1 diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
2 index f361163ca63..5e306de7dad 100644
3 --- a/nixos/modules/module-list.nix
4 +++ b/nixos/modules/module-list.nix
6 ./security/lock-kernel-modules.nix
11 ./security/pam_usb.nix
12 ./security/pam_mount.nix
13 diff --git a/nixos/modules/security/pass.nix b/nixos/modules/security/pass.nix
15 index 00000000000..bf72d06e1ea
17 +++ b/nixos/modules/security/pass.nix
19 +{ pkgs, lib, config, ... }:
21 + inherit (builtins) dirOf head listToAttrs match split;
22 + inherit (lib) types;
23 + inherit (config.security) pass;
24 + escapeUnitName = name:
25 + lib.concatMapStrings (s: if lib.isList s then "-" else s)
26 + (split "[^a-zA-Z0-9_.\\-]+" name);
29 +options.security.pass = {
30 + store = lib.mkOption {
33 + Default path to the password-store of the orchestrating system.
35 + # Does not copy the entire password-store into the Nix store,
36 + # only the keys actually used will be.
39 + secrets = lib.mkOption {
41 + type = types.attrsOf (types.submodule ({name, config, ...}: {
43 + gpg = lib.mkOption {
45 + default = builtins.path {
46 + path = pass.store + "/${name}.gpg";
47 + name = "${escapeUnitName name}.gpg";
50 + The path to the gnupg-encrypted secret.
51 + It will be copied into the Nix store of the orchestrating and of the target system.
52 + It must be decipherable by an OpenPGP key within <literal>gnupgHome</literal>,
53 + whose passhrase is on the target system into <literal>passphraseFile</literal>.
54 + Defaults to the name of the secret, prefixed by <literal>passwordStore</literal>
55 + and suffixed by <literal>.gpg</literal>.
58 + gnupgHome = lib.mkOption {
60 + default = "/root/.gnupg";
62 + The directory on the target system to the <literal>gnupg</literal> home
63 + used to decrypt the secret.
66 + passphraseFile = lib.mkOption {
68 + default = "/root/key.pass";
70 + The directory on the target system to a file containing
71 + the password of an OpenPGP key in <literal>gnupgHome</literal>,
72 + to which <literal>gpg</literal> secret is encrypted to.
75 + mode = lib.mkOption {
79 + Permission mode of the secret <literal>path</literal>.
82 + user = lib.mkOption {
86 + Owner of the secret <literal>path</literal>.
89 + group = lib.mkOption {
93 + Group of the secret <literal>path</literal>.
96 + pipe = lib.mkOption {
97 + type = types.nullOr types.str;
100 + Shell command taking the deciphered secret on its standard input
101 + and which must put on its standard output
102 + the actual material to be installed.
103 + This allows to decorate the secret with non-secret bits.
106 + path = lib.mkOption {
109 + apply = p: if match "^/.*" p == null then "/run/pass-secrets/"+p+"/file" else p;
111 + The path on the target system where the secret is installed to.
112 + Any non-absolute path is relative to <filename>/run/pass-secrets</filename>.
113 + Default to the name of the secret.
116 + service = lib.mkOption {
118 + default = "secret-" + escapeUnitName name + ".service";
120 + The name of the systemd service.
121 + Useful to put constraints like <literal>after</literal> or <literal>wants</wants>
122 + into services requiring this secret.
125 + postStart = lib.mkOption {
126 + type = types.lines;
128 + example = "systemctl reload nginx.service";
130 + Commands to run after new secrets go live.
131 + Typically the web server and other servers using secrets
132 + need to be reloaded.
135 + postStop = lib.mkOption {
136 + type = types.lines;
138 + example = ''shred -u "$secret_file"'';
140 + Commands to run after stopping the service.
141 + Typically removing a persistent secret.
148 +config = lib.mkIf (pass.secrets != {}) {
150 + lib.mapAttrs' (target: secret:
151 + lib.nameValuePair (lib.removeSuffix ".service" secret.service) {
152 + description = "Install secret ${secret.path}";
158 + ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
159 + --passphrase-file '${secret.passphraseFile}' \
160 + --decrypt '${secret.gpg}' \
161 + ${lib.optionalString (secret.pipe != null) (" | "+secret.pipe)}
163 + install -D -m '${secret.mode}' -o '${secret.user}' -g '${secret.group}' /dev/stdin \
166 + while ! decrypt; do sleep $((1 + ($RANDOM % 10))); done
168 + postStart = lib.optionalString (secret.postStart != "") ''
170 + ${secret.postStart}
172 + postStop = lib.optionalString (secret.postStop != "") ''
173 + secret_file='${secret.path}'
177 + restartIfChanged = true;
178 + restartTriggers = [
179 + secret.passphraseFile
184 + Environment = "GNUPGHOME=${secret.gnupgHome}";
186 + RemainAfterExit = true;
187 + WorkingDirectory = dirOf secret.gnupgHome;
188 + } // lib.optionalAttrs (match "^/.*" target == null) {
189 + RuntimeDirectory = lib.removePrefix "/run/" (dirOf secret.path);
190 + RuntimeDirectoryMode = "711";
191 + RuntimeDirectoryPreserve = false;
196 +meta.maintainers = with lib.maintainers; [ julm ];