From 24a87952260b4ce02b4866381544da007f381458 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Thu, 26 Jan 2023 22:37:32 +0100
Subject: [PATCH] wip: feat: draft module to support transparent per-host rekeying

---
 README.md | 2 ++
 modules/core/default.nix | 1 +
 modules/core/rekey.nix | 42 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 modules/core/rekey.nix

diff --git a/README.md b/README.md
index 1301067..992dca9 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,3 @@
 Infrastructure.
+
+Encrypt secrets using `rage -e -R secrets/recipients.txt plaintext > secret.age`.
diff --git a/modules/core/default.nix b/modules/core/default.nix
index af9331d..f276224 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -9,6 +9,7 @@
 '';
 in {
 imports = [
+ ./rekey.nix
 ./inputrc.nix
 ./issue.nix
 ./nix.nix
diff --git a/modules/core/rekey.nix b/modules/core/rekey.nix
new file mode 100644
index 0000000..f332f98
--- /dev/null
+++ b/modules/core/rekey.nix
@@ -0,0 +1,42 @@
+{
+ lib,
+ options,
+ config,
+ pkgs,
+ ...
+}:
+let
+ rekeySecrets = ageLikeSecrets: let
+ #srcs = map (x: x.file) age; [./secrets/backup.txt ./secrets/recipients.txt];
+ secretFiles = [ ../../secrets/backup.txt ../../secrets/recipients.txt ];
+ masterIdentityPaths = [ ../../secrets/yk1-nix-rage.txt ../../secrets/backup.txt ];
+ masterIdentities = builtins.concatStringsSep " " (map (x: "-i ${x}") masterIdentityPaths);
+ rekeyCommand = secret: ''
+ ${pkgs.rage}/bin/rage -d ${masterIdentities} ${secret} \
+ | ${pkgs.rage}/bin/rage -e -i ${rekey.key} -o "$out/${builtins.baseNameOf secret}"
+ '';
+ rekeyedSecrets = pkgs.stdenv.mkDerivation {
+ name = "host-secrets";
+ dontUnpack = true;
+ dontConfigure = true;
+ dontBuild = true;
+ installPhase = ''
+ set -euo pipefail
+ mkdir "$out"
+ # Temporarily
+ ${builtins.concatStringsSep "\n" (map rekeyCommand ageLikeSecrets)}
+ '';
+ };
+ in
+ rekeyedSecrets;
+in {
+ config.environment.systemPackages = with pkgs; [rage];
+ # TODO age.identityPaths = [ (generateKeyForHost config.network.hostName) ];
+
+ # Produce a rekeyed age secret for each of the secrets defined in rekey secrets
+ options.rekey.secrets = options.age.secrets;
+ config.age.secrets = rekeySecrets config.rekey.secrets;
+}
+
+#rekey.secrets.my_secret.file = ./secrets/somekey.age;
+#pwdfile = rekey.secrets.mysecret.path;
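Review bot: Interpolating `masterIdentityPaths` into the build script via `"-i ${x}"` (and `${secret}` on the same `rekeyCommand` line) copies each Nix path literal into the Nix store, so a plaintext age identity such as `../../secrets/backup.txt` would land world-readable under `/nix/store` and travel with the `host-secrets` derivation to any binary cache it is pushed to. Because the purpose of this module is to derive per-host secrets from a master identity, the decrypt-and-re-encrypt step should run outside the build sandbox with the identities supplied as runtime paths, leaving only the rekeyed, host-encrypted outputs as store contents; the YubiKey-backed `yk1-nix-rage.txt` identity presumably cannot be used from inside the sandbox anyway, which is worth confirming before the design is finalized. Two smaller points on the same hunk: `rekey.key` on the re-encrypt line is not bound anywhere in this file, and `secretFiles` is assigned but never read. I would also replace the `# Temporarily` comment in `installPhase` with one stating the contract, e.g. `# One rage pipeline per secret: decrypt with the master identities, re-encrypt to this host's key into $out`.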