{ pkgs, lib, config, ... }:
# Secret handling for the losurdo machine: the root GnuPG key, the initrd SSH
# host key, and the ordering of the pass-decrypting systemd services.
let
  inherit (config.security) pass;
  # Secret names, relative to the pass store (without the ".gpg" suffix).
  rootKey = "root/key";
  initrdKey = "initrd/ssh.key";
  # The security.pass entry for the root key; its .path and .service
  # attributes come from the security.pass module, which this file does not show.
  rootSecret = pass.secrets.${rootKey};
  # Destination of the install script's transfers.
  sshTarget = "root@${config.install.ssh-nixos.target}";
  # One pipeline of the install script: decrypt `src` locally with the
  # installer's gpg and write it on the target as a root-only (0400) file at
  # `dst`, without storing the plaintext on the installer's disk.
  # NOTE(review): `set -o pipefail` is not set here (the rest of the install
  # script is defined elsewhere), so a failing `gpg --decrypt` still leaves
  # `install` writing an empty file on the target — confirm the surrounding
  # script's error handling.
  sendSecret = src: dst: ''
    gpg --decrypt '${src}' |
    ssh '${sshTarget}' install -D -m 400 -o root -g root /dev/stdin ${dst}
  '';
in
{
  imports = [
    <nixpkgs/nixos/modules/profiles/hardened.nix>
  ];

  security.pass = {
    # NOTE(review): if `store` is a Nix path value, interpolating it into the
    # install script below (`${pass.store}/...`) copies the whole directory
    # into the world-readable Nix store; that is only acceptable while every
    # file in it is gpg-encrypted — verify against the security.pass module.
    store = ../../../sec/pass/machines/losurdo;
    secrets.${rootKey} = {
      gpg = ../../../sec/gnupg/machines/losurdo/root/key.gpg;
      # After security.pass has decrypted the key file, import it into root's
      # GnuPG secret keyring.  The import is protected by a symmetric
      # passphrase read from /root/key.pass, which the install script below
      # deploys and which is left in place (presumably because the import is
      # repeated on each start — TODO confirm).  The decrypted key file is
      # shredded right after the import.
      # NOTE(review): `set -x` traces every command (file paths, not the
      # passphrase, which is read from a file) into the unit's journal; the
      # bare `shred` relies on coreutils being on the service's PATH while
      # gpg is called by absolute path; and `shred -u` cannot overwrite in
      # place on copy-on-write or journaled filesystems.
      postStart = ''
        set -x
        ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
          --passphrase-file /${rootKey}.pass \
          --import '${rootSecret.path}'
        shred -u '${rootSecret.path}'
      '';
    };
  };

  install.ssh-nixos = {
    PATH = [ pkgs.gnupg pkgs.openssh ];
    # Before the rest of the installation, ship the root-key passphrase and
    # the initrd SSH host key to the target host.
    script = lib.mkBefore (
      sendSecret "${pass.store}/${rootKey}.pass.gpg" "/${rootKey}.pass"
      + sendSecret "${pass.store}/${initrdKey}.gpg" "/root/${initrdKey}"
    );
  };

  # The initrd SSH daemon uses the host key deployed above.
  # NOTE(review): NixOS embeds initrd host keys into the initrd image; whether
  # that image (and so the private key) ends up on an unencrypted /boot or in
  # the Nix store depends on the bootloader's initrd-secrets support — verify
  # for this machine.
  boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];

  # Order every other secret-decrypting service after the root-key service
  # (and pull it in), so root's keyring is populated before they need it.
  # Unit names come from the security.pass module (`<name>.service`).
  systemd.services =
    let
      rootKeyUnit = rootSecret.service;
      orderAfterRootKey = name: secret: {
        name = lib.removeSuffix ".service" secret.service;
        value =
          if name == rootKey
          then { }
          else { after = [ rootKeyUnit ]; wants = [ rootKeyUnit ]; };
      };
    in
    lib.mapAttrs' orderAfterRootKey pass.secrets;
}