feat(modules): Add host-info and secrets as nixosModules

MartinNikov · MartinNikov · commit b9bb389785de · 2024-04-18T17:50:25.000+03:00
diff --git a/flake.nix b/flake.nix
@@ -203,6 +203,8 @@
         ./modules/tailscale-autoconnect
         ./modules/grafana-agent-flow
         ./modules/pyroscope
+        ./modules/secrets.nix
+        ./modules/host-info.nix
         ./packages
       ];
       systems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
diff --git a/modules/host-info.nix b/modules/host-info.nix
@@ -1,50 +1,67 @@
-{
-  config,
-  lib,
-  ...
-}: {
-  options.mcl.host-info = with lib; {
-    type = mkOption {
-      type = types.nullOr (types.enum ["desktop" "server"]);
-      default = null;
-      example = ["desktop"];
-      description = ''
-        Whether this host is a desktop or a server.
-      '';
-    };
+{withSystem, ...}: {
+  flake.nixosModules.mcl-host-info = {
+    config,
+    lib,
+    dirs,
+    ...
+  }: {
+    options.mcl.host-info = with lib; {
+      type = mkOption {
+        type = types.nullOr (types.enum ["desktop" "server" "container"]);
+        default = null;
+        example = ["desktop"];
+        description = ''
+          Whether this host is a desktop or a server.
+        '';
+      };
 
-    isVM = mkOption {
-      type = types.nullOr types.bool;
-      default = null;
-      example = ["false"];
-      description = ''
-        Whether this configuration is a VM variant.
-      '';
-    };
+      isDebugVM = mkOption {
+        type = types.nullOr types.bool;
+        default = null;
+        example = ["false"];
+        description = ''
+          Whether this configuration is a VM variant with extra debug
+          functionality.
+        '';
+      };
+
+      configPath = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        example = ["machines/server/solunska-server"];
+        description = ''
+          The configuration path for this host relative to the repo root.
+        '';
+      };
 
-    configPath = mkOption {
-      type = types.nullOr types.string;
-      default = null;
-      example = ["machines/server/solunska-server"];
-      description = ''
-        The configuration path for this host relative to the repo root.
-      '';
+      sshKey = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "ssh-ed25519 AAAAC3Nza";
+        description = ''
+          The public ssh key for this host.
+        '';
+      };
+    };
+    config = {
+      assertions = [
+        {
+          assertion = config.mcl.host-info.type != null;
+          message = "mcl.host-info.type must be defined for every host";
+        }
+        {
+          assertion = config.mcl.host-info.isDebugVM != null;
+          message = "mcl.host-info.isDebugVM must be defined for every host";
+        }
+        {
+          assertion = config.mcl.host-info.configPath != null;
+          message = "mcl.host-info.configPath must be defined for every host";
+        }
+        {
+          assertion = config.mcl.host-info.sshKey != null;
+          message = "mcl.host-info.sshKey must be defined for every host";
+        }
+      ];
     };
-  };
-  config = {
-    assertions = [
-      {
-        assertion = config.mcl.host-info.type != null;
-        message = "mcl.host-info.type must be defined for every host";
-      }
-      {
-        assertion = config.mcl.host-info.isVM != null;
-        message = "mcl.host-info.isVM must be defined for every host";
-      }
-      {
-        assertion = config.mcl.host-info.configPath != null;
-        message = "mcl.host-info.configPath must be defined for every host";
-      }
-    ];
   };
 }
diff --git a/modules/secrets.nix b/modules/secrets.nix
@@ -0,0 +1,116 @@
+{withSystem, ...}: {
+  flake.nixosModules.mcl-secrets = {
+    config,
+    options,
+    lib,
+    dirs,
+    mcl-modules,
+    ...
+  }: let
+    eachServiceCfg = config.mcl.secrets.services;
+    isDebugVM = config.mcl.host-info.isDebugVM;
+
+    sshKey = config.mcl.host-info.sshKey;
+
+    ageSecretOpts =
+      builtins.head
+      (builtins.head
+        options.age.secrets.type.nestedTypes.elemType.getSubModules)
+      .imports;
+
+    secretDir = let
+      machineConfigPath = config.mcl.host-info.configPath;
+      machineSecretDir = machineConfigPath + "/secrets";
+      vmConfig = dirs.modules + "/default-vm-config";
+      vmSecretDir = vmConfig + "/secrets";
+    in
+      if isDebugVM
+      then vmSecretDir
+      else machineSecretDir;
+  in {
+    options.mcl.secrets = with lib; {
+      services = mkOption {
+        type = types.attrsOf (types.submodule ({config, ...}: let
+          serviceName = config._module.args.name;
+        in {
+          options = {
+            encryptedSecretDir = mkOption {
+              type = types.path;
+              default = secretDir;
+            };
+            secrets = mkOption {
+              default = {};
+              type = types.attrsOf (types.submoduleWith {
+                modules = [
+                  ageSecretOpts
+                  ({name, ...}: let
+                    secretName = name;
+                  in {
+                    config = {
+                      name = "${serviceName}/${secretName}";
+                      file =
+                        lib.mkDefault (config.encryptedSecretDir + "/${serviceName}/${secretName}.age");
+                    };
+                  })
+                ];
+              });
+            };
+            extraGroups = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              example = ["devops" "secretsAccess"];
+              description = "Groups which have access to decrypt the secrets.";
+            };
+            extraKeys = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              example = ["ssh-ed25519 AAAAC3Nza" "ssh-ed25519 AAAACSNss"];
+              description = "Groups which have access to decrypt the secrets.";
+            };
+            nix-file = mkOption {
+              default =
+                if (pathIsRegularFile (config.encryptedSecretDir + "/${serviceName}/secrets.nix"))
+                then config.encryptedSecretDir + "/${serviceName}/secrets.nix"
+                else
+                  builtins.toFile "${serviceName}-secrets.nix" ''
+                    let
+                      hostKey = ["${sshKey}"];
+                      groupsKeys = ["${concatStringsSep "\"\"" (mcl-modules.libs.utils.allUserKeysForGroup config.extraGroups)}"];
+                      extraKeys = ["${concatStringsSep "\"\"" config.extraKeys}"];
+                    in {
+                      ${concatMapStringsSep "\n"
+                      (n: "\"${n}\".publicKeys = hostKey ++ groupKeys ++ extraKeys;")
+                      (builtins.attrNames config.secrets)}
+                    }
+                  '';
+              type = types.path;
+            };
+          };
+        }));
+        default = {};
+        example = {
+          service1.secrets.secretA = {};
+          service1.secrets.secretB = {};
+          service2.secrets.secretC = {};
+          cachix-deploy.secrets.token = {
+            path = "/etc/cachix-agent.token";
+          };
+        };
+        description = mdDoc "Per-service attrset of encryptedSecretDir and secrets";
+      };
+    };
+
+    config = lib.mkIf (eachServiceCfg != {}) {
+      age.secrets = lib.pipe eachServiceCfg [
+        (lib.mapAttrsToList (serviceName: service:
+          lib.mapAttrsToList (
+            secretName: config:
+              lib.nameValuePair "${serviceName}/${secretName}" config
+          )
+          service.secrets))
+        lib.concatLists
+        lib.listToAttrs
+      ];
+    };
+  };
+}
