Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce secrets declarations in-tree with pre-activation setup using string paths #24

Open
Frontear opened this issue Dec 3, 2024 · 1 comment
Open

Introduce secrets declarations in-tree with pre-activation setup using string paths #24

Frontear opened this issue Dec 3, 2024 · 1 comment
Labels
compat: backwards Represents a backwards compatible change. Existing functionality is wholly unaffected by changes. priority: low Non-essential issues that are neither affecting functionality nor usability. type: feature/addition Marks the request/implementation of a feature addition. Accompany with relevant labels.

Comments

@Frontear
Copy link
Owner

Frontear commented Dec 3, 2024
edited
Loading

Forgive me for the lack of an exhaustive description at the moment. Instead, I'll present a simplified step-by-step use case, which has not been fully fleshed out but serves as a good enough basic understanding.

  1. We declare our service via its module and expose a secret file as a path string (NOT A NIX PATH EXPRESSION)
{ config, lib, pkgs, ... }: {
  my.service = {
    enable = true;
    settings = { ... };

    privKey = "/run/secrets/my-key-path";
  };
}
  1. During rebuild or pre-activation, we perform a copy from ${repo-root}/secrets/my-key-path/keyfile to /run/secrets/my-key-path.
#!/usr/bin/env bash

if [ ! -e "/run/secrets/$path" ] && [ -e "$repo/secrets/$path" ]; then
  mkdir -p "/run/secrets/$path"
  cp --archive --target "/run/secrets/$path" "$repo/secrets/$path"
fi
  1. Allow standard NixOS activation to proceed.

I'm not too sure how useful https://github.com/Mic92/sops-nix or https://github.com/ryantm/agenix will be for this as I'm unfamiliar with how they work. If neither is applicable I think https://github.com/AGWA/git-crypt is completely fine alongside some sort of pre-activation or post-rebuild injection. Injecting our code into post-rebuild seems a lot easier since we manage it directly via our devshell.
@Frontear Frontear added priority: low Non-essential issues that are neither affecting functionality nor usability. type: feature/addition Marks the request/implementation of a feature addition. Accompany with relevant labels. compat: backwards Represents a backwards compatible change. Existing functionality is wholly unaffected by changes. labels Dec 3, 2024
@Frontear
Copy link
Owner Author

Frontear commented Dec 7, 2024
edited
Loading

One thing I just realized that needs to be taken into consideration is the fact that flakes are copied into the /nix/store. Would this not be a problem for any secrets stored in-tree, since they would be copied and thus world-readable?

EDIT: As a completely asinine idea, what if we enforced extremely strict permissions onto the /nix/store? Using some extreme ACLs we could prevent the store from having r-x except for trusted users and root. All others have no permissions whatsoever, which will completely prevent secrets leakage in extremely niche cases (one trusted user only).

Probably not a good idea overall honestly. These permissions could break the usability of services which use paths in the store directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
compat: backwards Represents a backwards compatible change. Existing functionality is wholly unaffected by changes. priority: low Non-essential issues that are neither affecting functionality nor usability. type: feature/addition Marks the request/implementation of a feature addition. Accompany with relevant labels.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Frontear