servers/mermet/security.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   inherit (config.security) pass;
   4   rootKey = "root/key";
   5 in
   6 {
   7 imports = [
   8   #<nixpkgs/nixos/modules/profiles/hardened.nix>
   9 ];
  10 security.pass = {
  11   store = ../../../sec/pass/servers/mermet;
  12   secrets."${rootKey}" = {
  13     # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
  14     postStart = ''
  15       ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
  16        --passphrase-file /${rootKey}.pass \
  17        --import '${pass.secrets."${rootKey}".path}'
  18       shred -u '${pass.secrets."${rootKey}".path}'
  19     '';
  20   };
  21 };
  22 install.ssh-nixos = {
  23   PATH = with pkgs; [gnupg openssh];
  24   # Decrypt the rootKey passphrase and send it to the target host.
  25   script = lib.mkBefore ''
  26     gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
  27     ssh '${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
  28   '';
  29 };
  30 systemd.services = lib.mapAttrs' (target: secret:
  31   # Start the rootKey service before the other services decrypting secrets.
  32   lib.nameValuePair (lib.removeSuffix ".service" secret.service)
  33     (lib.optionalAttrs (target != "${rootKey}") {
  34       after = [ pass.secrets."${rootKey}".service ];
  35       wants = [ pass.secrets."${rootKey}".service ];
  36     })
  37   ) pass.secrets;
  38 }