oddlama_nix-config/config/secrets.nix

{
config,
inputs,
lib,
...
}:
{
# Register this node's host-local secrets file (`<secretsDir>/local.nix.age`)
# with the repo-wide secret set. Nodes without such a file contribute nothing,
# so the attribute set is empty rather than pointing at a missing path.
repo.secretFiles =
  let
    localSecrets = config.node.secretsDir + "/local.nix.age";
    hasLocalSecrets = lib.pathExists localSecrets;
  in
  if hasLocalSecrets then { local = localSecrets; } else { };
# agenix-rekey parameters: which identities may decrypt the master copies,
# which extra recipients the rekeyed output is also encrypted to, and where
# this host's generated / rekeyed artifacts live inside the repository.
age.rekey =
  let
    secretsCfg = inputs.self.secretsConfig;
    repoRoot = inputs.self.outPath;
    hostName = config.node.name;
  in
  {
    masterIdentities = secretsCfg.masterIdentities;
    extraEncryptionPubkeys = secretsCfg.extraEncryptionPubkeys;
    # The host's own age public key; every secret is rekeyed to it.
    hostPubkey = config.node.secretsDir + "/host.pub";
    # Rekeyed secrets are stored in the repo (below), not derived at build time.
    storageMode = "local";
    generatedSecretsDir = repoRoot + "/secrets/generated/${hostName}";
    localStorageDir = repoRoot + "/secrets/rekeyed/${hostName}";
  };
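# Generator that aggregates one or more password secrets into an htpasswd file.
# Each dependency (`host:name`) becomes one line `<host>+<name>:<bcrypt hash>`;
# the username is derived from the dependency, never from the plaintext.
#
# Each dependency is hashed inside a subshell with `pipefail` enabled, so a
# failing decrypt cannot be masked by htpasswd succeeding on empty stdin
# (which would otherwise emit a valid-looking hash of the empty password).
# This assumes the generator runs under bash (the surrounding script already
# relies on a `die` helper).
age.generators.basic-auth =
  {
    pkgs,
    lib,
    decrypt,
    deps,
    ...
  }:
  let
    htpasswd = "${pkgs.apacheHttpd}/bin/htpasswd";
    # Shell snippet hashing a single dependency and appending it to stdout.
    hashOne =
      {
        name,
        host,
        file,
      }:
      ''
        echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
        # -i: password from stdin, -n: print instead of writing a file,
        # -B -C 12: bcrypt at cost 12. bcrypt only uses the first 72 bytes of
        # the password; anything longer is silently truncated by htpasswd.
        (
          set -o pipefail
          ${decrypt} ${lib.escapeShellArg file} \
            | ${htpasswd} -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name}
        ) || die "Failure while aggregating basic auth hashes"
      '';
  in
  lib.concatMapStrings hashOne deps;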
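# Generator that derives an argon2id password hash from exactly one dependency.
# The output is the encoded hash string (`$argon2id$v=19$m=..,t=..,p=..$salt$hash`),
# which embeds salt and cost parameters, so any argon2 verifier can check it.
#
# Fails evaluation with a clear message when no dependency is given (instead of
# a bare `head: empty list`) and warns when extra dependencies are passed, since
# only the first one is hashed.
#
# The pipeline runs in a subshell with `pipefail` enabled so a failed decrypt
# cannot be masked by `tr`/`argon2` succeeding on empty input (which would
# otherwise produce a valid hash of the empty password). Assumes bash, like the
# `die` helper the surrounding script provides.
age.generators.argon2id =
  {
    pkgs,
    lib,
    decrypt,
    deps,
    ...
  }:
  let
    nDeps = builtins.length deps;
    dep =
      if nDeps == 0 then
        throw "age.generators.argon2id: expected exactly one dependency (the password secret), got none"
      else
        builtins.head deps;
  in
  lib.warnIf (nDeps > 1)
    "age.generators.argon2id: only the first of ${toString nDeps} dependencies is hashed; the others are ignored"
    ''
      echo " -> Deriving argon2id hash from "${lib.escapeShellArg dep.host}":"${lib.escapeShellArg dep.name}"" >&2
      # A fresh 16-byte random salt is drawn per run, so re-generating yields a
      # different but equally valid hash. -id selects argon2id, -e prints only the
      # encoded hash. The salt is not secret (it is embedded in the output), so
      # passing it on the command line is fine.
      # Cost parameters (-t/-m/-p) are whatever the argon2 CLI defaults to;
      # NOTE(review): consider pinning them explicitly so an upstream default
      # change cannot silently alter the strength of newly generated hashes.
      (
        set -o pipefail
        ${decrypt} ${lib.escapeShellArg dep.file} \
          | tr -d '\n' \
          | ${pkgs.libargon2}/bin/argon2 "$(${pkgs.openssl}/bin/openssl rand -base64 16)" -id -e
      ) || die "Failure while generating argon2id hash"
    '';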
# Just before switching, remove /run/agenix if it is a real directory rather
# than the symlink agenix expects. This happens when a secret is used in the
# initrd: it is copied into the initramfs under the same path, which
# materializes /run/agenix as a directory. Agenix then fails to create its
# generation link there; it should probably error out in that case but instead
# silently places the generation link inside the existing directory.
# Only active when this host actually declares agenix secrets.
# TODO See https://github.com/ryantm/agenix/pull/187.
system.activationScripts = lib.mkIf (config.age.secrets != { }) {
  removeAgenixLink.text = ''
    if [[ ! -L /run/agenix && -d /run/agenix ]]; then
      rm -rf /run/agenix
    fi
  '';
  # Make sure the cleanup runs before agenix sets up the new generation.
  agenixNewGeneration.deps = [ "removeAgenixLink" ];
};
}