From a00c276c5c8383b4c4c532ed07561453a9bd29a7 Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 7 Dec 2023 20:17:31 +0100 Subject: [PATCH 1/4] secrets.nix: Document the magic --- secrets.nix | 67 +++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 63 insertions(+), 4 deletions(-) diff --git a/secrets.nix b/secrets.nix index 098713f..a9ee68d 100644 --- a/secrets.nix +++ b/secrets.nix @@ -16,6 +16,15 @@ */ let + /* + Returns an attrset for a given directory, + having the name of a subdirectory as its attribute names + and the contents of the containing ssh.pub file as their value + + { + clerie = "ssh-ed25519 AAAA..."; + } + */ pubkeysFor = directory: let instances = builtins.attrNames (builtins.readDir directory); instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances; 
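Review bot: The new doc comment on `pubkeysFor` says "the contents of the containing ssh.pub file"; "contained" is meant, and the comment could also state what the visible `instancesWithPubkey` filter implies, namely that subdirectories without an `ssh.pub` are silently left out of the result rather than causing an evaluation error. Suggested wording: `and the contents of the ssh.pub file contained in it as their value; subdirectories without an ssh.pub are skipped`. The remainder of `pubkeysFor`'s body lies outside the hunk, so whether the key is read verbatim (including any trailing newline) cannot be confirmed here.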
@@ -25,13 +34,63 @@ let users = pubkeysFor ./users; hosts = pubkeysFor ./hosts; + /* + Returns secret configuration for a given hostname + */ secretsForHost = hostname: let + /* + Returns a list of all file names in the secrets directory of the specified host + */ secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets")); - listOfSecrets = builtins.filter (i: (builtins.stringLength i) > 4 && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age") secretsFiles; + + /* + Returns all file names that end with .age + */ + listOfSecrets = builtins.filter (i: + # Make sure the file name is longer than the file extension + (builtins.stringLength i) > 4 + # Take the last four letters of the file name and check if it is .age + && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age" + ) secretsFiles; + in - if builtins.pathExists (./hosts + "/${hostname}/secrets") && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") then - map (secret: { name = "hosts/${hostname}/secrets/${secret}"; value = { publicKeys = [ users.clerie hosts."${hostname}" ]; }; }) (listOfSecrets ++ [ "new" ]) + if + # Make sure the host has a secrets directory + builtins.pathExists (./hosts + "/${hostname}/secrets") + # Make sure the host has a public ssh key provided + && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") + then + /* + This map specifies all public keys for which a given secret file should be encrypted + It returns a list of name value pairs + The name is the path to the secret file + The value is an attribute set containing a list of public keys as a string + */ + map + (secret: { + name = "hosts/${hostname}/secrets/${secret}"; + value = { + publicKeys = [ + # Hardcode clerie's public key here + users.clerie + # No other user should have access to any secrets + + # A host should only have access to their own secrets + hosts."${hostname}" + ]; + }; + }) + # All file names of already 
existing secrets plus the magic "new" secret + (listOfSecrets ++ [ "new" ]) else + # Answer with an empty list, if no secrets are provided for a host []; in - builtins.listToAttrs (builtins.concatMap (hostname: secretsForHost hostname) (builtins.attrNames (builtins.readDir ./hosts))) + # We just have a list of name value pairs that need to get transformed into an attribute set + builtins.listToAttrs ( + builtins.concatMap + # Provide a list of secrets for a given hostname + (hostname: secretsForHost hostname) + # Names of all hosts + (builtins.attrNames (builtins.readDir ./hosts)) + ) From 35d2b3a76c058f9ee34247f4f1f42862cce03fd7 Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 7 Dec 2023 20:18:21 +0100 Subject: [PATCH 2/4] user/criese-nethinks: refactor ssh.pub --- users/criese-nethinks/default.nix | 2 +- users/criese-nethinks/{ssh-criese.pub => ssh.pub} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename users/criese-nethinks/{ssh-criese.pub => ssh.pub} (100%) diff --git a/users/criese-nethinks/default.nix b/users/criese-nethinks/default.nix index ed4850f..2a988da 100644 --- a/users/criese-nethinks/default.nix +++ b/users/criese-nethinks/default.nix @@ -4,7 +4,7 @@ users.users.criese-nethinks = { isNormalUser = true; openssh.authorizedKeys.keys = [ - (builtins.readFile ./ssh-criese.pub) + (builtins.readFile ./ssh.pub) ]; }; } diff --git a/users/criese-nethinks/ssh-criese.pub b/users/criese-nethinks/ssh.pub similarity index 100% rename from users/criese-nethinks/ssh-criese.pub rename to users/criese-nethinks/ssh.pub From 0ea664287b8bbaebd4ccf294729986180791c57d Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 7 Dec 2023 20:21:44 +0100 Subject: [PATCH 3/4] users/isa: Move to users directory --- flake.nix | 1 + hosts/astatine/configuration.nix | 1 - hosts/astatine/isa.nix => users/isa/default.nix | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename hosts/astatine/isa.nix => users/isa/default.nix (100%) 
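Review bot: The comment added above `secretsFiles` should say that the `builtins.readDir` on the secrets directory is only forced lazily inside the `then` branch, after the `pathExists` guard, since a reader may otherwise assume the `let` binding fails for hosts without a secrets directory and a later change that forces it earlier would break exactly those hosts. Suggested: `# Only evaluated after the pathExists check below succeeds (Nix is lazy), so hosts without a secrets directory are fine`. The `listOfSecrets` filter matches any directory entry whose name ends in `.age`, not only regular files; if that matters, keep the `readDir` result and filter on its type as well, e.g. `entries = builtins.readDir (./hosts + "/${hostname}/secrets");` and `(i: entries.${i} == "regular" && ...)`. The map comment's "a list of public keys as a string" should read "a list of public keys as strings".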
diff --git a/flake.nix b/flake.nix index 3ae7d60..7439cf5 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,7 @@ group = "event"; modules = [ ./users/criese-nethinks + ./users/isa ]; }; backup-4 = { name = "backup-4"; }; diff --git a/hosts/astatine/configuration.nix b/hosts/astatine/configuration.nix index b42c453..742b73f 100644 --- a/hosts/astatine/configuration.nix +++ b/hosts/astatine/configuration.nix @@ -5,7 +5,6 @@ [ ./hardware-configuration.nix - ./isa.nix ./users.nix ]; diff --git a/hosts/astatine/isa.nix b/users/isa/default.nix similarity index 100% rename from hosts/astatine/isa.nix rename to users/isa/default.nix From 0220dbbcdd04a6b5f483481d2bc28eb27e12d180 Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 7 Dec 2023 20:23:11 +0100 Subject: [PATCH 4/4] users/isa: Refactor ssh public key --- users/isa/default.nix | 3 +-- users/isa/ssh.pub | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 users/isa/ssh.pub diff --git a/users/isa/default.nix b/users/isa/default.nix index a42685f..78703fe 100644 --- a/users/isa/default.nix +++ b/users/isa/default.nix @@ -3,9 +3,8 @@ { users.users.isa = { isNormalUser = true; - extraGroups = [ "guests" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e" + (builtins.readFile ./ssh.pub) ]; }; } diff --git a/users/isa/ssh.pub b/users/isa/ssh.pub new file mode 100644 index 0000000..22be22f --- /dev/null +++ b/users/isa/ssh.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e
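Review bot: The host entry that gains `./users/isa` in flake.nix is identified in the hunk only by `group = "event"`, while the matching removal of `./isa.nix` is in `hosts/astatine/configuration.nix`; whether this entry is astatine cannot be confirmed from the hunk, so it is worth double-checking that isa's account ends up on the same host and not on a different "event" host. A short comment next to the new module entry, such as `./users/isa # moved from hosts/astatine/isa.nix`, would make the move traceable.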
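Review bot: The removal of `extraGroups = [ "guests" ];` in `users/isa/default.nix` changes isa's group membership and is unrelated to moving the public key into `ssh.pub`, yet the subject line describes only the key refactor; either restore the line or state the intended permission change in the commit message so it is visible in history. Separately, `builtins.readFile ./ssh.pub` passes the file content into `openssh.authorizedKeys.keys` verbatim, so if the new `ssh.pub` ends with a newline it is carried into the key entry; the `@@ -0,0 +1 @@` hunk does not show whether the file has a trailing newline, so this is worth confirming.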