mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00
Code Activity

home-manager: Add support for Split GPG on Qubes OS (#657)

Browse source 
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
This commit is contained in:
Wael Nasreddine 2024-11-09 20:32:29 -08:00 committed by GitHub
parent 60e1bce199
commit f1675e3b0e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 70 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
README.md
View file

@ -823,6 +823,31 @@ The secrets are decrypted in a systemd user service called `sops-nix`, so other
} }
``` ```
### Qubes Split GPG support
If you are using Qubes with the [Split GPG](https://www.qubes-os.org/doc/split-gpg),
then you can configure sops to utilize the `qubes-gpg-client-wrapper` with the `sops.gnupg.qubes-split-gpg` options.
The example above updated looks like this:
```nix
{
sops = {
gnupg.qubes-split-gpg = {
enable = true;
domain = "vault-gpg";
};
defaultSopsFile = ./secrets.yaml;
secrets.test = {
# sopsFile = ./secrets.yml.enc; # optionally define per-secret files
# %r gets replaced with a runtime directory, use %% to specify a '%'
# sign. Runtime dir is $XDG_RUNTIME_DIR on linux and $(getconf
# DARWIN_USER_TEMP_DIR) on darwin.
path = "%r/test.txt";
};
};
}
```
## Use with GPG instead of SSH keys ## Use with GPG instead of SSH keys
If you prefer having a separate GPG key, sops-nix also comes with a helper tool, `sops-init-gpg-key`: If you prefer having a separate GPG key, sops-nix also comes with a helper tool, `sops-init-gpg-key`:

51
modules/home-manager/sops.nix
View file

@ -231,6 +231,19 @@ in {
''; '';
}; };
qubes-split-gpg = {
enable = lib.mkEnableOption "Enable support for Qubes Split GPG feature: https://www.qubes-os.org/doc/split-gpg";
domain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "vault-gpg";
description = ''
It tells Qubes OS which secure Qube holds your GPG keys for isolated cryptographic operations.
'';
};
};
sshKeyPaths = lib.mkOption { sshKeyPaths = lib.mkOption {
type = lib.types.listOf lib.types.path; type = lib.types.listOf lib.types.path;
default = []; default = [];
@ -244,11 +257,24 @@ in {
config = lib.mkIf (cfg.secrets != {}) { config = lib.mkIf (cfg.secrets != {}) {
assertions = [{ assertions = [{
assertion = cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [] || cfg.age.keyFile != null || cfg.age.sshKeyPaths != []; assertion =
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home"; cfg.gnupg.home != null ||
cfg.gnupg.sshKeyPaths != [] ||
cfg.gnupg.qubes-split-gpg.enable == true ||
cfg.age.keyFile != null ||
cfg.age.sshKeyPaths != [];
message = "No key source configured for sops. Either set services.openssh.enable or set sops.age.keyFile or sops.gnupg.home or sops.gnupg.qubes-split-gpg.enable";
} { } {
assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != []); assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != []) &&
message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set"; !(cfg.gnupg.home != null && cfg.gnupg.qubes-split-gpg.enable == true) &&
!(cfg.gnupg.sshKeyPaths != [ ] && cfg.gnupg.qubes-split-gpg.enable == true);
message = "Exactly one of sops.gnupg.home, sops.gnupg.qubes-split-gpg.enable and sops.gnupg.sshKeyPaths must be set";
} {
assertion = cfg.gnupg.qubes-split-gpg.enable == false ||
(cfg.gnupg.qubes-split-gpg.enable == true &&
cfg.gnupg.qubes-split-gpg.domain != null &&
cfg.gnupg.qubes-split-gpg.domain != "");
message = "sops.gnupg.qubes-split-gpg.domain is required when sops.gnupg.qubes-split-gpg.enable is set to true";
}] ++ lib.optionals cfg.validateSopsFiles ( }] ++ lib.optionals cfg.validateSopsFiles (
lib.concatLists (lib.mapAttrsToList (name: secret: [{ lib.concatLists (lib.mapAttrsToList (name: secret: [{
assertion = builtins.pathExists secret.sopsFile; assertion = builtins.pathExists secret.sopsFile;
@ -256,12 +282,25 @@ in {
} { } {
assertion = assertion =
builtins.isPath secret.sopsFile || builtins.isPath secret.sopsFile ||
(builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile); (builtins.isString secret.sopsFile && lib.hasPrefix builtins.storeDir secret.sopsFile);
message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false"; message = "'${secret.sopsFile}' is not in the Nix store. Either add it to the Nix store or set sops.validateSopsFiles to false";
}]) cfg.secrets) }]) cfg.secrets)
); );
sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg"); home.sessionVariables = lib.mkIf cfg.gnupg.qubes-split-gpg.enable {
# TODO: Add this package to nixpkgs and use it from the store
# https://github.com/QubesOS/qubes-app-linux-split-gpg
SOPS_GPG_EXEC = "qubes-gpg-client-wrapper";
};
sops.environment = {
SOPS_GPG_EXEC = lib.mkMerge [
(lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg"))
(lib.mkIf cfg.gnupg.qubes-split-gpg.enable (lib.mkDefault config.home.sessionVariables.SOPS_GPG_EXEC))
];
QUBES_GPG_DOMAIN = lib.mkIf cfg.gnupg.qubes-split-gpg.enable (lib.mkDefault cfg.gnupg.qubes-split-gpg.domain);
};
systemd.user.services.sops-nix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux { systemd.user.services.sops-nix = lib.mkIf pkgs.stdenv.hostPlatform.isLinux {
Unit = { Unit = {