wip: feat: draft module to support transparent per-host rekeying

2025-10-10 23:00:39 +02:00 · 2023-01-26 22:37:32 +01:00 · 2023-01-26 22:37:32 +01:00 · 24a8795226
commit 24a8795226
parent 2a6e6c4ad1
3 changed files with 45 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -1 +1,3 @@
 Infrastructure.
+
+Encrypt secrets using `rage -e -R secrets/recipients.txt plaintext > secret.age`.
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -9,6 +9,7 @@
  '';
 in {
  imports = [
+    ./rekey.nix
    ./inputrc.nix
    ./issue.nix
    ./nix.nix
--- a/modules/core/rekey.nix
+++ b/modules/core/rekey.nix
@ -0,0 +1,42 @@
+{
+  lib,
+  options,
+  config,
+  pkgs,
+  ...
+}:
+let
+  rekeySecrets = ageLikeSecrets: let
+    #srcs = map (x: x.file) age; [./secrets/backup.txt ./secrets/recipients.txt];
+    secretFiles = [ ../../secrets/backup.txt ../../secrets/recipients.txt ];
+	masterIdentityPaths = [ ../../secrets/yk1-nix-rage.txt ../../secrets/backup.txt ];
+	masterIdentities = builtins.concatStringsSep " " (map (x: "-i ${x}") masterIdentityPaths);
+	rekeyCommand = secret: ''
+	  ${pkgs.rage}/bin/rage -d ${masterIdentities} ${secret} \
+	    | ${pkgs.rage}/bin/rage -e -i ${rekey.key} -o "$out/${builtins.baseNameOf secret}"
+	  '';
+    rekeyedSecrets = pkgs.stdenv.mkDerivation {
+      name = "host-secrets";
+	  dontUnpack = true;
+	  dontConfigure = true;
+	  dontBuild = true;
+      installPhase = ''
+	    set -euo pipefail
+	    mkdir "$out"
+        # Temporarily
+		${builtins.concatStringsSep "\n" (map rekeyCommand ageLikeSecrets)}
+      '';
+    };
+  in
+    rekeyedSecrets;
+in {
+  config.environment.systemPackages = with pkgs; [rage];
+  # TODO age.identityPaths = [ (generateKeyForHost config.network.hostName) ];
+
+  # Produce a rekeyed age secret for each of the secrets defined in rekey secrets
+  options.rekey.secrets = options.age.secrets;
+  config.age.secrets = rekeySecrets config.rekey.secrets;
+}
+
+#rekey.secrets.my_secret.file = ./secrets/somekey.age;
+#pwdfile = rekey.secrets.mysecret.path;