feat: repo-local secrets implemented for yubikey

2025-12-06 09:07:21 +01:00 · 2025-06-11 04:01:07 +02:00 · 2025-06-11 04:01:07 +02:00 · 85cbd5e1f6
commit 85cbd5e1f6
parent 609bb1597f
11 changed files with 230 additions and 60 deletions
--- a/modules/nixos/common/pii.nix
+++ b/modules/nixos/common/pii.nix
@ -0,0 +1,72 @@
+{ config, inputs, lib, ... }:
+let
+
+  # If the given expression is a bare set, it will be wrapped in a function,
+  # so that the imported file can always be applied to the inputs, similar to
+  # how modules can be functions or sets.
+  constSet = x: if builtins.isAttrs x then (_: x) else x;
+
+  # Try to access the extra builtin we loaded via nix-plugins.
+  # Throw an error if that doesn't exist.
+  sopsImportEncrypted =
+    assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
+      "The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `<flakeRoot>/nix/extra-builtins.nix` ?";
+    builtins.extraBuiltins.sopsImportEncrypted;
+
+  # This "imports" an encrypted .nix.age file by evaluating the decrypted content.
+  importEncrypted =
+    path:
+    constSet (
+      if builtins.pathExists path then
+        sopsImportEncrypted path
+      else
+        { }
+    );
+in
+{
+  options = {
+    repo = {
+      secretFiles = lib.mkOption {
+        default = { };
+        type = lib.types.attrsOf lib.types.path;
+        example = lib.literalExpression "{ local = ./pii.nix.enc; }";
+        description = ''
+          This file manages the origin for this machine's repository-secrets. Anything that is
+          technically not a secret in the classical sense (i.e. that it has to be protected
+          after it has been deployed), but something you want to keep secret from the public;
+          Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
+          on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
+
+          All of these secrets may (and probably will be) put into the world-readable nix-store
+          on the build and target hosts. You'll most likely want to store personally identifiable
+          information here, such as:
+            - MAC Addreses
+            - Static IP addresses
+            - Your full name (when configuring your users)
+            - Your postal address (when configuring e.g. home-assistant)
+            - ...
+
+          Each path given here must be an sops-encrypted .nix file. For each attribute `<name>`,
+          the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.<name>`.
+        '';
+      };
+
+      secrets = lib.mkOption {
+        readOnly = true;
+        default = lib.mapAttrs (_: x: importEncrypted x inputs) config.repo.secretFiles;
+        type = lib.types.unspecified;
+        description = "Exposes the loaded repo secrets. This option is read-only.";
+      };
+    };
+    swarselsystems.modules.pii = lib.mkEnableOption "enable pii management";
+  };
+  config = lib.mkIf config.swarselsystems.modules.pii {
+    repo.secretFiles =
+      let
+        local = config.node.secretsDir + "/pii.nix.enc";
+      in
+      (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
+        common = ../../../secrets/repo/pii.nix.enc;
+      };
+  };
+}