nixos/modules/security/systemd-creds.nix

   1 { pkgs, lib, config, ... }:
   2 with builtins;
   3 with lib;
   4 let cfg = config.security.systemd-creds; in
   5 {
   6   options.security.systemd-creds = {
   7     target = mkOption {
   8       type = types.str;
   9       description = ''
  10         Destination address of the target host able to encrypt the credentials.
  11         Used by the default {option}`security.systemd-creds.shell`.
  12       '';
  13       default = "root@${config.networking.hostName}.${config.networking.domain}";
  14       defaultText = mdLiteral "root@\${config.networking.hostName}.\${config.networking.domain}";
  15       example = mdLiteral "''${config.networking.hostName}.wg";
  16     };
  17     decrypt = mkOption {
  18       type = with types; listOf str;
  19       description = mdDoc ''
  20         Command to get the cleartext of a credential.
  21         `credBase` is derived from the path of the credential in `LoadCredentialEncrypted=`,
  22         by removing the `storeDir` prefix and then one directory level.
  23       '';
  24       apply = concatStringsSep " ";
  25       default = [ "gpg" "--batch" "--decrypt" "\${credBase%.cred}.gpg" ];
  26       example = [ "pass" "\${credBase%.cred}" ];
  27     };
  28     shell = mkOption {
  29       type = with types; listOf str;
  30       description = mdDoc ''
  31         Command to get a shell on the target host.
  32       '';
  33       apply = concatStringsSep " ";
  34       default = [
  35         "ssh"
  36         "-o"
  37         "StrictHostKeyChecking=yes"
  38         "-o"
  39         "ControlMaster=auto"
  40         "-o"
  41         "ControlPersist=16s"
  42         "\"\${SYSTEMD_CREDS_TARGET:-${cfg.target}}\""
  43       ];
  44       defaultText = mdLiteral ''
  45         ssh -o StrictHostKeyChecking=yes \
  46             -o ControlMaster=auto \
  47             -o ControlPersist=16s \
  48             \"''${SYSTEMD_CREDS_TARGET:-root@''${config.security.systemd-creds.target}}\"
  49       '';
  50       example = [ "sudo" ];
  51     };
  52     encrypt = mkOption {
  53       type = with types; listOf str;
  54       description = mdDoc ''
  55         Command to run `systemd-creds encrypt` on the target host.
  56
  57         ::: {.warning}
  58         Beware that the files `/etc/machine-id`
  59         and `/var/lib/systemd/credential.secret` on the target host,
  60         are both used to encrypt and decrypt when using the `host` key mechanism.
  61         Meaning that reinstalling the system on a new drive
  62         without restoring those two files
  63         will require to reencrypt the credentials.
  64         :::
  65       '';
  66       apply = concatStringsSep " ";
  67       default = [ "systemd-creds" "encrypt" "--name" "\"$credID\"" "--with-key=auto" ];
  68       example = [ "sudo" "systemd-creds" "encrypt" "--with-key=host" ];
  69     };
  70     install = mkOption {
  71       type = with types; listOf str;
  72       apply = concatStringsSep " ";
  73       description = mdDoc ''
  74         Command to install the encrypted credential on the orchestrating host.
  75       '';
  76       default = [ "install" "-D" "-m" "640" "/dev/stdin" "\"$credBase\"" ];
  77     };
  78     script = mkOption {
  79       type = types.lines;
  80       apply = pkgs.writeShellScriptBin "systemd-creds-encrypt-${replaceStrings ["@"] ["-"] cfg.target}";
  81       description = mdDoc ''
  82         Encrypt credentials referenced in the `LoadCredentialEncrypted=`
  83         of enabled systemd services, by running `systemd-creds` on the {option}`security.systemd-creds.target` host.
  84         Only *non-existing* credential files are considered.
  85
  86         Example of use:
  87         ```console
  88         $ sudo wg genkey | gpg --encrypt --sign --recipient @$USER --output wireguard/wg-intra/privateKey.gpg
  89         $ git add wireguard/wg-intra/privateKey.gpg
  90         ```
  91
  92         ```nix
  93         systemd.services."wireguard-wg-intra".serviceConfig.LoadCredentialEncrypted =
  94           [ "privateKey:''${inputs.self}/wireguard/wg-intra/privateKey.cred" ];
  95         ```
  96
  97         ```console
  98         $ nix run .#nixosConfigurations.''${hostName}.config.security.systemd-creds.script
  99         $ git add wireguard/wg-intra/privateKey.cred
 100         ```
 101       '';
 102     };
 103   };
 104   config = {
 105     security.systemd-creds.script = ''
 106       shopt -s extglob globstar nullglob
 107       set -o pipefail
 108       set -eux
 109     '' + concatMapStringsSep "\n"
 110       (service:
 111         concatMapStringsSep "\n"
 112           (credential:
 113             let
 114               cred = splitString ":" credential;
 115               credID = elemAt cred 0;
 116               credPath = elemAt cred 1;
 117             in
 118             ''
 119               credID=${escapeShellArg credID}
 120               credPath=${escapeShellArg credPath}
 121               credBase=''${credPath#${storeDir}/*/}
 122               if test ! -e "$credBase"; then
 123                 { ${cfg.decrypt}; } |
 124                 { ${cfg.shell} -- ${cfg.encrypt} - -; } |
 125                 { ${cfg.install}; }
 126               fi
 127             ''
 128           )
 129           service.serviceConfig.LoadCredentialEncrypted)
 130       (attrValues
 131         (filterAttrs
 132           (_serviceName: service:
 133             service.enable &&
 134               hasAttr "LoadCredentialEncrypted" service.serviceConfig
 135           )
 136           config.systemd.services
 137         )
 138       );
 139   };
 140 }