1 { pkgs, lib, config, ... }:
3 inherit (builtins) head listToAttrs match split;
5 inherit (config.security) pass;
7 let dir = match "^(.+)/[^/]*$" p; in
8 if dir == [] then "." else head dir;
10 lib.concatMapStrings (s: if lib.isList s then "-" else s)
11 (split "[^a-zA-Z0-9_.\\-]+" name);
14 options.security.pass = {
15 store = lib.mkOption {
18 Default path to the password-store of the orchestrating system.
21 secrets = lib.mkOption {
23 type = types.attrsOf (types.submodule ({name, config, ...}: {
27 default = builtins.path {
28 path = toString pass.store + "/${name}.gpg";
29 name = "${escapeUnitName name}.gpg";
32 The path to the gnupg-encrypted secret.
33 It will be copied into the Nix store of the orchestrating and of the target system.
34 It must be decipherable by an OpenPGP key within <literal>gnupgHome</literal>,
35 whose passhrase is on the target system into <literal>passphraseFile</literal>.
36 Defaults to the name of the secret, prefixed by <literal>passwordStore</literal>
37 and suffixed by <literal>.gpg</literal>.
40 gnupgHome = lib.mkOption {
42 default = "/root/.gnupg";
44 The directory on the target system to the <literal>gnupg</literal> home
45 used to decrypt the secret.
48 passphraseFile = lib.mkOption {
50 default = "/root/key.pass";
52 The directory on the target system to a file containing
53 the password of an OpenPGP key in <literal>gnupgHome</literal>,
54 to which <literal>gpg</literal> secret is encrypted to.
61 Permission mode of the secret <literal>path</literal>.
68 Owner of the secret <literal>path</literal>.
71 group = lib.mkOption {
75 Group of the secret <literal>path</literal>.
79 type = types.nullOr types.str;
82 Shell command taking the deciphered secret on its standard input
83 and which must put on its standard output
84 the actual material to be installed.
85 This allows to decorate the secret with non-secret bits.
91 apply = p: if match "^/.*" p == null then "/run/pass-secrets/"+p+"/file" else p;
93 The path on the target system where the secret is installed to.
94 Any non-absolute path is relative to <filename>/run/pass-secrets</filename>.
95 Default to the name of the secret.
98 service = lib.mkOption {
100 default = "secret-" + escapeUnitName name + ".service";
102 The name of the systemd service.
103 Useful to put constraints like <literal>after</literal> or <literal>wants</wants>
104 into services requiring this secret.
107 postStart = lib.mkOption {
110 example = "systemctl reload nginx.service";
112 Commands to run after new secrets go live. Typically
113 the web server and other servers using secrets need to
121 config = lib.mkIf (pass.secrets != {}) {
122 #systemd.tmpfiles.rules = [ "d /run/secrets 0755 root root -" ];
124 lib.mapAttrs' (target: secret:
125 lib.nameValuePair (lib.removeSuffix ".service" secret.service) {
126 description = "Install secret ${secret.path}";
127 after = [ "network.target" "network-online.target" ];
128 wantedBy = lib.mkIf (!config.boot.isContainer) [ "multi-user.target" ];
134 ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
135 --homedir '${secret.gnupgHome}' \
136 --passphrase-file '${secret.passphraseFile}' \
137 --decrypt '${secret.gpg}' \
138 ${lib.optionalString (secret.pipe != null) (" | "+secret.pipe)}
140 install -D -m '${secret.mode}' -o '${secret.user}' -g '${secret.group}' /dev/stdin \
143 while ! decrypt; do sleep 1; done
145 inherit (secret) postStart;
149 WorkingDirectory = dirname secret.gnupgHome;
150 } // lib.optionalAttrs (match "^/.*" target == null) {
151 RuntimeDirectory = dirname secret.path;
152 RuntimeDirectoryMode = "711";
153 RuntimeDirectoryPreserve = false; # FIXME: when does the removal actualy occur with with Type=oneshot?