1 { pkgs, lib, config, ... }:
3 inherit (config.security) pass;
5 initrdKey = "initrd/ssh.key";
9 <nixpkgs/nixos/modules/profiles/hardened.nix>
12 store = ../../../sec/pass/machines/mermet;
13 secrets."${rootKey}" = {
14 gpg = ../../../sec/gnupg/machines/mermet/root/key.gpg;
15 # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
17 ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
18 --passphrase-file /${rootKey}.pass \
19 --import '${pass.secrets."${rootKey}".path}'
20 shred -u '${pass.secrets."${rootKey}".path}'
24 installer.ssh-nixos = {
25 PATH = with pkgs; [gnupg openssh];
26 # Decrypt the rootKey passphrase and the initrd SSH host key
27 # and send them to the target host.
28 script = lib.mkBefore ''
29 gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
30 ssh '${config.installer.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
31 gpg --decrypt '${pass.store}/${initrdKey}.gpg' |
32 ssh '${config.installer.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
35 boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
36 systemd.services = lib.mapAttrs' (target: secret:
37 # Start the rootKey service before the other services decrypting secrets.
38 lib.nameValuePair (lib.removeSuffix ".service" secret.service)
39 (lib.optionalAttrs (target != "${rootKey}") {
40 after = [ pass.secrets."${rootKey}".service ];
41 wants = [ pass.secrets."${rootKey}".service ];