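{ config, pkgs, lib, ... }:
with lib;
let
in {
  # Build the systemd unit that fetches one Vault KV secret for the token
  # `tokenName` into /run/keys and then polls every 15 s that every field
  # file is still present and non-empty, failing the unit otherwise.
  #
  # Each entry of cfg.fields (attr name = Vault field, attr value = path of
  # a symlink to create) becomes its own file, mode 0600 and owned by
  # cfg.user:cfg.group; user, group and mount all default to tokenName.
  mkServices = tokenName: secretName:
    let
      cfg = config.turnkey.tokens.${tokenName}.secrets.${secretName};
      mount = cfg.mount or tokenName;
      user = cfg.user or tokenName;
      group = cfg.group or tokenName;
      tokenService = "turnkey-${tokenName}-token.service";
      tokenPath = "/run/keys/${tokenName}.token";
      mountPath = "/run/keys/${mount}";
      # One directory per secret, one file per field. ExecStop removes the
      # whole directory, which is what the monitoring loop watches for.
      secretDir = "${mountPath}/${secretName}";
      fieldPath = field: "${secretDir}/${field}.secret";
      vaultSecretPath = "${mount}/${secretName}";

      # Fetch one field. The destination is created with its final mode and
      # owner *before* the plaintext is written, so the secret never exists
      # with the wider mode the shell redirect would give it under the default
      # umask; a failed fetch leaves an empty 0600 file that the monitor catches.
      mkActualSecret = field: linkPath: ''
        install -m 0600 -o "${user}" -g "${group}" /dev/null "${fieldPath field}"
        vault kv get -field="${field}" "${vaultSecretPath}" > "${fieldPath field}"
        rm -f "${linkPath}"
        ln -s "${fieldPath field}" "${linkPath}"
      '';
      getSecretFields = concatLines (mapAttrsToList mkActualSecret cfg.fields);

      # Undo the symlinks created above (the field files go with secretDir).
      removeLinks = concatLines (mapAttrsToList (_: linkPath: ''rm -f "${linkPath}"'') cfg.fields);

      # Liveness checks for one polling round. These exit codes only leave the
      # `flock -c` child shell, so the caller propagates them with `|| exit $?`.
      checkSecretFields = concatLines (mapAttrsToList (field: _: ''
        # If the secret has been removed, we need to exit
        [ -e "${fieldPath field}" ] || exit 1
        # If the secret has gone empty, we need to fail.
        [ -s "${fieldPath field}" ] || exit 2
      '') cfg.fields);
    in {
      "turnkey-${tokenName}-${secretName}-secret" = {
        enable = true;
        description = "Emerald City Turnkey Secret: ${secretName}";
        after = [ tokenService ];
        wantedBy = [ tokenService ];
        requires = [ tokenService ];
        path = [ pkgs.vault-bin pkgs.util-linux pkgs.jq ];
        environment.VAULT_ADDR = "https://vault.emerald.city:8200";
        serviceConfig = {
          User = "root";
          Group = "root";
          Type = "simple";
          RemainAfterExit = "yes";
          ExecStop = pkgs.writeShellScript "turnkey-${tokenName}-${secretName}-release.sh" ''
            # -f: stopping after a failed acquire must not itself fail.
            rm -rf "${secretDir}"
            ${removeLinks}
          '';
          ExecStart = pkgs.writeShellScript "turnkey-${tokenName}-${secretName}-acquire.sh" ''
            # Acquire under a shared lock on the token file. The token is fed
            # to `vault login` on stdin (never on a command line) and -no-print
            # keeps it out of the journal; the single-quoted -c body stops the
            # outer shell from expanding anything into flock's argument list.
            # set -e makes a failed fetch abort instead of continuing silently.
            flock -s "${tokenPath}" -c '
              set -e
              vault login -no-print - < "${tokenPath}"
              mkdir -p "${secretDir}"
              ${getSecretFields}
            ' || exit $?
            echo "Secret acquired, entering monitoring loop."
            while true ; do
              # Checked before locking: flock would otherwise re-create the
              # path as an empty file once ExecStop has removed it.
              [ -d "${secretDir}" ] || exit 1
              flock -s "${secretDir}" -c '
                ${checkSecretFields}
              ' || exit $?
              echo "Token still fresh"
              sleep 15
            done
          '';
        };
      };
      /*
      "${secretName}-renew" = {
      };
      "${secretName}-refresh" = {
      };
      */
    };

  # Placeholder: no timers are generated yet.
  mkTimers = secretCfg: tokenName: { }: {
  };
}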