sad: this will be useless, but it has been a nice journey.

2025-10-11 07:10:39 +02:00 · 2023-01-28 02:51:13 +01:00 · 2023-01-28 02:51:13 +01:00 · 9d1253c03b
commit 9d1253c03b
parent 92cf272cd1
3 changed files with 86 additions and 69 deletions
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -33,7 +33,7 @@ in {
  rekey.agePlugins = with pkgs; [age-plugin-yubikey];

  rekey.secrets.yolo.file = ./yolo.age;
-  environment.etc."YOLO" = config.rekey.secrets.yolo.path;
+  environment.etc."YOLO".source = config.rekey.secrets.yolo.path;

  home-manager = {
    useGlobalPkgs = true;
--- a/modules/core/rekey.nix
+++ b/modules/core/rekey.nix
@ -6,11 +6,13 @@
  ...
 }:
 with lib; {
-  config.environment.systemPackages = with pkgs; [rage];
-  config.age = {
-    secrets = let
-      rekeyedSecrets = lazyDerivation {
-        derivation = pkgs.stdenv.mkDerivation rec {
+  # TODO add /run to sandbox only for THIS derivation
+  # TODO interactiveness how
+  # TODO yubikeySupport=true convenience option
+  # TODO rekeyed secrets should only strip store path, not do basename
+
+  config = let
+    rekeyedSecrets = pkgs.stdenv.mkDerivation rec {
      pname = "host-secrets";
      version = "1.0.0";
      description = "Rekeyed secrets for this host.";
@ -30,12 +32,14 @@ with lib; {
        masterIdentityArgs = concatMapStrings (x: ''-i "${x}" '') config.rekey.masterIdentityPaths;
        rekeyCommand = secret: ''
          echo "Rekeying ${secret}" >&2
-                    ${pkgs.rage}/bin/rage ${masterIdentityArgs} -d ${secret}
-                      | ${pkgs.rage}/bin/rage -r "${hostPubkeyStr}" -o "$out/${baseNameOf secret}" -e
+          ${pkgs.rage}/bin/rage ${masterIdentityArgs} -d ${secret} \
+            | ${pkgs.rage}/bin/rage -r "${hostPubkeyStr}" -o "$out/${baseNameOf secret}" -e \
+            || { echo 1 > $out/status ; echo "error while rekeying secret!" | ${pkgs.rage}/bin/rage -r "${hostPubkeyStr}" -o "$out/${baseNameOf secret}" -e ; }
        '';
      in ''
        set -euo pipefail
        mkdir "$out"
+        echo 0 > $out/status

        # Enable selected age plugins
        export PATH="$PATH${concatMapStrings (x: ":${x}/bin") config.rekey.agePlugins}"
@ -43,42 +47,57 @@ with lib; {
        ${concatStringsSep "\n" (map rekeyCommand allSecrets)}
      '';
    };
-      };
    rekeyedSecretPath = secret: "${rekeyedSecrets}/${baseNameOf secret}";
  in
+    mkIf (config.rekey.secrets != {}) {
+      environment.systemPackages = with pkgs; [rage];
+
+      # This polkit rule allows the nixbld users to access the pcsc-lite daemon,
+      # which is necessary to rekey the secrets.
+      security.polkit.extraConfig = mkIf (elem pkgs.age-plugin-yubikey config.rekey.agePlugins) ''
+        polkit.addRule(function(action, subject) {
+          if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
+              subject.user.match(/^nixbld\d+$/))
+            return polkit.Result.YES;
+        });
+      '';
+
+      age.secrets =
        # Produce a rekeyed age secret for each of the secrets defined in our secrets
-      mapAttrs (_: secret:
+        mapAttrs (_:
          mapAttrs (name: value:
            if name == "file"
            then rekeyedSecretPath value
-          else value)
-        secret)
+            else value))
        config.rekey.secrets;

-    identityPaths = mkForce config.rekey.agePubkey;
-  };
-  config.assertions = mkIf (config.rekey.secrets != {}) [
+      assertions = [
        {
          assertion = pathExists config.rekey.hostPubkey;
-      message = "The public key required to rekey secrets for this host doesn't exist. If this is the first deploy, use a mock key until you know the real one.";
+          message = ''
+            The path config.rekey.hostPubkey (${toString config.rekey.hostPubkey}) doesn't exist, but is required to rekey secrets for this host.
+            If this is the first deploy, use a mock key until you know the real one.
+          '';
        }
        {
          assertion = config.rekey.masterIdentityPaths != [];
          message = "rekey.masterIdentityPaths must be set.";
        }
      ];
-  config.warnings = let
+
+      warnings = let
        hasGoodSuffix = x: strings.hasSuffix ".age" x || strings.hasSuffix ".pub" x;
      in
-    mkIf (!all hasGoodSuffix config.rekey.masterIdentityPaths) [
+        optional (toInt (readFile "${rekeyedSecrets}/status") == 1) "Failed to rekey secrets! Run nix log ${rekeyedSecrets}.drv for more information."
+        ++ optional (!all hasGoodSuffix config.rekey.masterIdentityPaths)
        ''
          It seems like at least one of your rekey.masterIdentityPaths contains an
          unencrypted age identity. These files will be copied to the nix store, so
          make sure they don't contain any secret information!

          To silence this warning, encrypt your keys and name them *.pub or *.age.
-      ''
-    ];
+        '';
+    };

  options = {
    rekey.secrets = options.age.secrets;
@ -128,6 +147,3 @@ with lib; {
    };
  };
 }
-#rekey.secrets.my_secret.file = ./secrets/somekey.age;
-#pwdfile = rekey.secrets.mysecret.path;
-
--- a/secrets/pubkeys/ward.pub
+++ b/secrets/pubkeys/ward.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9HTyQjzIDPkMP90MV5f1zwearLFPF8KkLpAnEYEfJ
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES9HTyQjzIDPkMP90MV5f1zwearLFPF8KkLpAnEYEfJ`