Skip to content

Commit

Permalink
feat(modules): Add secrets as nixosModules
Browse files Browse the repository at this point in the history
  • Loading branch information
@MartinNikov @PetarKirov
MartinNikov authored and PetarKirov committed May 28, 2024
1 parent 1b9dc78 commit 23ba5a7
Show file tree
Hide file tree
Showing 2 changed files with 118 additions and 0 deletions.
1 change: 1 addition & 0 deletions modules/default.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,5 +5,6 @@
./grafana-agent-flow
./pyroscope
./host-info.nix
./secrets.nix
];
}
117 changes: 117 additions & 0 deletions modules/secrets.nix
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
{withSystem, ...}: {
flake.nixosModules.mcl-secrets = {
config,
options,
lib,
dirs,
...
}: let
eachServiceCfg = config.mcl.secrets.services;
isDebugVM = config.mcl.host-info.isDebugVM;

sshKey = config.mcl.host-info.sshKey;

ageSecretOpts =
builtins.head
(builtins.head
options.age.secrets.type.nestedTypes.elemType.getSubModules)
.imports;

secretDir = let
machineConfigPath = config.mcl.host-info.configPath;
machineSecretDir = machineConfigPath + "/secrets";
vmConfig = dirs.modules + "/default-vm-config";
vmSecretDir = vmConfig + "/secrets";
in
if isDebugVM
then vmSecretDir
else machineSecretDir;
in {
options.mcl.secrets = with lib; {
services = mkOption {
type = types.attrsOf (types.submodule ({config, ...}: let
serviceName = config._module.args.name;
in {
options = {
encryptedSecretDir = mkOption {
type = types.path;
default = secretDir;
};
secrets = mkOption {
default = {};
type = types.attrsOf (types.submoduleWith {
modules = [
ageSecretOpts
({name, ...}: let
secretName = name;
in {
config = {
name = "${serviceName}/${secretName}";
file =
lib.mkDefault (config.encryptedSecretDir + "/${serviceName}/${secretName}.age");
};
})
];
});
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [];
example = ["devops" "secretsAccess"];
description = "Groups which have access to decrypt the secrets.";
};
extraKeys = mkOption {
type = types.listOf types.str;
default = [];
example = ["ssh-ed25519 AAAAC3Nza" "ssh-ed25519 AAAACSNss"];
description = "Groups which have access to decrypt the secrets.";
};
nix-file = mkOption {
default =
if (pathIsRegularFile (config.encryptedSecretDir + "/${serviceName}/secrets.nix"))
then config.encryptedSecretDir + "/${serviceName}/secrets.nix"
else
builtins.toFile "${serviceName}-secrets.nix" ''
let
hostKey = ["${sshKey}"];
extraKeys = ["${concatStringsSep "\"\"" config.extraKeys}"];
in {
${concatMapStringsSep "\n"
(n: "\"${n}.age\".publicKeys = hostKey ++ extraKeys;")
(builtins.attrNames config.secrets)}
}
'';

# groupsKeys = ["${concatStringsSep "\"\"" (mcl-modules.libs.utils.allUserKeysForGroup config.extraGroups)}"];

type = types.path;
};
};
}));
default = {};
example = {
service1.secrets.secretA = {};
service1.secrets.secretB = {};
service2.secrets.secretC = {};
cachix-deploy.secrets.token = {
path = "/etc/cachix-agent.token";
};
};
description = mdDoc "Per-service attrset of encryptedSecretDir and secrets";
};
};

config = lib.mkIf (eachServiceCfg != {}) {
age.secrets = lib.pipe eachServiceCfg [
(lib.mapAttrsToList (serviceName: service:
lib.mapAttrsToList (
secretName: config:
lib.nameValuePair "${serviceName}/${secretName}" config
)
service.secrets))
lib.concatLists
lib.listToAttrs
];
};
};
}

0 comments on commit 23ba5a7

Please sign in to comment.