add deterministic passwords! woo!

2022-10-02 14:07:23 -05:00 · 2022-10-02 14:07:23 -05:00 · 464d7b2497
commit 464d7b2497
parent cfb3dbec84
1 changed files with 83 additions and 0 deletions
--- a/common/deterministic-passwords.nix
+++ b/common/deterministic-passwords.nix
@ -0,0 +1,83 @@
+{pkgs, lib, config, ...}:
+with lib;
+with builtins;
+with import <cascade/functions>;
+
+{
+options = {
+  environment.deterministic-passwords = mkOption {
+    type = with types; attrsOf (submodule ({config, name, ...}@args: {
+      options = {
+        enabled = mkEnableOption "password writer for ${name}" // {default = true;};
+
+        destination = mkOption {
+          type = str;
+          description = ''Where to save the secret'';
+        };
+
+        group = mkOption {
+            type = str;
+            description = "Group that will own the secret.";
+            default = "root";
+        };
+        
+        user = mkOption {
+            type = str;
+            description = "User who will own the secret.";
+            default = "root";
+        };
+
+        mode = mkOption {
+          default = "0400";
+          type = str;
+          description = "Target file mode (octal)";
+        };
+
+        action = mkOption {
+          default = [];
+          type = listOf str;
+          description = "Action to perform on the remote host when the secret changes";
+        };
+      };
+    }));
+  };
+};
+
+config = 
+let shq = escapeShellArg;
+    makeUpdateScript = n: {enabled, destination, group, user, mode, action}@opts: ''
+      (
+      umask 0777
+      ACTION=${shq (join-string "\n" action)}
+      ${pkgs.util-linux}/bin/uuidgen -s -n $(cat /etc/cascade/host-secret.uuid) -N ${shq n} > ${shq destination}
+      chown ${shq user}:${shq group} ${shq destination}
+      chmod ${shq mode} ${shq destination}
+      ${pkgs.bash}/bin/bash -c "$ACTION"
+      )
+    '';
+    secretToPath = n: {enabled, destination, group, user, mode, action}@opts: mkIf (enabled) { 
+      wantedBy = [ "multi-user.target" ];
+      pathConfig = {
+        PathChanged = "/etc/cascade/host-secret.uuid";
+      };
+      after = [ "network-online.target" ];
+    };
+    secretToService = n: {enabled, destination, group, user, mode, action}@opts: mkIf (enabled) { 
+      serviceConfig.Type = "oneshot";
+      script = makeUpdateScript n opts;
+    };
+    secretToActivationScript = n: {enabled, destination, group, user, mode, action}@opts: { 
+      text = mkMerge [
+        (mkIf   enabled  (makeUpdateScript n opts))
+	(mkIf (!enabled) ''rm -f ${shq destination}'')
+      ];
+    };
+in
+{
+  systemd.paths = mapAttrs' (n: v: nameValuePair "deterministic-password-${n}" (secretToPath n v)) config.environment.deterministic-passwords;
+  systemd.services = mapAttrs' (n: v: nameValuePair "deterministic-password-${n}" (secretToService n v)) config.environment.deterministic-passwords;
+  system.activationScripts = mapAttrs' (n: v: nameValuePair "deterministic-password-${n}-refresh" (secretToActivationScript n v)) config.environment.deterministic-passwords;
+  environment.deterministic-passwords = mkDefault {};
+};
+
+}