feat: implement repository-wide secrets

flake.nix

@@ -47,6 +47,7 @@
   } @ inputs:
     {
       hosts = import ./nix/hosts.nix inputs;
+      secrets = import ./nix/secrets.nix inputs;
       colmena = import ./nix/colmena.nix inputs;
       overlays = import ./nix/overlay.nix inputs;
       homeConfigurations = import ./nix/home-manager.nix inputs;

hosts/zackbiene/default.nix

@@ -20,6 +20,7 @@
     ./mosquitto.nix
     ./zigbee2mqtt.nix
     ./esphome.nix
+    ./nginx.nix
   ];
 
   boot.loader.grub.enable = false;

hosts/zackbiene/nginx.nix

@@ -0,0 +1,43 @@
+{
+  lib,
+  config,
+  nodeSecrets,
+  ...
+}: {
+  #security.acme.acceptTerms = true;
+  #security.acme.defaults.email = "admin+acme@example.com";
+  services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    ## SSL config
+    #ssl_protocols TLSv1.2 TLSv1.3;
+    #ssl_dhparam /etc/nginx/dhparam.pem;
+    #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    #ssl_ecdh_curve secp384r1;
+    #ssl_session_timeout 10m;
+    #ssl_session_cache shared:SSL:10m;
+    #ssl_session_tickets off;
+    #
+    ## OCSP stapling
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+
+    virtualHosts = {
+      "${nodeSecrets.zigbee2mqtt.domain}" = {
+        #forceSSL = true;
+        #enableACME = true;
+        locations."/" = {
+          root = "/var/www";
+        };
+      };
+    };
+  };
+}

hosts/zackbiene/secrets/secrets.nix.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 i6aU9NyNgN17pez4P33oV7d/HNDirMTDIDvZQiWyD0U
+3TgVPXyYypC+b7c17ZoV1ZbASpqzgskJ0OUVtBgxhFk
+-> piv-p256 xqSe8Q A3kpyhwhqEsSqoVD7SB8VK5dU0ZiOrsOdloF+iviN/mq
+W315d5mn13I4JWpsut801LKgGieKF8NIuJ6TeF4wCtI
+-> Vzkv-grease u
+ScmUF1PthzjmA8USzPlx5s5zcTDMGb2zcniHiOHz/ax4cTDKtnDgr8hI6r/6cKXs
+5EkFcJHCI4nNFSCK8WHIIaGDpWWB6YrkkicVQU9K7QRa57xhVniotpH1rOnbEcFN
+j5M
+--- 4rSnr2uChIZoKOe3DDWFK/3JUUPAst1LDOulv1WN1Ek
+þÊýÔ´‹âW…b^zËrFç<Zh®šp	ʘëöѬzf# & ëÔφÖ\ÑlÝDQÅwé9º#¢ÕS¢ü0ÜF¢A’/N
ãŽ%Ûßxÿ�™¸uÄl„

modules/core/default.nix

@@ -77,12 +77,6 @@ in {
 
   users.mutableUsers = false;
 
-  # Setup to use Secrets
-  rekey.forceRekeyOnSystem = "x86_64-linux";
-  rekey.hostPubkey = ../../secrets/pubkeys + "/${config.networking.hostName}.pub";
-  rekey.masterIdentities = [../../secrets/yk1-nix-rage.pub];
-  rekey.extraEncryptionPubkeys = [../../secrets/backup.pub];
-
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;

modules/core/nix.nix

@@ -1,4 +1,4 @@
-{
+{pkgs, ...}: {
   nix = {
     settings = {
       auto-optimise-store = true;
@@ -23,6 +23,8 @@
       builders-use-substitutes = true
       experimental-features = nix-command flakes recursive-nix
       flake-registry = /etc/nix/registry.json
+      plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+      extra-builtins-file = ${../../nix/extra-builtins.nix}
     '';
     optimise.automatic = true;
     gc.automatic = true;

nix/colmena.nix

@@ -24,6 +24,11 @@ with nixpkgs.lib; let
           pkgs.flake = nixpkgs;
           templates.flake = templates;
         };
+        # Setup parameters for Secrets
+        rekey.forceRekeyOnSystem = "x86_64-linux";
+        rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub";
+        rekey.masterIdentities = [../secrets/yk1-nix-rage.pub];
+        rekey.extraEncryptionPubkeys = [../secrets/backup.pub];
       }
       (../hosts + "/${hostName}")
       home-manager.nixosModules.default
@@ -39,9 +44,14 @@ in
       # Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
       nixpkgs = self.pkgs.x86_64-linux;
       nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts;
-      #nodeSpecialArgs = mapAttrs (hostName: { system, ... }: {}) nixosHosts;
+      nodeSpecialArgs =
+        mapAttrs (hostName: _: {
+          nodeSecrets = self.secrets.nodes.${hostName};
+        })
+        nixosHosts;
       specialArgs = {
         inherit (nixpkgs) lib;
+        inherit (self) secrets;
         nixos-hardware = nixos-hardware.nixosModules;
         #impermanence = impermanence.nixosModules;
       };

nix/extra-builtins.nix

@@ -0,0 +1,29 @@
+# This file is intended to be used together with pkgs.nix-plugins,
+# to provide rage decryption as an additional safe builtin.
+#
+# Make sure that nix-plugins is installed by adding the following
+# statement to your configuration.nix:
+#
+# ```nix
+# {
+#   nix.extraOptions = ''
+#     plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+#     # Please adjust path accordingly, or leave this out and alternativaly
+#     # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
+#     extra-builtins-file = ./extra-builtins.nix
+#   '';
+# }
+# ```
+{exec, ...}: let
+  assertMsg = pred: msg: pred || builtins.throw msg;
+  hasSuffix = suffix: content: let
+    lenContent = builtins.stringLength content;
+    lenSuffix = builtins.stringLength suffix;
+  in
+    lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
+in {
+  rageImportDecrypt = identities: nixFile:
+    assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
+    assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+      exec (["rage" "-d"] ++ (builtins.concatMap (x: ["-i" x]) identities) ++ [nixFile]);
+}

nix/secrets.nix

@@ -0,0 +1,31 @@
+# This file manages access to repository-secrets. Anything that is technically
+# not a secret on your hosts, but something you want to keep secret from the public.
+# Anything you don't want people to see on GitHub that isn't a password or encrypted
+# using agenix.
+#
+# All of these secrets may (and probably will be) put into the world-readable nix-store
+# on the build and target hosts. You'll most likely want to store personally identifiable
+# information here, such as:
+#   - MAC Addreses
+#   - Static IP addresses
+#   - Your full name (when configuring e.g. users)
+#   - Your postal address (when configuring e.g. home-assistant)
+#   - ...
+{
+  self,
+  nixpkgs,
+  ...
+} @ inputs:
+with nixpkgs.lib; let
+  mergeArray = f: unique (concatLists (mapAttrsToList (_: f) self.nodes));
+  mergedMasterIdentities = mergeArray (x: x.config.rekey.masterIdentities or []);
+  # "Imports" an encrypted .nix.age file
+  importEncrypted = path:
+    if builtins.pathExists path
+    then builtins.extraBuiltins.rageImportDecrypt mergedMasterIdentities path
+    else _: {};
+in
+  (importEncrypted ../secrets/secrets.nix.age inputs)
+  // {
+    nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.nodes;
+  }