cascade/CASCADE
5
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add deterministic passwords! woo!

Browse Source
This commit is contained in:
James Andariese 2022-10-02 14:07:23 -05:00
parent cfb3dbec84
commit 464d7b2497
1 changed files with 83 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
common/deterministic-passwords.nix Normal file
View File

@ -0,0 +1,83 @@
{pkgs, lib, config, ...}:
with lib;
with builtins;
with import <cascade/functions>;
{
options = {
environment.deterministic-passwords = mkOption {
type = with types; attrsOf (submodule ({config, name, ...}@args: {
options = {
enabled = mkEnableOption "password writer for ${name}" // {default = true;};
destination = mkOption {
type = str;
description = ''Where to save the secret'';
};
group = mkOption {
type = str;
description = "Group that will own the secret.";
default = "root";
};
user = mkOption {
type = str;
description = "User who will own the secret.";
default = "root";
};
mode = mkOption {
default = "0400";
type = str;
description = "Target file mode (octal)";
};
action = mkOption {
default = [];
type = listOf str;
description = "Action to perform on the remote host when the secret changes";
};
};
}));
};
};
config =
let shq = escapeShellArg;
makeUpdateScript = n: {enabled, destination, group, user, mode, action}@opts: ''
(
umask 0777
ACTION=${shq (join-string "\n" action)}
${pkgs.util-linux}/bin/uuidgen -s -n $(cat /etc/cascade/host-secret.uuid) -N ${shq n} > ${shq destination}
chown ${shq user}:${shq group} ${shq destination}
chmod ${shq mode} ${shq destination}
${pkgs.bash}/bin/bash -c "$ACTION"
)
'';
secretToPath = n: {enabled, destination, group, user, mode, action}@opts: mkIf (enabled) {
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathChanged = "/etc/cascade/host-secret.uuid";
};
after = [ "network-online.target" ];
};
secretToService = n: {enabled, destination, group, user, mode, action}@opts: mkIf (enabled) {
serviceConfig.Type = "oneshot";
script = makeUpdateScript n opts;
};
secretToActivationScript = n: {enabled, destination, group, user, mode, action}@opts: {
text = mkMerge [
(mkIf enabled (makeUpdateScript n opts))
(mkIf (!enabled) ''rm -f ${shq destination}'')
];
};
in
{
systemd.paths = mapAttrs' (n: v: nameValuePair "deterministic-password-${n}" (secretToPath n v)) config.environment.deterministic-passwords;
systemd.services = mapAttrs' (n: v: nameValuePair "deterministic-password-${n}" (secretToService n v)) config.environment.deterministic-passwords;
system.activationScripts = mapAttrs' (n: v: nameValuePair "deterministic-password-${n}-refresh" (secretToActivationScript n v)) config.environment.deterministic-passwords;
environment.deterministic-passwords = mkDefault {};
};
}