commit 2b74eede40bca050694f7731207c16b8c5c3ba79
author Skyler Grey <sky@a.starrysky.fyi> Fri Aug 02 19:01:48 2024 +0000
committer Skyler Grey <minion@clicks.codes> Fri Aug 02 19:46:49 2024 +0000
tree d7c8f3269bb92c52111f5de73dddb7318d703e58
parent 2c9c3e7b56d4573bbc9b7c694941627e2fd266fb

feat(secrets): Base names on encrypted contents

This is useful, for example, to make systemd services restart without
fiddling with restart triggers. In sops we achieved this by setting the
attribute name using a function - this isn't possible with agenix-rekey
because it needs to evaluate secrets (including their attribute names)
when the files don't yet exist

Despite this, we can still set the "name" - which is used only when
rekeying and deploying the secret - and manually handle attribute names

Change-Id: Ia49c7fe9eb55341f433cbb7c49935584b48518fe
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/806
Tested-by: Skyler Grey <minion@clicks.codes>
Reviewed-by: Skyler Grey <minion@clicks.codes>

modules/nixos/clicks/security/secrets/instability/default.nix

diff --git a/modules/nixos/clicks/security/secrets/instability/default.nix b/modules/nixos/clicks/security/secrets/instability/default.nix
new file mode 100644
index 0000000..f1362a4
--- /dev/null
+++ b/modules/nixos/clicks/security/secrets/instability/default.nix
@@ -0,0 +1,51 @@
+{ config, lib, ... }: {
+  options.clicks.security.secrets.instability.enable = lib.mkOption {
+    description = ''
+      Enable changing secret names using instability by default
+
+      This is useful, for example, to make systemd services restart without
+      fiddling with restart triggers, but could be detrimental to services like
+      nginx which can reload with zero downtime (but won't necessarily do so if
+      you swap secret files from under them)
+
+      This also works with agenix-rekey, and if you're using that then the
+      secret name will be based on the rekeyFile
+      '';
+    type = lib.types.bool;
+    default = config.clicks.security.secrets.enable;
+  };
+
+  options.age = {
+    # Extend age.secrets with the ability to have an unstable name
+    secrets = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule (submodule: {
+        options = {
+          unstableName = lib.mkOption {
+            type = lib.types.bool;
+            default = config.clicks.security.secrets.instability.enable;
+            example = true;
+            description = ''
+              Whether the name of this secret should be based on the (encrypted)
+              contents of its file
+
+              This is useful, for example, to make systemd services restart
+              without fiddling with restart triggers, but could be detrimental
+              to services like nginx which can reload with zero downtime (but
+              won't necessarily do so if you swap secret files from under them)
+
+              This also works with agenix-rekey, and if you're using that then
+              the secret name will be based on the rekeyFile
+            '';
+          };
+        };
+        config = {
+          # Calculate the name as the sha256 hash of the rekeyFile or file... whichever happens to exist for this secret
+          name = let
+            dependency = submodule.config.rekeyFile or submodule.config.file;
+            hash = builtins.hashFile "sha256" dependency;
+          in lib.mkIf submodule.config.unstableName hash;
+        };
+      }));
+    };
+  };
+}