machines/losurdo/security.nix

   1 { pkgs, lib, config, machineName, ... }:
   2 let
   3   inherit (config.security) gnupg;
   4   rootKey = "root/key";
   5   initrdKey = "initrd/ssh.key";
   6   keygrip = "9AA84E6F6D71F9163C46BF396B141A0806219077";
   7 in
   8 {
   9 imports = [
  10   <nixpkgs/nixos/modules/profiles/hardened.nix>
  11 ];
  12 security.gnupg.store = builtins.getEnv "PASSWORD_STORE_DIR" + "/machines/${machineName}";
  13 services.openssh.extraConfig = ''
  14   StreamLocalBindUnlink yes
  15 '';
  16 installer.ssh-nixos = {
  17   PATH = [pkgs.gnupg pkgs.openssh];
  18   sshFlags = [
  19     #"-R" "/var/lib/gnupg/S.gpg-agent.extra:/run/user/1000/gnupg/d.w1sj57hx3zfcwadyxpr6wko9/S.gpg-agent.extra"
  20     #"-o" "StreamLocalBindUnlink=yes"
  21   ];
  22   script = lib.mkMerge [
  23     (lib.mkBefore ''
  24       # Send the SSH key of the initrd
  25       gpg --decrypt '${gnupg.store}/${initrdKey}.gpg' |
  26       ssh '${config.installer.ssh-nixos.target}' \
  27       install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
  28     '')
  29     (lib.mkBefore ''
  30       gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
  31       gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
  32       ssh '${config.installer.ssh-nixos.target}' \
  33       install -D -d -m 640 /run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts '&&' \
  34       gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import || true
  35
  36       # Send the rootKey's passphrase
  37       gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
  38       ssh '${config.installer.ssh-nixos.target}' \
  39       install -D -d -m 640 /run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts '&&' \
  40       gpg-preset-passphrase \
  41         --homedir /var/lib/gnupg \
  42         --preset ${keygrip} || true
  43     '')
  44   ];
  45   /*
  46     # Send the rootKey
  47     gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
  48     gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
  49     ssh '${config.installer.ssh-nixos.target}' \
  50     gpg --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
  51
  52       gpg --batch --export @root@${machineName} |
  53       ssh '${config.installer.ssh-nixos.target}' \
  54       gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
  55   */
  56
  57 };
  58 boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
  59 }