Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add secrets change detection #132

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add secrets change detection #132

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6574427
modules/age: add indentation
erikarvstedt Jan 9, 2023
69e4bfb
modules/age: add secrets change detection
erikarvstedt Jan 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 49 additions & 17 deletions modules/age.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,21 @@ let
users = config.users.users;

newGeneration = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
_agenix_last_generation=$(basename "$(readlink ${cfg.secretsDir})" || true)
if [[ $_agenix_last_generation == ${secretsHash} ]]; then
_agenix_is_current=1
else
_agenix_is_current=
fi
if [[ ! $_agenix_is_current ]]; then
_agenix_generation="${secretsHash}"
echo "[agenix] creating new generation in ${cfg.secretsMountPoint}/$_agenix_generation"
mkdir -p "${cfg.secretsMountPoint}"
chmod 0751 "${cfg.secretsMountPoint}"
grep -q "${cfg.secretsMountPoint} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsMountPoint}" -o nodev,nosuid,mode=0751
mkdir -p "${cfg.secretsMountPoint}/$_agenix_generation"
chmod 0751 "${cfg.secretsMountPoint}/$_agenix_generation"
fi
'';

identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);
Expand Down Expand Up @@ -59,23 +66,30 @@ let
test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
'') cfg.identityPaths;

# Add suffix `-incomplete` to the generation when creating some secrets has failed.
# This ensures that we can try to re-create the generation on subsequent runs.
renameOnFailure = ''
if (( _localstatus > 0 )); then
mv "${cfg.secretsMountPoint}/$_agenix_generation"{,-incomplete}
_agenix_generation+=-incomplete
fi
Comment on lines +72 to +75
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this about? Maybe worth a comment in the code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, makes sense. I still don't understand where _localstatus comes from or under what conditions it's valid, but maybe my google-fu isn't good enough to find the bash documentation for it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

_localstatus is defined here.

'';

cleanupAndLink = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}

(( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
rm -rf "${cfg.secretsMountPoint}/$(( _agenix_generation - 1 ))"
[[ $_agenix_last_generation ]] && {
echo "[agenix] removing old secrets (generation $_agenix_last_generation)..."
rm -rf "${cfg.secretsMountPoint}/$_agenix_last_generation"
}
'';

installSecrets = builtins.concatStringsSep "\n" (
installSecrets = mkInstallScript (
[ "echo '[agenix] decrypting secrets...'" ]
++ testIdentities
++ (map installSecret (builtins.attrValues cfg.secrets))
++ [ cleanupAndLink ]
++ [ renameOnFailure cleanupAndLink ]
);

chownSecret = secretType: ''
Expand All @@ -89,11 +103,23 @@ let
chown :keys "${cfg.secretsMountPoint}" "${cfg.secretsMountPoint}/$_agenix_generation"
'';

chownSecrets = builtins.concatStringsSep "\n" (
chownSecrets = mkInstallScript (
[ "echo '[agenix] chowning...'" ]
++ [ chownMountPoint ]
++ (map chownSecret (builtins.attrValues cfg.secrets)));

mkInstallScript = strings: ''
[[ $_agenix_is_current ]] || {
${builtins.concatStringsSep "\n" strings}
}
'';

secretsHash = let
sha256-base16 = builtins.hashString "sha256" (builtins.toJSON cfg.secrets);
in
# Truncate to 128 bits to increase readability
substring 0 32 sha256-base16;

secretType = types.submodule ({ config, ... }: {
options = {
name = mkOption {
Expand All @@ -104,7 +130,13 @@ let
'';
};
file = mkOption {
type = types.path;
type = mkOptionType {
name = "nix-path";
descriptionClass = "noun";
check = builtins.isPath;
merge = mergeEqualOption;
};

Comment on lines +133 to +139
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
type = mkOptionType {
name = "nix-path";
descriptionClass = "noun";
check = builtins.isPath;
merge = mergeEqualOption;
};
type = types.package;

Does this work? See https://github.com/NixOS/nixpkgs/blob/master/lib/types.nix#L464-L473

Copy link
Contributor Author

@erikarvstedt erikarvstedt Jan 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, because at the moment the value is typechecked, it's not yet a store path but a mere path (like /my/repo/secrets/foo.nix).

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, yes. builtins.toString /my/repo/secrets/foo.nix yields "/my/repo/secrets/foo.nix" not the store path where it'll get stored.

description = ''
Age file the secret is loaded from.
'';
Expand Down