-
-
Notifications
You must be signed in to change notification settings - Fork 14.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/security.gnupg: provisioning GnuPG-protected secrets through the Nix store #93659
Conversation
Interesting I was working on this: https://github.com/Mic92/sops-nix |
ac38f67
to
3d0f14e
Compare
430fed9
to
7508128
Compare
nixos/modules/security/gnupg.nix
Outdated
}; | ||
} // | ||
lib.mapAttrs' (target: secret: | ||
lib.nameValuePair (lib.removeSuffix ".service" secret.service) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So does this service starts a new gnupg daemon? Because it bind mounts /var/lib/gnupg/empty
?
Sorry for the late response, was kinda swamped. Removing myself from reviewers, since I'm personally not very keen on an approach tied to a specific "backend", but also don't want to block this PR in any way. Aside from that, without having tried it, I think this is a rather small addition easy enough to get in and can be useful enough to some people/setups with only moderate transition costs should something else come around. What I think could be important here to get more feedback is an updated documentation on the usage scenarios early on, including scenarios in which this would not work well (i.e. to aid reviewers/testers gain understanding quicker). For instance, from first glance it seems to me like this would not work with services utilizing What would be also good to check is whether this could benefit from some likely upcoming related changes in systemd and how this might change the interface (see systemd/systemd#16568). |
DynamicUser can be also supported like this: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/monitoring/prometheus/alertmanager.nix#L170 |
I've updated according to @rycee's review. Beware that I've also removed
I've also moved |
6187f80
to
b59410e
Compare
Introducing the possiblity to |
Opt-out |
Improved the documentation a little bit and fixed |
Fixed permission of |
Sorry, I forgot I had rebased a bit so Github's force-pushed link is not pretty; the diff is b3dc3af437f..58410e3735e, changelog is:
|
|
|
systemd v250 shall bring the systemd-creds utility (wrongly announced for v249 in that manpage). I'll have to actually use the new feature to be sure, but so far I'm looking forward to abandon this Some pros:
Some cons:
|
Motivation for this change
This
security.gnupg
proposal aims at granularly sending, decrypting, and installing secrets (and if need be reloading services depending on them) coming from GnuPG encrypted files put into the Nix store, by leveragingpassword-store
,gpg-agent
,systemd
andnix copy
.Thanks in advance for your feedbacks.
Features
password-store
's$PASSWORD_STORE_DIR
or any.gpg
loadable into the Nix store by any mean available.config.security.pass.secrets
).password-store
), and do not resend them unless they've changed.gpg-preset-passphrase
).RuntimeDirectory
), or persistent secrets only if theirpostStop
is configured to do so.secret-${secret}.service
per entry inconfig.security.gnupg.secrets
allow fine grainedpostStart
,after
,wants
, orrequires
).pipe
).extraBuiltins.exec
callingpass
and/ornixops send-keys
.gnupg
user instead ofroot
to rungpg-agent
.config.security.gnupg.agent.sendKeys
) to send throughssh
a decrypting key and its password togpg-agent
.TODO
nixos/tests/
.Inconvenients
apparmor
(for which I happen to be proposing the PR apparmor: fix and improve the service #93457 ).Example
First just rebuild your configuration without configuring secrets, just to enable
gpg-agent.service
, using:Then make sure secrets are (re)encrypted to the right OpenPGP recipients (eg.
[email protected]
's key):Now configure and use some secret (eg.
pass hosts/foo/transmission/settings.json
) :Without a
flake.nix
From there you can use
<nixpkgs/nixos>
as usual, interleaving a call tosendKeys
:Logged in as
[email protected]
, you can then list the systemd units responsible to install those secrets with:and check the ones decrypted on the default destination, like so:
With a
flake.nix
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)