simplify secrets file format

Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them.
2020-01-12 20:52:38 +01:00 · 2020-01-12 20:52:38 +01:00 · b1e13e9415
commit b1e13e9415
parent 314272a228
15 changed files with 151 additions and 152 deletions
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -0,0 +1,93 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.nix-bitcoin;
+  secretsDir = "/secrets/"; # TODO: make this an option
+
+  setupSecrets = concatStrings (mapAttrsToList (n: v: ''
+    setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
+  '') cfg.secrets);
+in
+{
+  options.nix-bitcoin = {
+    secrets = mkOption {
+      default = {};
+      type = with types; attrsOf (submodule (
+        { config, ... }: {
+          options = {
+            user = mkOption {
+              type = str;
+              default = "root";
+            };
+            group = mkOption {
+              type = str;
+              default = config.user;
+            };
+            permissions = mkOption {
+              type = str;
+              default = "0440";
+            };
+          };
+        }
+      ));
+    };
+
+    setup-secrets = mkEnableOption "Set permissions for secrets generated by 'generate-secrets.sh'";
+  };
+
+  config = mkIf cfg.setup-secrets {
+    systemd.targets.nix-bitcoin-secrets = {
+      requires = [ "setup-secrets.service" ];
+      after = [ "setup-secrets.service" ];
+    };
+
+    # Operation of this service:
+    #  - Create missing secrets that are composed of attrs from secrets.nix
+    #  - Set owner and permissions for all used secrets
+    #  - Make all other secrets accessible to root only
+    # For all steps make sure that no secrets are copied to the nix store.
+    #
+    systemd.services.setup-secrets = {
+      serviceConfig = {
+         Type = "oneshot";
+         RemainAfterExit = true;
+      } // config.nix-bitcoin-services.defaultHardening;
+      script = ''
+        setupSecret() {
+            file="$1"
+            user="$2"
+            group="$3"
+            permissions="$4"
+            if [[ ! -e $file ]]; then
+              echo "Error: Secret file '$file' is missing"
+              exit 1
+            fi
+            chown "$user:$group" "$file"
+            chmod "$permissions" "$file"
+            processedFiles+=("$file")
+        }
+
+        dir="${secretsDir}"
+        if [[ ! -e $dir ]]; then
+          echo "Error: Secrets dir '$dir' is missing"
+          exit 1
+        fi
+        chown root: "$dir"
+        cd "$dir"
+
+        processedFiles=()
+        ${setupSecrets}
+
+        # Make all other files accessible to root only
+        unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort))
+        IFS=$'\n'
+        chown root: $unprocessedFiles
+        chmod 0440 $unprocessedFiles
+
+        # Now make the secrets dir accessible to other users
+        chmod 0751 "$dir"
+      '';
+    };
+  };
+}