nix-bitcoin/modules/secrets/secrets.nix

{ config, pkgs, lib, ... }:

with lib;
let
  cfg = config.nix-bitcoin;
in
{
  options.nix-bitcoin = {
    secretsDir = mkOption {
      type = types.path;
      default = "/etc/nix-bitcoin-secrets";
      description = "Directory to store secrets";
    };

    setupSecrets = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Set permissions for existing secrets in `nix-bitcoin.secretsDir`.
      '';
    };

    generateSecrets = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Automatically generate all required secrets.
        Make sure to create a backup of the generated secrets.
      '';
    };

    # Currently, this is used only by ../deployment/nixops.nix
    deployment.secretsDir = mkOption {
      type = types.path;
      description = ''
        Directory of local secrets that are transferred to the nix-bitcoin node on deployment
      '';
    };

    secrets = mkOption {
      default = {};
      type = with types; attrsOf (submodule (
        { config, ... }: {
          options = {
            user = mkOption {
              type = str;
              default = "root";
            };
            group = mkOption {
              type = str;
              default = config.user;
            };
            permissions = mkOption {
              type = str;
              default = "0440";
            };
          };
        }
      ));
    };
  };

  config =  {
    systemd.targets.nix-bitcoin-secrets = {};

    nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;

    # Operation of this service:
    #  - Set owner and permissions for all used secrets
    #  - Make all other secrets accessible to root only
    # For all steps make sure that no secrets are copied to the nix store.
    #
    systemd.services.setup-secrets = mkIf cfg.setupSecrets {
      requiredBy = [ "nix-bitcoin-secrets.target" ];
      before = [ "nix-bitcoin-secrets.target" ];
      serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
      };
      script = ''
        ${optionalString cfg.generateSecrets ''
          mkdir -p "${cfg.secretsDir}"
          cd "${cfg.secretsDir}"
          chown root: .
          chmod 0700 .
          ${cfg.pkgs.generate-secrets}
        ''}

        setupSecret() {
            file="$1"
            user="$2"
            group="$3"
            permissions="$4"
            if [[ ! -e $file ]]; then
              echo "Error: Secret file '$file' is missing"
              exit 1
            fi
            chown "$user:$group" "$file"
            chmod "$permissions" "$file"
            processedFiles+=("$file")
        }

        dir="${cfg.secretsDir}"
        if [[ ! -e $dir ]]; then
          echo "Error: Secrets dir '$dir' is missing"
          exit 1
        fi
        chown root: "$dir"
        cd "$dir"

        processedFiles=()
        ${
          concatStrings (mapAttrsToList (n: v: ''
            setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
          '') cfg.secrets)
        }

        # Make all other files accessible to root only
        unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort))
        IFS=$'\n'
        chown root: $unprocessedFiles
        chmod 0440 $unprocessedFiles

        # Now make the secrets dir accessible to other users
        chmod 0751 "$dir"
      '';
    };
  };
}
add setup-secrets.service 2019-11-27 05:04:27 -08:00			`{ config, pkgs, lib, ... }:`

			`with lib;`
			`let`
simplify secrets file format Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them. 2020-01-12 11:52:38 -08:00			`cfg = config.nix-bitcoin;`
add setup-secrets.service 2019-11-27 05:04:27 -08:00			`in`
			`{`
simplify secrets file format Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them. 2020-01-12 11:52:38 -08:00			`options.nix-bitcoin = {`
make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 11:52:39 -08:00			`secretsDir = mkOption {`
			`type = types.path;`
			`default = "/etc/nix-bitcoin-secrets";`
			`description = "Directory to store secrets";`
			`};`

secrets: add option 'generateSecrets' Move this feature from a module preset to a regular option, so that it's easily discoverable and accessible. Simplify the implementation of `generateSecrets` by adding it to the existing `setup-secrets` service script. Also rename option setup-secrets -> setupSecrets. 2021-03-10 05:08:34 -08:00			`setupSecrets = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			Set permissions for existing secrets in `nix-bitcoin.secretsDir`.
			`'';`
			`};`

			`generateSecrets = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Automatically generate all required secrets.`
			`Make sure to create a backup of the generated secrets.`
			`'';`
			`};`

			`# Currently, this is used only by ../deployment/nixops.nix`
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' 2020-02-26 08:11:19 -08:00			`deployment.secretsDir = mkOption {`
			`type = types.path;`
			`description = ''`
Fix typos 2020-08-04 06:32:06 -07:00			`Directory of local secrets that are transferred to the nix-bitcoin node on deployment`
extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' 2020-02-26 08:11:19 -08:00			`'';`
			`};`

simplify secrets file format Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them. 2020-01-12 11:52:38 -08:00			`secrets = mkOption {`
			`default = {};`
			`type = with types; attrsOf (submodule (`
			`{ config, ... }: {`
			`options = {`
			`user = mkOption {`
			`type = str;`
			`default = "root";`
			`};`
			`group = mkOption {`
			`type = str;`
			`default = config.user;`
			`};`
			`permissions = mkOption {`
			`type = str;`
			`default = "0440";`
			`};`
			`};`
			`}`
			`));`
			`};`
			`};`
add setup-secrets.service 2019-11-27 05:04:27 -08:00
secrets: add option 'generateSecrets' Move this feature from a module preset to a regular option, so that it's easily discoverable and accessible. Simplify the implementation of `generateSecrets` by adding it to the existing `setup-secrets` service script. Also rename option setup-secrets -> setupSecrets. 2021-03-10 05:08:34 -08:00			`config = {`
			`systemd.targets.nix-bitcoin-secrets = {};`

			`nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;`
add setup-secrets.service 2019-11-27 05:04:27 -08:00
			`# Operation of this service:`
			`# - Set owner and permissions for all used secrets`
			`# - Make all other secrets accessible to root only`
simplify secrets file format Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them. 2020-01-12 11:52:38 -08:00			`# For all steps make sure that no secrets are copied to the nix store.`
add setup-secrets.service 2019-11-27 05:04:27 -08:00			`#`
secrets: add option 'generateSecrets' Move this feature from a module preset to a regular option, so that it's easily discoverable and accessible. Simplify the implementation of `generateSecrets` by adding it to the existing `setup-secrets` service script. Also rename option setup-secrets -> setupSecrets. 2021-03-10 05:08:34 -08:00			`systemd.services.setup-secrets = mkIf cfg.setupSecrets {`
			`requiredBy = [ "nix-bitcoin-secrets.target" ];`
			`before = [ "nix-bitcoin-secrets.target" ];`
add setup-secrets.service 2019-11-27 05:04:27 -08:00			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
{generate,setup}-secrets: remove process hardening ProtectSystem=full disables writing to /etc which is the default secrets location. Besides that, hardening is pointless for {generate,setup}-secrets which don't read external input and are fully under our control. 2020-02-26 11:37:47 -08:00			`};`
add setup-secrets.service 2019-11-27 05:04:27 -08:00			`script = ''`
secrets: add option 'generateSecrets' Move this feature from a module preset to a regular option, so that it's easily discoverable and accessible. Simplify the implementation of `generateSecrets` by adding it to the existing `setup-secrets` service script. Also rename option setup-secrets -> setupSecrets. 2021-03-10 05:08:34 -08:00			`${optionalString cfg.generateSecrets ''`
			`mkdir -p "${cfg.secretsDir}"`
			`cd "${cfg.secretsDir}"`
			`chown root: .`
			`chmod 0700 .`
			`${cfg.pkgs.generate-secrets}`
			`''}`

add setup-secrets.service 2019-11-27 05:04:27 -08:00			`setupSecret() {`
			`file="$1"`
			`user="$2"`
			`group="$3"`
			`permissions="$4"`
			`if [[ ! -e $file ]]; then`
simplify secrets file format Each secret file to be deployed is now backed by one local file. This simplifies 'setup-secrets' and the secret definitions. Also, with the old format it was not possible to add new secrets to secrets.nix in a simple way. Old secrets are automatically converted to the new format when running nix-shell. Using the new option 'nix-bitcoin.secrets', secrets are now directly defined by the services that use them. 2020-01-12 11:52:38 -08:00			`echo "Error: Secret file '$file' is missing"`
			`exit 1`
add setup-secrets.service 2019-11-27 05:04:27 -08:00			`fi`
			`chown "$user:$group" "$file"`
			`chmod "$permissions" "$file"`
			`processedFiles+=("$file")`
			`}`

make secrets dir location configurable Users of the nix-bitcoin modules shouldn't be forced to add an extra dir under root. The secrets location is unchanged for the default node config. 2020-01-12 11:52:39 -08:00			`dir="${cfg.secretsDir}"`
add setup-secrets.service 2019-11-27 05:04:27 -08:00			`if [[ ! -e $dir ]]; then`
			`echo "Error: Secrets dir '$dir' is missing"`
			`exit 1`
			`fi`
			`chown root: "$dir"`
			`cd "$dir"`

			`processedFiles=()`
secrets: add option 'generateSecrets' Move this feature from a module preset to a regular option, so that it's easily discoverable and accessible. Simplify the implementation of `generateSecrets` by adding it to the existing `setup-secrets` service script. Also rename option setup-secrets -> setupSecrets. 2021-03-10 05:08:34 -08:00			`${`
			`concatStrings (mapAttrsToList (n: v: ''`
			`setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }`
			`'') cfg.secrets)`
			`}`
add setup-secrets.service 2019-11-27 05:04:27 -08:00
			`# Make all other files accessible to root only`
			`unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" \| sort))`
			`IFS=$'\n'`
			`chown root: $unprocessedFiles`
			`chmod 0440 $unprocessedFiles`

			`# Now make the secrets dir accessible to other users`
			`chmod 0751 "$dir"`
			`'';`
			`};`
			`};`
			`}`