1 { pkgs, lib, config, ... }:
3 inherit (config.security) pass;
8 #<nixpkgs/nixos/modules/profiles/hardened.nix>
11 store = ../../../sec/pass/servers/mermet;
12 secrets."${rootKey}" = {
13 # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
15 ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
16 --passphrase-file /${rootKey}.pass \
17 --import '${pass.secrets."${rootKey}".path}'
18 shred -u '${pass.secrets."${rootKey}".path}'
23 PATH = with pkgs; [gnupg openssh];
24 # Decrypt the rootKey passphrase and send it to the target host.
25 script = lib.mkBefore ''
26 gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
27 ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
30 systemd.services = lib.mapAttrs' (target: secret:
31 # Start the rootKey service before the other services decrypting secrets.
32 lib.nameValuePair (lib.removeSuffix ".service" secret.service)
33 (lib.optionalAttrs (target != "${rootKey}") {
34 after = [ pass.secrets."${rootKey}".service ];
35 wants = [ pass.secrets."${rootKey}".service ];