '';
+ default = name;
+ };
+
+ secret = mkOption {
+ type = config.contracts.secret.provider;
+ };
+ };
+
+ config = {
+ inherit (mod.config.secret.input) mode owner group;
+ secret.output.path = dispatchType.${mod.config.type} mod.config.path;
+ };
+ }));
+ };
+
+ meta.buildDocsInSandbox = false;
+}
diff --git a/secrets/.gpg-id b/secrets/.gpg-id
index 5efd92d..0b8ec17 100644
--- a/secrets/.gpg-id
+++ b/secrets/.gpg-id
@@ -1 +1,2 @@
-Password Storage Key
+F0A59CA4EFAF070CC67FDAA31B64B36A24251789
+D154C6B90583A502C7C3DB7AEE1F08C49557B592
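Review bot: The `group` option's default is `options.user.default`, but no `user` option is declared in this submodule (only `mode`, `owner`, `group`, `type`, `path` and `secret`), so any secret that leaves `group` unset fails to evaluate with a missing attribute; given `defaultText = "user"`, the intent looks like falling back to the owner, which would be `default = mod.config.owner;` with `defaultText = lib.literalExpression "config.asecret.<name>.owner";`. The `example` does not match the declared options either: it sets `user`, `settings.content` and `restartUnits`, none of which exist here, so the rendered documentation would mislead module users. `cfg`, `mapAttrs'`, `nameValuePair` and `writeText` are brought into scope but never used. The `secret` option has no `description`; something like `description = "Provider side of the secret contract; mode, owner and group are taken from the consumer's secret.input.";` would document the one field a consumer actually wires up, and it matches the `inherit (mod.config.secret.input) mode owner group;` in the config block.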
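Review bot: The recipient list now names two key fingerprints in place of the `Password Storage Key` user ID, and `secrets/rootPassword.gpg` is re-encrypted in the same commit, but the diff cannot show whether the re-encrypted file is addressed to exactly these two keys and no longer to the replaced recipient. That is worth checking once with `gpg --list-packets` on the new blob before relying on the store, since the shellHook in `lib/asecret.nix` points `PASSWORD_STORE_DIR` at this directory and every later `pass` operation will trust `.gpg-id` as the source of truth.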
diff --git a/secrets/rootPassword.gpg b/secrets/rootPassword.gpg Binary files differindex 88e8525..73c1072 100644 --- a/secrets/rootPassword.gpg +++ b/secrets/rootPassword.gpg |