-{ pkgs, lib, config, ... }:
+{ flakes, pkgs, lib, config, machineName, ... }:
let
- inherit (config.security) pass;
+ inherit (config.security) gnupg;
rootKey = "root/key";
initrdKey = "initrd/ssh.key";
+ keygrip = "89F52A879E0019A966503AFFDE72EEA84CDFA3A7";
in
{
imports = [
- <nixpkgs/nixos/modules/profiles/hardened.nix>
+ #<nixpkgs/nixos/modules/profiles/hardened.nix>
];
-security.pass = {
- store = ../../../sec/pass/machines/mermet;
- secrets."${rootKey}" = {
- gpg = ../../../sec/gnupg/machines/mermet/root/key.gpg;
- # Symmetrically decrypt and load the rootKey into root's gnupg secret keyring.
- postStart = ''
- ${pkgs.gnupg}/bin/gpg --batch --pinentry-mode loopback \
- --passphrase-file /${rootKey}.pass \
- --import '${pass.secrets."${rootKey}".path}'
- shred -u '${pass.secrets."${rootKey}".path}'
- '';
- };
-};
-install.ssh-nixos = {
- PATH = with pkgs; [gnupg openssh];
- # Decrypt the rootKey passphrase and the initrd SSH host key
- # and send them to the target host.
- script = lib.mkBefore ''
- gpg --decrypt '${pass.store}/${rootKey}.pass.gpg' |
- ssh root@'${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /${rootKey}.pass
- gpg --decrypt '${pass.store}/${initrdKey}.gpg' |
- ssh root@'${config.install.ssh-nixos.target}' install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
- '';
+security.gnupg.store = flakes.pass + "/machines/${machineName}";
+services.openssh.extraConfig = ''
+ StreamLocalBindUnlink yes
+'';
+/*
+installer.ssh-nixos = {
+ PATH = [pkgs.gnupg pkgs.openssh];
+ script = lib.mkMerge [
+ (lib.mkBefore ''
+ # Send the SSH key of the initrd
+ gpg --decrypt '${gnupg.store}/${initrdKey}.gpg' |
+ ssh '${config.installer.ssh-nixos.target}' \
+ install -D -m 400 -o root -g root /dev/stdin /root/${initrdKey}
+ '')
+ (lib.mkBefore ''
+ ssh '${config.installer.ssh-nixos.target}' \
+ "gpg-connect-agent --no-autostart --homedir /var/lib/gnupg 'keyinfo --list' /bye 2>&1" |
+ grep -qx -e "gpg-connect-agent: no gpg-agent running in this session" \
+ -e "S KEYINFO ${keygrip} . . . 1 .*" || {
+ # Send the rootKey
+ gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
+ gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-subkeys @root@${machineName} |
+ ssh '${config.installer.ssh-nixos.target}' \
+ gpg --no-autostart --homedir /var/lib/gnupg --no-autostart --batch --pinentry-mode loopback --import
+
+ # Send the rootKey's passphrase
+ gpg --decrypt '${gnupg.store}/${rootKey}.pass.gpg' |
+ ssh '${config.installer.ssh-nixos.target}' \
+ gpg-preset-passphrase --homedir /var/lib/gnupg --preset ${keygrip}
+ }
+ '')
+ ];
};
+*/
boot.initrd.network.ssh.hostKeys = [ "/root/${initrdKey}" ];
-systemd.services = lib.mapAttrs' (target: secret:
- # Start the rootKey service before the other services decrypting secrets.
- lib.nameValuePair (lib.removeSuffix ".service" secret.service)
- (lib.optionalAttrs (target != "${rootKey}") {
- after = [ pass.secrets."${rootKey}".service ];
- wants = [ pass.secrets."${rootKey}".service ];
- })
- ) pass.secrets;
}
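Review bot: Commenting out the hardened profile import (the `#<nixpkgs/nixos/modules/profiles/hardened.nix>` line) silently drops the kernel/sysctl hardening that the old side had, and the hunk records no reason; please add one next to it, e.g. `# hardened.nix disabled: <reason> — revisit before re-enabling`, so the regression is deliberate rather than forgotten. `StreamLocalBindUnlink yes` is a global sshd setting that lets any forwarding user replace an existing Unix socket path they can write to; it looks intended for gpg-agent socket forwarding (the `keyinfo --list` probe in the disabled block suggests that), so a short comment naming that purpose would help the next reader judge whether it is still needed. Since the whole `installer.ssh-nixos` block is now inside `/* … */`, nothing visible here provisions `/root/initrd/ssh.key` that `boot.initrd.network.ssh.hostKeys` still references — worth confirming the initrd key is installed elsewhere, or removing the dead block (it also passes `--no-autostart` twice in the `gpg … --import` line).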