diff --git a/checks/secrets/default.nix b/checks/secrets/default.nix index c6b1a8b2..8f050bf7 100644 --- a/checks/secrets/default.nix +++ b/checks/secrets/default.nix @@ -5,13 +5,17 @@ imports = [ (self.nixosModules.clanCore) ]; - environment.etc."secret".source = config.sops.secrets.foo.path; + environment.etc."secret".source = config.sops.secrets.secret.path; + environment.etc."group-secret".source = config.sops.secrets.group-secret.path; sops.age.keyFile = ./key.age; + clanCore.clanDir = "${./.}"; clanCore.machineName = "machine"; + networking.hostName = "machine"; }; testScript = '' machine.succeed("cat /etc/secret >&2") + machine.succeed("cat /etc/group-secret >&2") ''; } diff --git a/checks/secrets/sops/secrets/foo/machines/machine b/checks/secrets/sops/groups/group/machines/machine similarity index 100% rename from checks/secrets/sops/secrets/foo/machines/machine rename to checks/secrets/sops/groups/group/machines/machine diff --git a/checks/secrets/sops/secrets/group-secret/groups/group b/checks/secrets/sops/secrets/group-secret/groups/group new file mode 120000 index 00000000..ad3ef6ea --- /dev/null +++ b/checks/secrets/sops/secrets/group-secret/groups/group @@ -0,0 +1 @@ +../../../groups/group \ No newline at end of file diff --git a/checks/secrets/sops/secrets/group-secret/secret b/checks/secrets/sops/secrets/group-secret/secret new file mode 100644 index 00000000..fc575a97 --- /dev/null +++ b/checks/secrets/sops/secrets/group-secret/secret @@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:FgF3,iv:QBbnqZ6405qmwGKhbolPr9iobngXt8rtfUwCBOnmwRA=,tag:7gqI1zLVnTkZ0xrNn/LEkA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMHcxKzhUZzNHQmQrb28x\nRC9UMlZMeDN3S1l1eHdUWmV4VUVReHhhQ0RnCjAyUXVlY1FmclVmL2lEdFZuTmll\nVENpa3AwbjlDck5zdGdHUTRnNEdEOUkKLS0tIER3ZlNMSVFnRElkRDcxajZnVmFl\nZThyYzcvYUUvaWJYUmlwQ3dsSDdjSjgK+tj34yBzrsIjm6V+T9wTgz5FdNGOR7I/\nVB4fh8meW0vi/PCK/rajC8NbqmK8qq/lwsF/JwfZKDSdG0FOJUB1AA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-09-03T12:44:56Z", + "mac": "ENC[AES256_GCM,data:d5a0WfE5ZRLKF1NZkBfOl+cVI8ZZHd2rC+qX/giALjyrzk09rLxBeY4lO827GFfMmVy/oC7ceH9pjv2O7ibUiQtcbGIQVBg/WP+dVn8fRMWtF0jpv9BhYTutkVk3kiddqPGhp3mpwvls2ot5jtCRczTPk3JSxN3B1JSJCmj9GfQ=,iv:YmlkTYFNUaFRWozO8+OpEVKaSQmh+N9zpatwUNMPNyw=,tag:mEGQ4tdo82qlhKWalQuufg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/checks/secrets/sops/secrets/secret/machines/machine b/checks/secrets/sops/secrets/secret/machines/machine new file mode 120000 index 00000000..4cef1e1f --- /dev/null +++ b/checks/secrets/sops/secrets/secret/machines/machine @@ -0,0 +1 @@ +../../../machines/machine \ No newline at end of file diff --git a/checks/secrets/sops/secrets/foo/secret b/checks/secrets/sops/secrets/secret/secret similarity index 100% rename from checks/secrets/sops/secrets/foo/secret rename to checks/secrets/sops/secrets/secret/secret diff --git a/checks/secrets/sops/secrets/foo/users/admin b/checks/secrets/sops/secrets/secret/users/admin similarity index 100% rename from checks/secrets/sops/secrets/foo/users/admin rename to checks/secrets/sops/secrets/secret/users/admin diff --git a/nixosModules/clanCore/secrets/sops.nix b/nixosModules/clanCore/secrets/sops.nix index fb06c393..ab977228 100644 --- a/nixosModules/clanCore/secrets/sops.nix +++ b/nixosModules/clanCore/secrets/sops.nix @@ -1,4 +1,25 @@ { config, lib, pkgs, ... }: +let + secretsDir = config.clanCore.clanDir + "/sops/secrets"; + groupsDir = config.clanCore.clanDir + "/sops/groups"; + + # My symlink is in the nixos module detected as a directory also it works in the repl. Is this because of pure evaluation? + containsSymlink = path: + builtins.pathExists path && (builtins.readFileType path == "directory" || builtins.readFileType path == "symlink"); + + containsMachine = parent: name: type: + type == "directory" && containsSymlink "${parent}/${name}/machines/${config.clanCore.machineName}"; + + containsMachineOrGroups = name: type: + (containsMachine secretsDir name type) || lib.any (group: type == "directory" && containsSymlink "${secretsDir}/${name}/groups/${group}") groups; + + filterDir = filter: dir: + lib.optionalAttrs (builtins.pathExists dir) + (lib.filterAttrs filter (builtins.readDir dir)); + + groups = builtins.attrNames (filterDir (containsMachine groupsDir) groupsDir); + secrets = filterDir containsMachineOrGroups secretsDir; +in { config = { system.clan.generateSecrets = pkgs.writeScript "generate-secrets" '' @@ -43,26 +64,12 @@ fi) '') "" config.clanCore.secrets} ''; - sops.secrets = - let - secretsDir = config.clanCore.clanDir + "/sops/secrets"; - encryptedForThisMachine = name: type: - let - symlink = "${secretsDir}/${name}/machines/${config.clanCore.machineName}"; - in - # WTF, nix bug, my symlink is in the nixos module detected as a directory also it works in the repl - type == "directory" && builtins.pathExists symlink && (builtins.readFileType symlink == "directory" || builtins.readFileType symlink == "symlink"); - secrets = - if !(builtins.pathExists secretsDir) - then { } - else lib.filterAttrs encryptedForThisMachine (builtins.readDir secretsDir); - in - builtins.mapAttrs - (name: _: { - sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret"; - format = "binary"; - }) - secrets; + sops.secrets = builtins.mapAttrs + (name: _: { + sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret"; + format = "binary"; + }) + secrets; # To get proper error messages about missing secrets we need a dummy secret file that is always present sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" ""))); };