nix: add module security.pass

[sourcephile-nix.git] / servers / losurdo / system.nix

{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.security) pass;
in
{
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database servers.
# You should change this only after NixOS release notes say you should.
system.stateVersion = "19.09"; # Did you read the comment?

# Avoid the use of systemd-run --user --scope tmux
# and let mosh work smoothly.
services.logind.killUserProcesses = false;

install = {
  enable = true;
  shellScript = lib.mkBefore ''
    PATH="$PATH:${with pkgs; lib.makeBinPath [gnupg openssh]}"
    set -x
    gpg --decrypt '${pass.store}/root/key.pass.gpg' |
    ssh '${config.install.target}' install -D -m 400 -o root -g root /dev/stdin /root/key.pass
  '';
};
security.pass = {
  store = ../../../sec/pass/servers/losurdo;
  secrets."root/key" = {
    postStart = ''
      set -x
      ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
       --homedir /root/.gnupg \
       --passphrase-file /root/key.pass \
       --import '${pass.secrets."root/key".path}'
      shred -u '${pass.secrets."root/key".path}'
    '';
  };
};
systemd.services = lib.mapAttrs' (target: secret:
  lib.nameValuePair (lib.removeSuffix ".service" secret.service)
    (lib.optionalAttrs (target != "root/key") {
      after = [ pass.secrets."root/key".service ];
      wants = [ pass.secrets."root/key".service ];
    })
  ) pass.secrets;

services.unbound.enable = true;

environment.systemPackages = with pkgs; [
  cryptsetup
  direnv
  file
  fio
  gdb
  git
  gptfdisk
  #hey
  home-manager
  lm_sensors
  rsync
  smartctl-tbw
  socat
  sanoid
  #iptables-nftables-compat
  gnupg
];
}