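# NixOS module "turnkey": unlocks a root token from /run/keys, keeps a set of
# named child tokens renewed on timers, and renders each token's secrets to
# their target paths. The unit definitions themselves come from the sibling
# files ./rootToken.nix, ./token.nix and ./secret.nix; this module only
# declares the options and wires the generated units together.
#
# NOTE(review): the role-id / secret-id / root.token naming suggests a
# Vault-style AppRole flow, but the client logic is not visible here —
# confirm against the helper files before relying on that.
{ config, pkgs, lib, ... }:
with lib;
let
  cfg = config.turnkey;

  mkDescription = component: "Emerald City Turnkey Service: ${component}";

  # Every credential this module consumes or produces lives under /run/keys.
  # NOTE(review): presumably a non-persistent key directory — verify how it is
  # provisioned on the target hosts.
  roleIDPath = "/run/keys/role-id";
  secretIDPath = "/run/keys/secret-id";
  rootTokenPath = "/run/keys/root.token";
  tokenPath = tokenName: "/run/keys/${tokenName}.token";

  # Unit generators. `root` and `token` get only the paths they need;
  # `secret` receives the full module `config`.
  root = import ./rootToken.nix {
    inherit pkgs rootTokenPath mkDescription roleIDPath secretIDPath;
  };
  token = import ./token.nix { inherit pkgs lib rootTokenPath tokenPath; };
  secret = import ./secret.nix { inherit config pkgs lib; };
in
{
  options.turnkey = with types; {
    # mkEnableOption already prefixes "Whether to enable ", so only the
    # subject is given here (the old "Enable Turnkey" rendered as
    # "Whether to enable Enable Turnkey.").
    enable = mkEnableOption "Turnkey";

    # NOTE(review): `appRole` and `period` are declared but not referenced in
    # this file, and `root` is not handed `config` — presumably they are read
    # via `config` inside ./secret.nix; verify they actually take effect.
    appRole = mkOption {
      description = "The name of the approle to use, usually the hostname of the machine";
      type = str;
    };
    period = mkOption {
      description = "The renewal period to apply to the root token";
      default = "3m";
      type = str;
    };

    # One entry per child token; the attribute name is the token name and is
    # also used to derive its on-disk path (see `tokenPath`).
    tokens = mkOption {
      type = attrsOf (submodule {
        options = {
          # NOTE(review): the descriptions promise "defaults to name of
          # token", but no `default` is declared, so both options are
          # currently required. Confirm that ./token.nix handles `null`
          # before adding `default = null;` here.
          user = mkOption {
            description = "user who will own the token, defaults to name of token";
            type = nullOr str;
          };
          group = mkOption {
            description = "group who will own the token defaults to name of token";
            type = nullOr str;
          };
          ttl = mkOption {
            description = "How long before renewing the token";
            type = str;
          };
          policies = mkOption {
            description = "list of policies for the token";
            type = listOf str;
          };
          # Secrets fetched with this token and written to `targetPath`.
          secrets = mkOption {
            type = attrsOf (submodule {
              options = {
                targetPath = mkOption { type = str; };
                mount = mkOption { type = nullOr str; default = null; };
                user = mkOption { type = str; };
                group = mkOption { type = str; };
                # Owner-only by default; widen deliberately per secret.
                mode = mkOption { type = str; default = "0600"; };
                # NOTE(review): the meaning of `fields` and of the
                # `/dev/null` default is defined in ./secret.nix — confirm.
                fields = mkOption { type = attrs; default = { data = "/dev/null"; }; };
              };
            });
          };
        };
      });
    };
  };

  config =
    let
      tokenNames = attrNames cfg.tokens;
      secretNamesFor = tokenName: attrNames cfg.tokens.${tokenName}.secrets;

      tokenServices = map (token.mkServices cfg.tokens) tokenNames;
      tokenTimers = map token.mkTimers tokenNames;
      secretServices = concatMap
        (tokenName: map (secret.mkServices tokenName) (secretNamesFor tokenName))
        tokenNames;
      # Secret timers are not generated yet; the intended shape was:
      #   map (t: map (secret t).mkTimers (secretNamesFor t)) tokenNames
      secretTimers = [ ];
    in
    # Previously the units were defined unconditionally, so `enable` had no
    # effect and merely importing the module activated it.
    mkIf cfg.enable {
      systemd = {
        # Reached once the root token is unlocked; other units can order
        # themselves after it.
        targets.turnkey = {
          enable = true;
          description = mkDescription "Post-unlock target";
          requires = [ "multi-user.target" ];
          unitConfig.AllowIsolate = true;
        };
        services = mkMerge (
          tokenServices ++ secretServices
          ++ [ root.mkService root.mkUnlockOneshot ]
        );
        timers = mkMerge (
          tokenTimers ++ secretTimers
          ++ [ root.mkTimer ]
        );
      };
    };
}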