mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: add format-secrets app to run alejandra on hidden configuration

Browse source
This commit is contained in:
oddlama 2023-03-15 17:03:35 +01:00
parent 8947434a1e
commit 6f8f74cc69
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 61 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

9
flake.nix
View file

@ -46,8 +46,15 @@
... ...
} @ inputs: } @ inputs:
{ {
# The identities that are used to rekey agenix secrets and to
# decrypt all repository-wide secrets.
secrets = {
masterIdentities = [./secrets/yk1-nix-rage.pub];
extraEncryptionPubkeys = [./secrets/backup.pub];
content = import ./nix/secrets.nix inputs;
};
hosts = import ./nix/hosts.nix inputs; hosts = import ./nix/hosts.nix inputs;
secrets = import ./nix/secrets.nix inputs;
colmena = import ./nix/colmena.nix inputs; colmena = import ./nix/colmena.nix inputs;
overlays = import ./nix/overlay.nix inputs; overlays = import ./nix/overlay.nix inputs;
homeConfigurations = import ./nix/home-manager.nix inputs; homeConfigurations = import ./nix/home-manager.nix inputs;

BIN
hosts/zackbiene/secrets/secrets.nix.age
View file

Binary file not shown.

27
nix/apps.nix
View file

@ -45,4 +45,31 @@ in
set -euo pipefail set -euo pipefail
${mapAttrsToLines generateHostKey self.nodes} ${mapAttrsToLines generateHostKey self.nodes}
''); '');
format-secrets = let
isAbsolutePath = x: substring 0 1 x == "/";
masterIdentityArgs = concatMapStrings (x: ''-i "${x}" '') self.secrets.masterIdentities;
extraEncryptionPubkeys =
concatMapStrings (
x:
if isAbsolutePath x
then ''-R "${x}" ''
else ''-r "${x}" ''
)
self.secrets.extraEncryptionPubkeys;
formatSecret = path: ''
'';
in
mkApp (pkgs.writeShellScript "format-secrets" ''
set -euo pipefail
[[ -d .git ]] && [[ -f flake.nix ]] || { echo "error: Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
for f in $(find . -type f -name '*.nix.age'); do
echo "Formatting $f ..."
decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
|| { echo "error: Failed to format $decrypted!" >&2; exit 1; }
${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
|| { echo "error: Failed to re-encrypt!" >&2; exit 1; }
done
'');
} }

10
nix/colmena.nix
View file

@ -14,7 +14,7 @@ with nixpkgs.lib; let
nixosHosts = filterAttrs (_: x: x.type == "nixos") self.hosts; nixosHosts = filterAttrs (_: x: x.type == "nixos") self.hosts;
generateColmenaNode = hostName: _: { generateColmenaNode = hostName: _: {
imports = [ imports = [
({ config, ... }: { ({config, ...}: {
# By default, set networking.hostName to the hostName # By default, set networking.hostName to the hostName
networking.hostName = mkDefault hostName; networking.hostName = mkDefault hostName;
# Define global flakes for this system # Define global flakes for this system
@ -27,8 +27,8 @@ with nixpkgs.lib; let
# Setup parameters for Secrets # Setup parameters for Secrets
rekey.forceRekeyOnSystem = "x86_64-linux"; rekey.forceRekeyOnSystem = "x86_64-linux";
rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub"; rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub";
rekey.masterIdentities = [../secrets/yk1-nix-rage.pub]; rekey.masterIdentities = self.secrets.masterIdentities;
rekey.extraEncryptionPubkeys = [../secrets/backup.pub]; rekey.extraEncryptionPubkeys = self.secrets.extraEncryptionPubkeys;
}) })
(../hosts + "/${hostName}") (../hosts + "/${hostName}")
home-manager.nixosModules.default home-manager.nixosModules.default
@ -46,12 +46,12 @@ in
nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts; nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts;
nodeSpecialArgs = nodeSpecialArgs =
mapAttrs (hostName: _: { mapAttrs (hostName: _: {
nodeSecrets = self.secrets.nodes.${hostName}; nodeSecrets = self.secrets.content.nodes.${hostName};
}) })
nixosHosts; nixosHosts;
specialArgs = { specialArgs = {
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
inherit (self) secrets; secrets = self.secrets.content;
nixos-hardware = nixos-hardware.nixosModules; nixos-hardware = nixos-hardware.nixosModules;
#impermanence = impermanence.nixosModules; #impermanence = impermanence.nixosModules;
}; };

16
nix/rage-decrypt.sh
View file

@ -2,14 +2,20 @@
set -euo pipefail set -euo pipefail
print_out_path=false
if [[ "$1" == "--print-out-path" ]]; then
print_out_path=true
shift
fi
file="$1" file="$1"
[[ "$file" == "/nix/store/"* ]] || { echo "Input must be a store path!"; exit 1; }
shift shift
identities=("$@") identities=("$@")
# Strip .age suffix and store path prefix # Strip .age suffix, and store path prefix or ./ if applicable
basename="${file%".age"}" basename="${file%".age"}"
basename="${basename#*"-"}" [[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}"
[[ "$file" == "./"* ]] && basename="${basename#"./"}"
# Calculate a unique content-based identifier (relocations of # Calculate a unique content-based identifier (relocations of
# the source file in the nix store should not affect caching) # the source file in the nix store should not affect caching)
@ -29,5 +35,5 @@ if [[ ! -e "$out" ]]; then
rage -d "${args[@]}" -o "$out" "$file" rage -d "${args[@]}" -o "$out" "$file"
fi fi
# Print decrypted content # Print out path or decrypted content
cat "$out" [[ "$print_out_path" == true ]] && echo "$out" || cat "$out"

4
nix/secrets.nix
View file

@ -17,8 +17,6 @@
... ...
} @ inputs: } @ inputs:
with nixpkgs.lib; let with nixpkgs.lib; let
# The identities that are used to decrypt any repository-wide secrets.
masterIdentities = [../secrets/yk1-nix-rage.pub];
# If the given expression is a bare set, it will be wrapped in a function, # If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to # so that the imported file can always be applied to the inputs, similar to
# how modules can be functions or sets. # how modules can be functions or sets.
@ -30,7 +28,7 @@ with nixpkgs.lib; let
importEncrypted = path: importEncrypted = path:
constSet ( constSet (
if builtins.pathExists path if builtins.pathExists path
then builtins.extraBuiltins.rageImportEncrypted masterIdentities path then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
else {} else {}
); );
in in

17
secrets/secrets.nix.age
View file

@ -1,9 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> X25519 vyK4cXkYqS/xic3L1hVfZOm9F2dy41g0k8NtY0S7o0g -> X25519 jCfz22p8CDk1U/maaSqUBJh4KsHNvu2MM54IG9bVuFI
pdm+YdbPD+jg9oRGD1m/bSFwmcI6slqCg8bSSHUgyTg ChPScrrrFWgg8sVFucu7u5af+BXGgYczIpoohiYQSow
-> piv-p256 xqSe8Q A7Z8dLqDdsXdeMFUI0yZy7IOH+VovH4bzc2dRkCKQYoE -> piv-p256 xqSe8Q A64wBcZEPJKnAC9xlBc3gbosqhB9sNN/dFZDQSMcB3Kp
fa0294BZfM4wYXdF1j5BogNpVdgfhnITHIFubQq8G6M 9ksGpeSm8WOELDHLeTrttKA1ynDEwxi+jNRWzxQfxMQ
-> X-grease YRM7Gw8# 0\&Rw -> DiE~<-grease
SXlWKCRgatc1AAoprriaOmKPrw p5tg4SCVvfjsWqai9U2ABMsTwBkIa2waWtGdK4/ulHcCHR8CMvYKS9bjjsw/Z0ZH
--- ybnfcV0t6H0UUl6Oc5z6EYOuLxpeVqh+TcywwgevaFw pwDzZGosmU5vRZxy/HM
aú§­ŹC ˝‹kz  ´DŹMŢYw˙8ß›ż¬”Ú†Î.ńňúOˇ<ŕq.6Ź±vX( ą­ß --- U08NaDLEjVxdVr4TfeFK07h6ZcaZf1XN79X6mQyLmnk
ťĐňhMˇ�ú*$\¸ł1ń?şćg§‰á€Ŕ¨ěs;kÉ»‡ł"ĂÄwß}ő ˙ąČŮ>