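{ pkgs, lib, config, ... }:
let
  inherit (config.security) pass;
  # pass(1) entry holding root's GnuPG secret key.  The same name is used for
  # the encrypted passphrase in the store (<rootKey>.pass.gpg) and for the
  # plaintext passphrase file installed on the target host (/<rootKey>.pass).
  rootKey = "root/key";
  # systemd unit (with its ".service" suffix) that decrypts the rootKey secret.
  rootKeyUnit = pass.secrets."${rootKey}".service;
in
{
  imports = [
    <nixpkgs/nixos/modules/profiles/hardened.nix>
  ];
  security.pass = {
    store = ../../../sec/pass/servers/losurdo;
    secrets."${rootKey}" = {};
  };
  install.ssh-nixos = {
    PATH = with pkgs; [gnupg openssh];
    # Decrypt the rootKey passphrase and send it to the target host.
    # The plaintext is piped from gpg straight into ssh and written on the
    # target as a root-only (0400) file, so it never lands on the local disk.
    # NOTE(review): without `set -o pipefail` a failing gpg is not detected by
    # this pipeline; ssh would still run and install whatever (possibly empty)
    # output it received.  The surrounding install script is not visible here,
    # so the shell option is deliberately not set in this prepended fragment.
    script = lib.mkBefore ''
      gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
      ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
    '';
  };
  systemd.services = lib.mapAttrs' (target: secret:
    # Start the rootKey service before the other services decrypting secrets:
    # every other secret's unit is ordered after, and pulls in, the rootKey unit.
    lib.nameValuePair (lib.removeSuffix ".service" secret.service)
      (lib.optionalAttrs (target != rootKey) {
        after = [ rootKeyUnit ];
        wants = [ rootKeyUnit ];
      })
  ) pass.secrets // {
    # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
    "${lib.removeSuffix ".service" rootKeyUnit}".postStart = ''
      # Trace to the journal.  Only command lines (i.e. file paths) are printed;
      # the passphrase is read via --passphrase-file, never passed as an argument.
      set -x
      ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
        --passphrase-file /${rootKey}.pass \
        --import '${pass.secrets."${rootKey}".path}'
      # Remove the decrypted key file once imported.  Absolute path for
      # consistency with the gpg invocation above, instead of relying on the
      # unit's PATH.
      # NOTE(review): shred's overwrite is only meaningful on filesystems that
      # rewrite in place; on CoW/journaled storage treat this as an unlink with
      # best-effort overwriting.
      ${pkgs.coreutils}/bin/shred -u '${pass.secrets."${rootKey}".path}'
    '';
  };
}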