nix: servers.nix -> machines.nix
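{ pkgs, lib, config, ... }:
# GnuPG keys to be generated by the shell tooling:
#   - personal certify/sign primary keys for julm (one per UID), and
#   - one non-expiring root key per machine listed in ../machines.nix,
#     whose encrypt subkey protects that machine's secrets.
let
  domain = "sourcephile.fr";

  # A personal primary key (cert+sign) with separate sign/encrypt/auth
  # subkeys, all RSA-4096 and renewed every 3 years.  Both personal keys
  # share the same passphrase entry in the password store.
  personalKey = uid: {
    inherit uid;
    algo = "rsa4096";
    expire = "3y";
    usage = ["cert" "sign"];
    passPath = "members/julm/gpg/password";
    subKeys = [
      { algo = "rsa4096"; expire = "3y"; usage = ["sign"]; }
      { algo = "rsa4096"; expire = "3y"; usage = ["encrypt"]; }
      { algo = "rsa4096"; expire = "3y"; usage = ["auth"]; }
    ];
    backupRecipients = [""];
  };

  # The root key of machine `srv`: a non-expiring primary key (cert+sign)
  # with a single non-expiring encrypt subkey.
  machineKey = srv:
    let
      uid = "root@${srv}.${domain}";
    in lib.nameValuePair uid {
      inherit uid;
      algo = "rsa4096";
      expire = "0";
      usage = ["cert" "sign"];
      passPath = "machines/${srv}/root/key.pass";
      subKeys = [
        { algo = "rsa4096"; expire = "0"; usage = ["encrypt"]; }
      ];
      backupRecipients = [""];
      # This encrypt subkey is put into root/key.gpg, and then on the Nix
      # stores, to decrypt machines."${srv}".security.pass.secrets .
      # Its passphrase in root/key.pass is decrypted and sent by ssh before
      # each call to nix copy, by adding to
      # machines."${srv}".install.nixos-ssh.script .
      postRun = ''
        info " generate $GNUPGHOME/machines/${srv}/root/key.gpg"
        test -s "$GNUPGHOME/machines/${srv}/root/key.gpg" || (
          # Subshell: pipefail and the helper variables must not leak into
          # the surrounding script.
          set -o pipefail
          keyFile="$GNUPGHOME/machines/${srv}/root/key.gpg"
          passFile="$PASSWORD_STORE_DIR/machines/${srv}/root/key.pass.gpg"
          mkdir -p "$(dirname "$keyFile")"
          # Write to a temporary file and rename only when both gpg stages
          # succeeded: without pipefail, a failed --export-secret-keys can
          # still let --symmetric produce a non-empty key.gpg (encrypting
          # empty input), which the test -s guard above would then keep.
          rm -f "$keyFile.tmp"
          ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback --export-secret-keys --armor \
            --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$passFile") \
            --export-options export-minimal @root@${srv}.${domain} |
          ${pkgs.gnupg}/bin/gpg --symmetric --batch --pinentry-mode loopback \
            --passphrase-fd 3 3< <(${pkgs.gnupg}/bin/gpg --decrypt "$passFile") \
            --output "$keyFile.tmp" ||
          { rm -f "$keyFile.tmp"; exit 1; }
          mv -f "$keyFile.tmp" "$keyFile"
        )
      '';
    };
in
{
  gnupg.keys = {
    "Julien Moutinho <julm@sourcephile.fr>" =
      personalKey "Julien Moutinho <julm@sourcephile.fr>";
    "Julien Moutinho <julm@mermet>" =
      personalKey "Julien Moutinho <julm@mermet>";
  } // lib.listToAttrs (
    builtins.map machineKey (builtins.attrNames (import ../machines.nix))
  );
}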