add setup-secrets.service
This commit is contained in:
parent
437b268433
commit
e3b47ce18a
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
secrets/
|
/secrets/
|
||||||
|
@ -23,6 +23,7 @@ in {
|
|||||||
./recurring-donations.nix
|
./recurring-donations.nix
|
||||||
./hardware-wallets.nix
|
./hardware-wallets.nix
|
||||||
./lnd.nix
|
./lnd.nix
|
||||||
|
./secrets/setup-secrets.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
disabledModules = [ "services/networking/bitcoind.nix" ];
|
disabledModules = [ "services/networking/bitcoind.nix" ];
|
||||||
|
94
modules/secrets/setup-secrets.nix
Normal file
94
modules/secrets/setup-secrets.nix
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
secretsDir = "/secrets/"; # TODO: make this an option
|
||||||
|
|
||||||
|
secrets = (import ./make-secrets.nix { inherit config; }).activeSecrets;
|
||||||
|
|
||||||
|
setupSecrets = concatStrings (mapAttrsToList (n: v: ''
|
||||||
|
setupSecret ${n} ${v.user} ${v.group} ${v.permissions} ${optionalString (v.keyFile != null) (baseNameOf v.keyFile)}
|
||||||
|
'') secrets);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.nix-bitcoin.setup-secrets = mkEnableOption "Set permissions for secrets generated by 'generate-secrets.sh'";
|
||||||
|
|
||||||
|
config = mkIf config.nix-bitcoin.setup-secrets {
|
||||||
|
systemd.targets.nix-bitcoin-secrets = {
|
||||||
|
requires = [ "setup-secrets.service" ];
|
||||||
|
after = [ "setup-secrets.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Operation of this service:
|
||||||
|
# - Create missing secrets that are composed of attrs from secrets.nix
|
||||||
|
# - Set owner and permissions for all used secrets
|
||||||
|
# - Make all other secrets accessible to root only
|
||||||
|
# For all steps make sure that no secrets are copied to the nix-store.
|
||||||
|
#
|
||||||
|
systemd.services.setup-secrets = {
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
} // config.nix-bitcoin-services.defaultHardening;
|
||||||
|
script = ''
|
||||||
|
setupSecret() {
|
||||||
|
file="$1"
|
||||||
|
user="$2"
|
||||||
|
group="$3"
|
||||||
|
permissions="$4"
|
||||||
|
srcFile="$5"
|
||||||
|
if [[ ! -e $file ]]; then
|
||||||
|
if [[ $srcFile ]]; then
|
||||||
|
if [[ ! -e $srcFile ]]; then
|
||||||
|
echo "Error: Secret source file '$srcFile' is missing"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
mv "$srcFile" "$file"
|
||||||
|
else
|
||||||
|
createFile "$file"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
chown "$user:$group" "$file"
|
||||||
|
chmod "$permissions" "$file"
|
||||||
|
processedFiles+=("$file")
|
||||||
|
}
|
||||||
|
|
||||||
|
createFile() {
|
||||||
|
file="$1"
|
||||||
|
# 'nix eval' requires filesystem or daemon access to a store even if nothing is built.
|
||||||
|
# Use a private store so that 'nix eval' always succeeds regardless of the
|
||||||
|
# execution environment, like a container.
|
||||||
|
|
||||||
|
# This tmp dir is automatically removed by systemd via PrivateTmp
|
||||||
|
[[ $store ]] || store="$(mktemp -d)"
|
||||||
|
secretsFile="$(realpath secrets.nix)" \
|
||||||
|
${pkgs.nix}/bin/nix eval --raw --store "$store" "(
|
||||||
|
(import ${./make-secrets.nix} {
|
||||||
|
secretsFile = builtins.getEnv \"secretsFile\";
|
||||||
|
}).allSecrets.$file.text
|
||||||
|
)" > "$file"
|
||||||
|
}
|
||||||
|
|
||||||
|
dir="${secretsDir}"
|
||||||
|
if [[ ! -e $dir ]]; then
|
||||||
|
echo "Error: Secrets dir '$dir' is missing"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
chown root: "$dir"
|
||||||
|
cd "$dir"
|
||||||
|
|
||||||
|
processedFiles=()
|
||||||
|
${setupSecrets}
|
||||||
|
|
||||||
|
# Make all other files accessible to root only
|
||||||
|
unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort))
|
||||||
|
IFS=$'\n'
|
||||||
|
chown root: $unprocessedFiles
|
||||||
|
chmod 0440 $unprocessedFiles
|
||||||
|
|
||||||
|
# Now make the secrets dir accessible to other users
|
||||||
|
chmod 0751 "$dir"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user