nix: move to flake.nix

[sourcephile-nix.git] / nixpkgs / patches / security.gnupg.diff

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f361163ca63..8c199f0fc25 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -193,6 +193,7 @@
   ./security/lock-kernel-modules.nix
   ./security/misc.nix
   ./security/oath.nix
+  ./security/gnupg.nix
   ./security/pam.nix
   ./security/pam_usb.nix
   ./security/pam_mount.nix
diff --git a/nixos/modules/security/gnupg.nix b/nixos/modules/security/gnupg.nix
new file mode 100644
index 00000000000..aa29425a530
--- /dev/null
+++ b/nixos/modules/security/gnupg.nix
@@ -0,0 +1,259 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (builtins) attrNames dirOf length match split;
+  inherit (lib) types;
+  cfg = config.security.gnupg;
+  gnupgHome = "/var/lib/gnupg";
+  # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
+  escapeUnitName = name:
+    lib.concatMapStrings (s: if lib.isList s then "-" else s)
+    (split "[^a-zA-Z0-9_.\\-]+" name);
+in
+{
+options.security.gnupg = {
+  store = lib.mkOption {
+    type = types.path;
+    default = "/root/.password-store";
+    description = ''
+      Default base path for the <literal>gpg</literal> option
+      of the <link linkend="opt-security.gnupg.secrets">secrets</link>.
+      Note that you may set it up with something like:
+      <literal>builtins.getEnv "PASSWORD_STORE_DIR" + "/machines/example"</literal>.
+    '';
+    # Does not copy the entire password-store into the Nix store,
+    # only the keys actually used will be.
+    apply = toString;
+  };
+  secrets = lib.mkOption {
+    description = "Available secrets.";
+    default = {};
+    example = {
+      "/root/.ssh/id_ed25519" = {};
+      "knot/tsig/example.org/acme.conf" = {
+        user = "knot";
+      };
+      "lego/example.org/rfc2136" = {
+        pipe = "
+          cat -
+          cat <EOF
+          RFC2136_NAMESERVER=ns.example.org:53
+          RFC2136_TSIG_ALGORITHM=hmac-sha256.
+          RFC2136_TSIG_KEY=acme_example_org
+          RFC2136_PROPAGATION_TIMEOUT=1000
+          RFC2136_POLLING_INTERVAL=30
+          RFC2136_SEQUENCE_INTERVAL=30
+          RFC2136_DNS_TIMEOUT=1000
+          RFC2136_TTL=1
+          EOF
+        ";
+      };
+    };
+    type = types.attrsOf (types.submodule ({name, config, ...}: {
+      options = {
+        gpg = lib.mkOption {
+          type = types.path;
+          default = cfg.store + "/${name}.gpg";
+          description = ''
+            The path to the GnuPG-encrypted secret.
+            It will be copied into the Nix store of the orchestrating and of the target system.
+            It must be decipherable by an OpenPGP key within the GnuPG home <filename>/var/lib/gnupg/</filename>.
+            Defaults to the name of the secret,
+            prefixed by the path of the <link linkend="opt-security.gnupg.store">store</link>
+            and suffixed by <filename>.gpg</filename>.
+          '';
+        };
+        mode = lib.mkOption {
+          type = types.str;
+          default = "400";
+          description = ''
+            Permission mode of the secret <literal>path</literal>.
+          '';
+        };
+        user = lib.mkOption {
+          type = types.str;
+          default = "root";
+          description = ''
+            Owner of the secret <literal>path</literal>.
+          '';
+        };
+        group = lib.mkOption {
+          type = types.str;
+          default = "root";
+          description = ''
+            Group of the secret <literal>path</literal>.
+          '';
+        };
+        pipe = lib.mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          apply = x: if x == null then null else pkgs.writeShellScript "pipe" x;
+          description = ''
+            Shell script taking the deciphered secret on its standard input
+            and which must put on its standard output
+            the actual secret material to be installed.
+            This allows to decorate the secret with non-secret bits.
+          '';
+        };
+        path = lib.mkOption {
+          type = types.str;
+          default = name;
+          apply = p: if match "^/.*" p == null then "/run/keys/gnupg/"+p+"/file" else p;
+          description = ''
+            The path on the target system where the secret is installed to.
+            Default to the name of the secret,
+            prefixed by <filename>/run/keys/gnupg/</filename>
+            and suffixed by <filename>/file</filename>,
+            if non-absolute.
+          '';
+        };
+        service = lib.mkOption {
+          type = types.str;
+          default = "secret-" + escapeUnitName name + ".service";
+          description = ''
+            The name of the systemd service.
+            Useful to put constraints like <literal>after</literal> or <literal>wants</wants>
+            into services requiring this secret.
+          '';
+        };
+        postStart = lib.mkOption {
+          type = types.lines;
+          default = "";
+          example = "systemctl reload nginx.service";
+          description = ''
+            Commands to run after new secrets go live.
+            Typically the web server and other servers using secrets
+            need to be reloaded.
+          '';
+        };
+        postStop = lib.mkOption {
+          type = types.lines;
+          default = "";
+          example = ''shred -u "$secret_file"'';
+          description = ''
+            Commands to run after stopping the service.
+            Typically removing a persistent secret.
+            For convenience the <literal>path</literal> of the secret
+            is provided in the shell variable <literal>secret_file</literal>.
+          '';
+        };
+      };
+    }));
+  };
+  enableGpgAgent = lib.mkEnableOption ''gpg-agent for decrypting secrets.
+
+    Otherwise, you'll have to forward an <literal>agent-extra-socket</literal>:
+    <screen>
+    <prompt>$ </prompt>ssh -nNT root@example.org -o StreamLocalBindUnlink=yes -R /var/lib/gnupg/S.gpg-agent:$(gpgconf --list-dirs agent-extra-socket)
+    </screen>
+  '' // {default = true; example = false;};
+  gpgAgentFlags = lib.mkOption {
+    type = types.listOf types.str;
+    default = [
+      "--default-cache-ttl" "600"
+      "--max-cache-ttl" "7200"
+    ];
+    description = ''
+      Extra flags passed to the <literal>gpg-agent</literal>
+      used to decrypt secrets.
+    '';
+  };
+};
+config = lib.mkIf (cfg.secrets != {}) {
+  # Because /run/user/0 is wiped out by pam_systemd when root logouts,
+  # systemd.services.gpg-agent cannot put its socket in
+  # the path expected by gpg: /run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts
+  # derived from ${gnupgHome}, since this removal would kill gpg-agent.
+  #
+  # Unfortunately, for reaching such a persistent gpg-agent,
+  # GPG_AGENT_INFO can no longer be used as it is ignored with gpg >= 2.1,
+  # hence three different hacks are done here to make gpg connect
+  # to ${gnupgHome}/S.gpg-agent depending on the concern:
+  # - For gpg-agent, --supervised mode is used to pass it a socket
+  #   in the persistent directory gnupgHome.
+  # - For the root user, on its login pam_systemd is mounting a fresh tmpfs on /run/user/0
+  #   so wrong perms are set on /run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts
+  #   when /run/user/0 is mounted, by overriding user-runtime-dir@.service
+  # - For secret decrypting services, /run/user/0/gnupg
+  #   is emptied and kept empty by privately mounting
+  #   an empty directory on it, using BindReadOnlyPaths=
+  systemd.sockets."gpg-agent" = lib.optionalAttrs cfg.enableGpgAgent {
+    description = "Socket for gpg-agent";
+    wantedBy = ["sockets.target"];
+    socketConfig.ListenStream = "${gnupgHome}/S.gpg-agent";
+    socketConfig.SocketMode = "0600";
+  };
+  environment.systemPackages = [ pkgs.gnupg ];
+  systemd.packages = [
+    # Here, passing by systemd.packages is kind of a hack to be able to
+    # write this file which is neither writable using environment.etc
+    # (because environment.etc."systemd/system".source is set)
+    # nor using systemd.services (because systemd.services."user-runtime-dir@0"
+    # does not exist, and should not to keep using systemd's upstream template
+    # and systemd.services."user-runtime-dir@").
+    (pkgs.writeTextDir "etc/systemd/system/user-runtime-dir@0.service.d/override.conf" ''
+      [Service]
+      ExecStartPost=${pkgs.writeShellScript "redirect-gpg-agent-run-socket" ''
+        install -D -d -m 640 /run/user/0/gnupg/d.6qoenf9br6fajbkknuz1i6ts
+      ''}
+    '')
+  ];
+  systemd.services =
+    lib.optionalAttrs cfg.enableGpgAgent {
+      gpg-agent = {
+        description = "gpg-agent for decrypting GnuPG-protected secrets";
+        requires = ["gpg-agent.socket"];
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = ''${pkgs.gnupg}/bin/gpg-agent \
+           --supervised \
+           --homedir '${gnupgHome}' \
+           --allow-loopback-pinentry \
+           --allow-preset-passphrase \
+           ${lib.escapeShellArgs cfg.gpgAgentFlags}
+          '';
+          Restart = "on-failure";
+          RestartSec = 5;
+          StateDirectory = ["gnupg"];
+          StateDirectoryMode = "700";
+        };
+      };
+    } //
+    lib.mapAttrs' (target: secret:
+      lib.nameValuePair (lib.removeSuffix ".service" secret.service) {
+        description = "Install secret ${secret.path}";
+        after = ["gpg-agent.service"];
+        wants = ["gpg-agent.service"];
+        script = ''
+          set -o pipefail
+          set -eux
+          decrypt() {
+            ${pkgs.gnupg}/bin/gpg --homedir '${gnupgHome}' --no-autostart --batch --decrypt ${lib.escapeShellArg secret.gpg} |
+            ${lib.optionalString (secret.pipe != null) (secret.pipe+" |")} \
+            install -D -m '${secret.mode}' -o '${secret.user}' -g '${secret.group}' /dev/stdin ${lib.escapeShellArg secret.path}
+          }
+          while ! decrypt; do sleep $((1 + ($RANDOM % ${toString (length (attrNames cfg.secrets))}))); done
+        '';
+        postStart = lib.optionalString (secret.postStart != "") ''
+          set -eux
+          ${secret.postStart}
+        '';
+        postStop = lib.optionalString (secret.postStop != "") ''
+          secret_file='${secret.path}'
+          set -eux
+          ${secret.postStop}
+        '';
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          PrivateTmp = true;
+          InaccessiblePaths = [ "/run/user" ];
+        } // lib.optionalAttrs (match "^/.*" target == null) {
+          RuntimeDirectory = lib.removePrefix "/run/" (dirOf secret.path);
+          RuntimeDirectoryMode = "711";
+          RuntimeDirectoryPreserve = false;
+        };
+      }
+    ) cfg.secrets;
+};
+meta.maintainers = with lib.maintainers; [ julm ];
+}
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index 7c095cffa31..f7f35d659c4 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -69,6 +69,9 @@ stdenv.mkDerivation rec {
 
     # add gpg2 symlink to make sure git does not break when signing commits
     ln -s $out/bin/gpg $out/bin/gpg2
+
+    # Make libexec tools available in PATH
+    ln -s -t $out/bin $out/libexec/*
   '';
 
   meta = with stdenv.lib; {