sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add format-secrets app to run alejandra on hidden configuration

Browse source
This commit is contained in:
oddlama 2023-03-15 17:03:35 +01:00
parent 8947434a1e
commit 6f8f74cc69
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 61 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

9
flake.nix
View file

@ -46,8 +46,15 @@
...
} @ inputs:
{
# The identities that are used to rekey agenix secrets and to
# decrypt all repository-wide secrets.
secrets = {
masterIdentities = [./secrets/yk1-nix-rage.pub];
extraEncryptionPubkeys = [./secrets/backup.pub];
content = import ./nix/secrets.nix inputs;
};
hosts = import ./nix/hosts.nix inputs;
secrets = import ./nix/secrets.nix inputs;
colmena = import ./nix/colmena.nix inputs;
overlays = import ./nix/overlay.nix inputs;
homeConfigurations = import ./nix/home-manager.nix inputs;

BIN
hosts/zackbiene/secrets/secrets.nix.age
View file

Binary file not shown.

27
nix/apps.nix
View file

@ -45,4 +45,31 @@ in
set -euo pipefail
${mapAttrsToLines generateHostKey self.nodes}
'');
format-secrets = let
isAbsolutePath = x: substring 0 1 x == "/";
masterIdentityArgs = concatMapStrings (x: ''-i "${x}" '') self.secrets.masterIdentities;
extraEncryptionPubkeys =
concatMapStrings (
x:
if isAbsolutePath x
then ''-R "${x}" ''
else ''-r "${x}" ''
)
self.secrets.extraEncryptionPubkeys;
formatSecret = path: ''
'';
in
mkApp (pkgs.writeShellScript "format-secrets" ''
set -euo pipefail
[[ -d .git ]] && [[ -f flake.nix ]] || { echo "error: Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
for f in $(find . -type f -name '*.nix.age'); do
echo "Formatting $f ..."
decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
|| { echo "error: Failed to decrypt!" >&2; exit 1; }
formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
|| { echo "error: Failed to format $decrypted!" >&2; exit 1; }
${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
|| { echo "error: Failed to re-encrypt!" >&2; exit 1; }
done
'');
}

10
nix/colmena.nix
View file

@ -14,7 +14,7 @@ with nixpkgs.lib; let
nixosHosts = filterAttrs (_: x: x.type == "nixos") self.hosts;
generateColmenaNode = hostName: _: {
imports = [
({ config, ... }: {
({config, ...}: {
# By default, set networking.hostName to the hostName
networking.hostName = mkDefault hostName;
# Define global flakes for this system
@ -27,8 +27,8 @@ with nixpkgs.lib; let
# Setup parameters for Secrets
rekey.forceRekeyOnSystem = "x86_64-linux";
rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub";
rekey.masterIdentities = [../secrets/yk1-nix-rage.pub];
rekey.extraEncryptionPubkeys = [../secrets/backup.pub];
rekey.masterIdentities = self.secrets.masterIdentities;
rekey.extraEncryptionPubkeys = self.secrets.extraEncryptionPubkeys;
})
(../hosts + "/${hostName}")
home-manager.nixosModules.default
@ -46,12 +46,12 @@ in
nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts;
nodeSpecialArgs =
mapAttrs (hostName: _: {
nodeSecrets = self.secrets.nodes.${hostName};
nodeSecrets = self.secrets.content.nodes.${hostName};
})
nixosHosts;
specialArgs = {
inherit (nixpkgs) lib;
inherit (self) secrets;
secrets = self.secrets.content;
nixos-hardware = nixos-hardware.nixosModules;
#impermanence = impermanence.nixosModules;
};

16
nix/rage-decrypt.sh
View file

@ -2,14 +2,20 @@
set -euo pipefail
print_out_path=false
if [[ "$1" == "--print-out-path" ]]; then
print_out_path=true
shift
fi
file="$1"
[[ "$file" == "/nix/store/"* ]] || { echo "Input must be a store path!"; exit 1; }
shift
identities=("$@")
# Strip .age suffix and store path prefix
# Strip .age suffix, and store path prefix or ./ if applicable
basename="${file%".age"}"
basename="${basename#*"-"}"
[[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}"
[[ "$file" == "./"* ]] && basename="${basename#"./"}"
# Calculate a unique content-based identifier (relocations of
# the source file in the nix store should not affect caching)
@ -29,5 +35,5 @@ if [[ ! -e "$out" ]]; then
rage -d "${args[@]}" -o "$out" "$file"
fi
# Print decrypted content
cat "$out"
# Print out path or decrypted content
[[ "$print_out_path" == true ]] && echo "$out" || cat "$out"

4
nix/secrets.nix
View file

@ -17,8 +17,6 @@
...
} @ inputs:
with nixpkgs.lib; let
# The identities that are used to decrypt any repository-wide secrets.
masterIdentities = [../secrets/yk1-nix-rage.pub];
# If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to
# how modules can be functions or sets.
@ -30,7 +28,7 @@ with nixpkgs.lib; let
importEncrypted = path:
constSet (
if builtins.pathExists path
then builtins.extraBuiltins.rageImportEncrypted masterIdentities path
then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
else {}
);
in

17
secrets/secrets.nix.age
View file

@ -1,9 +1,10 @@
age-encryption.org/v1
-> X25519 vyK4cXkYqS/xic3L1hVfZOm9F2dy41g0k8NtY0S7o0g
pdm+YdbPD+jg9oRGD1m/bSFwmcI6slqCg8bSSHUgyTg
-> piv-p256 xqSe8Q A7Z8dLqDdsXdeMFUI0yZy7IOH+VovH4bzc2dRkCKQYoE
fa0294BZfM4wYXdF1j5BogNpVdgfhnITHIFubQq8G6M
-> X-grease YRM7Gw8# 0\&Rw
SXlWKCRgatc1AAoprriaOmKPrw
--- ybnfcV0t6H0UUl6Oc5z6EYOuLxpeVqh+TcywwgevaFw
aú§­ŹC ˝‹kz  ´DŹMŢYw˙8ß›ż¬”Ú†Î.ńňúOˇ<ŕq.6Ź±vX( ą­ß
-> X25519 jCfz22p8CDk1U/maaSqUBJh4KsHNvu2MM54IG9bVuFI
ChPScrrrFWgg8sVFucu7u5af+BXGgYczIpoohiYQSow
-> piv-p256 xqSe8Q A64wBcZEPJKnAC9xlBc3gbosqhB9sNN/dFZDQSMcB3Kp
9ksGpeSm8WOELDHLeTrttKA1ynDEwxi+jNRWzxQfxMQ
-> DiE~<-grease
p5tg4SCVvfjsWqai9U2ABMsTwBkIa2waWtGdK4/ulHcCHR8CMvYKS9bjjsw/Z0ZH
pwDzZGosmU5vRZxy/HM
--- U08NaDLEjVxdVr4TfeFK07h6ZcaZf1XN79X6mQyLmnk
ťĐňhMˇ�ú*$\¸ł1ń?şćg§‰á€Ŕ¨ěs;kÉ»‡ł"ĂÄwß}ő ˙ąČŮ>