Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft: nix-darwin module #558

Draft
wants to merge 5 commits into
base: master
Choose a base branch
from
Draft

Draft: nix-darwin module #558

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e78d144
Add a nix-darwin module
j-baker May 5, 2024
65547d5
comment out activation script
j-baker May 5, 2024
d0d3169
sops-nix
j-baker May 5, 2024
d82f7e5
uncomment
j-baker May 5, 2024
2e7a862
typo
j-baker May 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions flake.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
};
homeManagerModules.sops = import ./modules/home-manager/sops.nix;
homeManagerModule = self.homeManagerModules.sops;
darwinModules.sops = import ./modules/nix-darwin/sops.nix;
packages = forAllSystems (system:
import ./default.nix {
pkgs = import nixpkgs {inherit system;};
Expand Down
269 changes: 269 additions & 0 deletions modules/nix-darwin/sops.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,269 @@
{ config, lib, pkgs, ... }:

let
cfg = config.sops;
sops-install-secrets = (pkgs.callPackage ../.. {}).sops-install-secrets;
secretType = lib.types.submodule ({ config, name, ... }: {
options = {
name = lib.mkOption {
type = lib.types.str;
default = name;
description = ''
Name of the file used in /run/user/*/secrets
'';
};

key = lib.mkOption {
type = lib.types.str;
default = name;
description = ''
Key used to lookup in the sops file.
No tested data structures are supported right now.
This option is ignored if format is binary.
'';
};

path = lib.mkOption {
type = lib.types.str;
default = "${cfg.defaultSymlinkPath}/${name}";
description = ''
Path where secrets are symlinked to.
If the default is kept no other symlink is created.
`%r` is replaced by $XDG_RUNTIME_DIR on linux or `getconf
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not exist on macos, right?

DARWIN_USER_TEMP_DIR` on darwin.
'';
};

format = lib.mkOption {
type = lib.types.enum [ "yaml" "json" "binary" "ini" "dotenv" ];
default = cfg.defaultSopsFormat;
description = ''
File format used to decrypt the sops secret.
Binary files are written to the target file as is.
'';
};

mode = lib.mkOption {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also want owner/group here.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there more than these two options (juspay@8580716) that need to be done here in this PR? Because, the installed secrets are still root owned:

-sh-3.2# ls -l /var/root/sops-nix/secrets/
total 16
-r--------  1 root  wheel  13 Jun 19 02:36 example_key
-r--------  1 root  wheel   5 Jun 19 02:36 hello

type = lib.types.str;
default = "0400";
description = ''
Permissions mode of the in octal.
'';
};

sopsFile = lib.mkOption {
type = lib.types.path;
default = cfg.defaultSopsFile;
defaultText = "\${config.sops.defaultSopsFile}";
description = ''
Sops file the secret is loaded from.
'';
};
};
});

pathNotInStore = lib.mkOptionType {
name = "pathNotInStore";
description = "path not in the Nix store";
descriptionClass = "noun";
check = x: !lib.path.hasStorePathPrefix (/. + x);
merge = lib.mergeEqualOption;
};

manifestFor = suffix: secrets: pkgs.writeTextFile {
name = "manifest${suffix}.json";
text = builtins.toJSON {
secrets = builtins.attrValues secrets;
secretsMountPoint = cfg.defaultSecretsMountPoint;
symlinkPath = cfg.defaultSymlinkPath;
keepGenerations = cfg.keepGenerations;
gnupgHome = cfg.gnupg.home;
sshKeyPaths = cfg.gnupg.sshKeyPaths;
ageKeyFile = cfg.age.keyFile;
ageSshKeyPaths = cfg.age.sshKeyPaths;
userMode = true;
logging = {
keyImport = builtins.elem "keyImport" cfg.log;
secretChanges = builtins.elem "secretChanges" cfg.log;
};
};
checkPhase = ''
${sops-install-secrets}/bin/sops-install-secrets -check-mode=${if cfg.validateSopsFiles then "sopsfile" else "manifest"} "$out"
'';
};

manifest = manifestFor "" cfg.secrets;

script = toString (pkgs.writeShellScript "sops-nix-user" ((lib.optionalString (cfg.gnupg.home != null) ''
export SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg
'')
+ (lib.optionalString cfg.age.generateKey ''
if [[ ! -f '${cfg.age.keyFile}' ]]; then
echo generating machine-specific age key...
${pkgs.coreutils}/bin/mkdir -p $(${pkgs.coreutils}/bin/dirname ${cfg.age.keyFile})
# age-keygen sets 0600 by default, no need to chmod.
${pkgs.age}/bin/age-keygen -o ${cfg.age.keyFile}
fi
'' + ''
${sops-install-secrets}/bin/sops-install-secrets -ignore-passwd '${manifest}'
'')));
in {
options.sops = {
logFile = lib.mkOption {
type = lib.types.path;
default = "/var/log/sops.log";
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do applications need to log themselves to files?

description = "The logfile to use for sops-nix";
};

secrets = lib.mkOption {
type = lib.types.attrsOf secretType;
default = {};
description = ''
Secrets to decrypt.
'';
};

defaultSopsFile = lib.mkOption {
type = lib.types.path;
description = ''
Default sops file used for all secrets.
'';
};

defaultSopsFormat = lib.mkOption {
type = lib.types.str;
default = "yaml";
description = ''
Default sops format used for all secrets.
'';
};

validateSopsFiles = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Check all sops files at evaluation time.
This requires sops files to be added to the nix store.
'';
};

defaultSymlinkPath = lib.mkOption {
type = lib.types.str;
default = "/var/root/sops-nix/secrets";
description = ''
Default place where the latest generation of decrypt secrets
can be found.
'';
};

defaultSecretsMountPoint = lib.mkOption {
type = lib.types.str;
default = "%r/secrets.d";
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question here.

description = ''
Default place where generations of decrypted secrets are stored.
'';
};

keepGenerations = lib.mkOption {
type = lib.types.ints.unsigned;
default = 1;
description = ''
Number of secrets generations to keep. Setting this to 0 disables pruning.
'';
};

log = lib.mkOption {
type = lib.types.listOf (lib.types.enum [ "keyImport" "secretChanges" ]);
default = [ "keyImport" "secretChanges" ];
description = "What to log";
};

age = {
keyFile = lib.mkOption {
type = lib.types.nullOr pathNotInStore;
default = null;
example = "/home/someuser/.age-key.txt";
description = ''
Path to age key file used for sops decryption.
'';
};

generateKey = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether or not to generate the age key. If this
option is set to false, the key must already be
present at the specified location.
'';
};

sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [];
description = ''
Paths to ssh keys added as age keys during sops description.
'';
};
};

gnupg = {
home = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "/home/someuser/.gnupg";
description = ''
Path to gnupg database directory containing the key for decrypting the sops file.
'';
};

sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [];
description = ''
Path to ssh keys added as GPG keys during sops description.
This option must be explicitly unset if <literal>config.sops.gnupg.sshKeyPaths</literal> is set.
'';
};
};
};

config = lib.mkIf (cfg.secrets != {}) {
assertions = [{
assertion = cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [] || cfg.age.keyFile != null || cfg.age.sshKeyPaths != [];
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home";
} {
assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != []);
message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set";
}] ++ lib.optionals cfg.validateSopsFiles (
lib.concatLists (lib.mapAttrsToList (name: secret: [{
assertion = builtins.pathExists secret.sopsFile;
message = "Cannot find path '${secret.sopsFile}' set in sops.secrets.${lib.strings.escapeNixIdentifier name}.sopsFile";
} {
assertion =
builtins.isPath secret.sopsFile ||
(builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
}]) cfg.secrets)
);

# Darwin: load secrets once on login
launchd.daemons.sops-nix = {
serviceConfig = {
Program = script;
KeepAlive = false;
RunAtLoad = true;
StandardOutPath = cfg.logFile;
StandardErrorPath = cfg.logFile;
};
};

# [re]load secrets on home-manager activation
system.activationScripts.sops-nix.text = let
domain-target = "system";
in ''
/bin/launchctl bootout ${domain-target}/org.nixos.sops-nix && true
/bin/launchctl bootstrap ${domain-target} /Library/LaunchAgents/org.nixos.sops-nix.plist
'';
};
}