infra/common/secrets-permissions.nix

37 lines
886 B
Nix
Raw Normal View History

2024-05-28 17:56:03 +00:00
# This module enforces permissions on secrets stored on the machines.
{ config, lib, ... }:
2024-05-28 17:56:03 +00:00
with lib;
let
cfg = config.custom.secrets;
in
2024-05-28 17:56:03 +00:00
{
options.custom.secrets = {
extraCommands = mkOption {
default = "";
type = types.lines;
description = lib.mdDoc "extra commands to populate /etc/secrets";
};
};
2024-05-28 17:56:03 +00:00
config = {
system.activationScripts."secrets-permissions" = ''
# Default to restrictive permissions on secrets.
# Root can alway read/write/traverse directories no matter the permissions
# set.
mkdir -p /etc/secrets
2024-05-28 17:56:03 +00:00
chown --recursive root:root /etc/secrets
chmod --recursive 600 /etc/secrets
2024-05-28 17:56:03 +00:00
# Relax permissions on some secrets.
2024-05-28 17:56:03 +00:00
# The top directory must be readable and traversable by thoses who need to
# access secrets.
chmod 755 /etc/secrets
'' + cfg.extraCommands;
};
2024-05-28 17:56:03 +00:00
}