machines/mermet/security.nix

   1 { flakes, pkgs, lib, config, machineName, ... }:
   2 let
   3   inherit (config.security) gnupg;
   4   rootKey = "root/key";
   5   initrdKey = "initrd/ssh.key";
   6   keygrip = "89F52A879E0019A966503AFFDE72EEA84CDFA3A7";
   7 in
   8 {
   9 imports = [
  10   #<nixpkgs/nixos/modules/profiles/hardened.nix>
  11 ];
  12 security.gnupg.store = flakes.pass + "/machines/${machineName}";
  13 services.openssh.extraConfig = ''
  14   StreamLocalBindUnlink yes
  15 '';
  16 /*
  17 installer.ssh-nixos = {
  18   PATH = [pkgs.gnupg pkgs.openssh];
  19   script = lib.mkMerge [
  20     (lib.mkBefore ''
  21       # Send the SSH key of the initrd
  22       gpg --decrypt '${gnupg.store}/${initrdKey}.gpg' |
  23       ssh '${config.installer.ssh-nixos.target}' \
  24       install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
  25     '')
  26     (lib.mkBefore ''
  27       ssh '${config.installer.ssh-nixos.target}' \
  28       "gpg-connect-agent --no-autostart --homedir /var/lib/gnupg 'keyinfo --list' /bye 2>&1" |
  29       grep -qx -e "gpg-connect-agent: no gpg-agent running in this session" \
  30                -e "S KEYINFO ${keygrip} . . . 1 .*" || {
  31         # Send the rootKey
  32         gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
  33         gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
  34         ssh '${config.installer.ssh-nixos.target}' \
  35         gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
  36
  37         # Send the rootKey's passphrase
  38         gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
  39         ssh '${config.installer.ssh-nixos.target}' \
  40         gpg-preset-passphrase --homedir /var/lib/gnupg --preset ${keygrip}
  41       }
  42     '')
  43   ];
  44 };
  45 */
  46 boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
  47 }