nix: add a GC root for each machine
# Security-related NixOS settings for this machine.
# All secret material is resolved through the `pass` flake input at install
# time; nothing secret is stored in this file itself.
{ inputs, pkgs, lib, config, machineName, ... }:
let
  inherit (config.security) gnupg;
  # Entries inside the machine's password store (see security.gnupg.store).
  # rootKey and keygrip are only referenced by the disabled installer hook below.
  rootKey = "root/key";
  initrdKey = "initrd/ssh.key";
  # Keygrip of the root GnuPG key: the disabled hook looks it up in the remote
  # gpg-agent (`keyinfo --list`) and presets its passphrase with it.
  keygrip = "89F52A879E0019A966503AFFDE72EEA84CDFA3A7";
in
{
  # Per-machine subtree of the `pass` input used as this host's GnuPG store.
  security.gnupg.store = inputs.pass + "/machines/${machineName}";
  # Explicitly keep the standard libc allocator; the hardened allocator
  # alternatives NixOS offers for this option are not enabled here.
  environment.memoryAllocator.provider = "libc";
  # Let sshd unlink a stale Unix-domain socket before binding a forwarded one,
  # so repeated socket forwarding (presumably an agent socket) does not fail on
  # a leftover file.
  services.openssh.extraConfig = ''
    StreamLocalBindUnlink yes
  '';
  /*
  Disabled installer hook. When active it ran, ahead of the rest of the
  install script:
    1. decrypted the initrd SSH host key from the store and installed it on the
       target as /root/${initrdKey} (mode 400, root:root) via ssh stdin;
    2. unless the remote gpg-agent already reported ${keygrip} (or no agent was
       running), exported the root secret subkeys, imported them on the target
       and preset their passphrase in the remote agent.
  Decrypted material only travels through pipes and the ssh channel; nothing
  is written to a local file.
  NOTE(review): `--no-autostart` is passed twice to the remote `gpg --import`;
  one occurrence is redundant should this hook be re-enabled.
  installer.ssh-nixos = {
    PATH = [pkgs.gnupg pkgs.openssh];
    script = lib.mkMerge [
      (lib.mkBefore ''
        # Send the SSH key of the initrd
        gpg --decrypt '${gnupg.store}/${initrdKey}.gpg' |
        ssh '${config.installer.ssh-nixos.target}' \
          install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
      '')
      (lib.mkBefore ''
        ssh '${config.installer.ssh-nixos.target}' \
          "gpg-connect-agent --no-autostart --homedir /var/lib/gnupg 'keyinfo --list' /bye 2>&1" |
        grep -qx -e "gpg-connect-agent: no gpg-agent running in this session" \
                 -e "S KEYINFO ${keygrip} . . . 1 .*" || {
          # Send the rootKey
          gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
          gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
          ssh '${config.installer.ssh-nixos.target}' \
            gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import

          # Send the rootKey's passphrase
          gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
          ssh '${config.installer.ssh-nixos.target}' \
            gpg-preset-passphrase --homedir /var/lib/gnupg --preset ${keygrip}
        }
      '')
    ];
  };
  */
  # Host key for the SSH server inside the initrd. NixOS copies the listed
  # files into the initrd image, which is typically not encrypted, so the key
  # should be treated as readable by anyone who can read the boot partition.
  # The file must be present when the initrd is assembled; the disabled hook
  # above is what used to place it at this path.
  boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
}