{ config, lib, pkgs, ... }:
with lib;
let
# Short-hands used throughout the module.
cfg = config.sops;
inherit (config.users) users;
# The installer binary that performs decryption at activation time;
# it is built from the package set two directories up.
inherit (pkgs.callPackage ../.. {}) sops-install-secrets;
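# Submodule describing one secret under sops.secrets.<name>.
# The attribute name is reused as the default for both `name` and `key`.
secretType = types.submodule ({ config, ... }: {
  options = {
    name = mkOption {
      type = types.str;
      default = config._module.args.name;
      description = ''
        Name of the file used in /run/secrets.
        The value is used verbatim as a path component below /run/secrets;
        this module does not reject separators such as "/" or "..", so keep
        names to plain file names (whether sops-install-secrets rejects
        anything else is not checked here).
      '';
    };
    key = mkOption {
      type = types.str;
      default = config._module.args.name;
      description = ''
        Key used to lookup in the sops file.
        No nested data structures are supported right now.
        This option is ignored if format is binary.
      '';
    };
    # The existence check is attached to `path`, so it runs whenever that
    # option is evaluated. It only tells whether the file exists, not whether
    # it is a valid sops file (sops.validateSopsFiles covers that).
    path = assert assertMsg (builtins.pathExists config.sopsFile) ''
      Cannot find path '${config.sopsFile}' set in 'sops.secrets."${config._module.args.name}".sopsFile'
    '';
    mkOption {
      type = types.str;
      default = "/run/secrets/${config.name}";
      description = ''
        Path where secrets are symlinked to.
        If the default is kept no symlink is created.
      '';
    };
    format = mkOption {
      type = types.enum ["yaml" "json" "binary"];
      default = cfg.defaultSopsFormat;
      description = ''
        File format used to decrypt the sops secret.
        Binary files are written to the target file as is.
      '';
    };
    mode = mkOption {
      type = types.str;
      default = "0400";
      description = ''
        Permissions mode of the file in octal.
        The value is not validated at evaluation time; keep the owner-only
        default unless the secret genuinely has to be readable by others.
      '';
    };
    owner = mkOption {
      type = types.str;
      default = "root";
      description = ''
        User of the file.
      '';
    };
    group = mkOption {
      type = types.str;
      # Looking the group up via `users` means an owner that is not a
      # declared user fails at evaluation time instead of at activation.
      default = users.${config.owner}.group;
      description = ''
        Group of the file.
        Defaults to the primary group of the owner.
      '';
    };
    sopsFile = mkOption {
      type = types.either types.str types.path;
      default = cfg.defaultSopsFile;
      description = ''
        Sops file the secret is loaded from.
        A path value ends up in the nix store (required by
        sops.validateSopsFiles); a string is passed through unchanged.
      '';
    };
  };
});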
# JSON description of what sops-install-secrets has to do. It is written
# into the nix store (world-readable), so it carries only metadata: the
# option values of each secret, the mount/symlink locations and the paths
# of the decryption keys.
manifest =
  let
    contents = {
      secrets = attrValues cfg.secrets;
      # Does this need to be configurable?
      secretsMountPoint = "/run/secrets.d";
      symlinkPath = "/run/secrets";
      gnupgHome = cfg.gnupgHome;
      sshKeyPaths = cfg.sshKeyPaths;
    };
  in builtins.toFile "manifest.json" (builtins.toJSON contents);
# Build-time sanity check of the manifest. With sops.validateSopsFiles the
# referenced sops files (which must then be in the store) are checked as
# well; otherwise only the manifest itself is. The output is the unchanged
# manifest, so the activation script cannot use an unchecked one.
checkedManifest =
  let
    checkMode = if cfg.validateSopsFiles then "sopsfile" else "manifest";
  in pkgs.runCommandNoCC "checked-manifest.json" {
    nativeBuildInputs = [ sops-install-secrets ];
  } ''
    sops-install-secrets -check-mode=${checkMode} ${manifest}
    cp ${manifest} $out
  '';
in {
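options.sops = {
  secrets = mkOption {
    type = types.attrsOf secretType;
    default = {};
    description = ''
      Secrets to decrypt and install. The attribute name is the default
      file name below /run/secrets and the default key in the sops file.
    '';
  };
  defaultSopsFile = mkOption {
    type = types.either types.str types.path;
    description = ''
      Default sops file used for all secrets.
      A path value (e.g. ./secrets.yaml) ends up in the nix store, which is
      what sops.validateSopsFiles requires; a string is passed through
      to sops-install-secrets unchanged.
    '';
  };
  defaultSopsFormat = mkOption {
    # Same set of formats as sops.secrets.<name>.format, so an invalid value
    # is rejected at the option that was actually set.
    type = types.enum ["yaml" "json" "binary"];
    default = "yaml";
    description = ''
      Default sops format used for all secrets.
    '';
  };
  validateSopsFiles = mkOption {
    type = types.bool;
    default = true;
    description = ''
      Check all sops files at evaluation time.
      This requires sops files to be added to the nix store. The store is
      world-readable, so only the encrypted sops file should ever go there.
    '';
  };
  gnupgHome = mkOption {
    type = types.nullOr types.str;
    default = null;
    example = "/root/.gnupg";
    description = ''
      Path to gnupg database directory containing the key for decrypting sops file.
      Mutually exclusive with sops.sshKeyPaths.
    '';
  };
  sshKeyPaths = mkOption {
    type = types.listOf types.path;
    # Only the RSA host keys of services.openssh are picked up by default.
    default = if config.services.openssh.enable then
      map (e: e.path) (lib.filter (e: e.type == "rsa") config.services.openssh.hostKeys)
    else [];
    description = ''
      Paths to SSH private keys used as GPG keys for decrypting the sops files.
      Defaults to the RSA host keys of services.openssh when it is enabled.
      This option must be explicitly set to [] if sops.gnupgHome is set.
    '';
  };
};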
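# Only active when at least one secret is declared.
config = mkIf (cfg.secrets != {}) {
  assertions = [{
    # Exactly one key source is allowed: a gnupg home or ssh host keys.
    assertion = cfg.gnupgHome != null -> cfg.sshKeyPaths == [];
    message = "Configuration options sops.gnupgHome and sops.sshKeyPaths cannot be set both at the same time";
  } {
    assertion = cfg.gnupgHome == null -> cfg.sshKeyPaths != [];
    message = "Either sops.sshKeyPaths or sops.gnupgHome must be set";
  }] ++ map (name: let
    inherit (cfg.secrets.${name}) sopsFile;
  in {
    # Validation runs inside a nix build, which can only read store paths.
    assertion = cfg.validateSopsFiles -> builtins.isPath sopsFile;
    message = "${sopsFile} is not in the nix store. Either add it to the nix store or set `sops.validateSopsFiles` to false";
  }) (builtins.attrNames cfg.secrets);
  # Activation script (run by NixOS as root), ordered after users/groups so
  # that each secret's owner/group can be applied. Decryption needs the
  # private key material (gnupgHome or the ssh host keys) to be readable
  # at that point; gpg is only wired in when a gnupg home is configured.
  system.activationScripts.setup-secrets = stringAfter [ "users" "groups" ] ''
    echo setting up secrets...
    ${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${checkedManifest}
  '';
};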
}