1 { pkgs, lib, config, ... }:
3 inherit (config.security) pass;
8 <nixpkgs/nixos/modules/profiles/hardened.nix>
11 store = ../../../sec/pass/servers/losurdo;
12 secrets."${rootKey}" = {};
15 PATH = with pkgs; [gnupg openssh];
16 # Decrypt the rootKey passphrase and send it to the target host.
17 script = lib.mkBefore ''
18 gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
19 ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
22 systemd.services = lib.mapAttrs' (target: secret:
23 # Start the rootKey service before the other services decrypting secrets.
24 lib.nameValuePair (lib.removeSuffix ".service" secret.service)
25 (lib.optionalAttrs (target != "${rootKey}") {
26 after = [ pass.secrets."${rootKey}".service ];
27 wants = [ pass.secrets."${rootKey}".service ];
30 # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
31 "${lib.removeSuffix ".service" (pass.secrets."${rootKey}".service)}".postStart = ''
33 ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
34 --passphrase-file /${rootKey}.pass \
35 --import '${pass.secrets."${rootKey}".path}'
36 shred -u '${pass.secrets."${rootKey}".path}'