servers/mermet/security.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config.security) pass;
   4   rootKey = "root/key";
   5   initrdKey = "initrd/ssh.key";
   6 in
   7 {
   8 imports = [
   9   <nixpkgs/nixos/modules/profiles/hardened.nix>
  10 ];
  11 security.pass = {
  12   store = ../../../sec/pass/servers/mermet;
  13   secrets."${rootKey}" = {
  14     gpg = ../../../sec/gnupg/servers/mermet/root/key.gpg;
  15     # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
  16     postStart = ''
  17       ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
  18        --passphrase-file /${rootKey}.pass \
  19        --import '${pass.secrets."${rootKey}".path}'
  20       shred -u '${pass.secrets."${rootKey}".path}'
  21     '';
  22   };
  23 };
  24 install.ssh-nixos = {
  25   PATH = with pkgs; [gnupg openssh];
  26   # Decrypt the rootKey passphrase and the initrd SSH host key
  27   # and send them to the target host.
  28   script = lib.mkBefore ''
  29     gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
  30     ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
  31     gpg --decrypt '${pass.store}/${initrdKey}.gpg' |
  32     ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
  33   '';
  34 };
  35 boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
  36 systemd.services = lib.mapAttrs' (target: secret:
  37   # Start the rootKey service before the other services decrypting secrets.
  38   lib.nameValuePair (lib.removeSuffix ".service" secret.service)
  39     (lib.optionalAttrs (target != "${rootKey}") {
  40       after = [ pass.secrets."${rootKey}".service ];
  41       wants = [ pass.secrets."${rootKey}".service ];
  42     })
  43   ) pass.secrets;
  44 }