-rw-r--r-- | .envrc | 1 | ||||
-rw-r--r-- | default.nix | 13 | ||||
-rwxr-xr-x | tools/bin/__dispatch.sh | 3 | ||||
l--------- | tools/bin/pass | 1 | ||||
-rw-r--r-- | tools/kms_pass/default.nix | 60 |
5 files changed, 78 insertions, 0 deletions
diff --git a/.envrc b/.envrc
index d89bcd9d66f2..6b3ce7ebbb1e 100644
--- a/.envrc
+++ b/.envrc
@@ -4,3 +4,4 @@ export PATH="${PWD}/tools/bin:${PATH}"
 export NIX_PATH="nixpkgs=${PWD}/default.nix"
 export REPO_ROOT="${PWD}"
+export SECRETS_DIR="${PWD}/secrets"
diff --git a/default.nix b/default.nix
index ed6258108d5b..3b5736a19261 100644
--- a/default.nix
+++ b/default.nix
@@ -28,6 +28,13 @@ let
 blog = self.callPackage ./services/tazblog {};
 blog_cli = self.callPackage ./tools/blog_cli {};
 gemma = self.callPackage ./services/gemma {};
+
+ kms_pass = self.callPackage ./tools/kms_pass {
+ project = "tazjins-infrastructure";
+ region = "europe-north1";
+ keyring = "tazjins-keys";
+ key = "kontemplate-key";
+ };
 };
 # Third-party projects (either vendored or modified from nixpkgs) go here:
@@ -49,6 +56,12 @@ let
 sha256 = "1wn7nmb1cqfk2j91l3rwc6yhimfkzxprb8wknw5wi57yhq9m6lv1";
 }) {}).elmPackages;
+ # Wrap kontemplate to inject the Cloud KMS version of 'pass'
+ kontemplate = self.writeShellScriptBin "kontemplate" ''
+ export PATH="${self.tazjin.kms_pass}/bin:$PATH"
+ exec ${super.kontemplate}/bin/kontemplate $@
+ '';
+
 # One of Gemma's dependencies is missing in nixpkgs' Quicklisp
 # package set, it is overlaid locally here.
 lispPackages = import ./third_party/common_lisp/quicklisp.nix {
diff --git a/tools/bin/__dispatch.sh b/tools/bin/__dispatch.sh
index 09b404f3b33d..20848bd5118c 100755
--- a/tools/bin/__dispatch.sh
+++ b/tools/bin/__dispatch.sh
@@ -22,6 +22,9 @@ case "${TARGET_TOOL}" in
 stern)
 attr="stern"
 ;;
+ pass)
+ attr="tazjin.kms_pass"
+ ;;
 *)
 echo "The tool '${TARGET_TOOL}' is currently not installed in this repository."
 exit 1
diff --git a/tools/bin/pass b/tools/bin/pass
new file mode 120000
index 000000000000..8390ec9c9652
--- /dev/null
+++ b/tools/bin/pass
@@ -0,0 +1 @@
+__dispatch.sh
\ No newline at end of file
diff --git a/tools/kms_pass/default.nix b/tools/kms_pass/default.nix
new file mode 100644
index 000000000000..fbc17650a948
--- /dev/null
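Review bot: `exec ${super.kontemplate}/bin/kontemplate $@` in the second default.nix hunk leaves `$@` unquoted, so any argument containing whitespace or glob characters is re-split or expanded by the wrapper before it reaches the real binary; it should read `exec ${super.kontemplate}/bin/kontemplate "$@"`. The wrapper also prepends the KMS `pass` to PATH unconditionally, which looks intentional, but a one-line comment such as `# Shadows any system 'pass' for kontemplate invocations only` would make that explicit for the next reader.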
+++ b/tools/kms_pass/default.nix
@@ -0,0 +1,60 @@
+# This tool mimics a subset of the interface of 'pass', but uses
+# Google Cloud KMS for encryption.
+#
+# It is intended to be compatible with how 'kontemplate' invokes
+# 'pass.'
+#
+# Only the 'show' and 'insert' commands are supported.
+
+{ google-cloud-sdk, tree, writeShellScriptBin
+, project, region, keyring, key }:
+
+writeShellScriptBin "pass" ''
+ set -eo pipefail
+
+ CMD="$1"
+ readonly SECRET=$2
+ readonly SECRET_PATH="$SECRETS_DIR/$SECRET"
+
+ function secret_check {
+ if [[ -z $SECRET ]]; then
+ echo 'Secret must be specified'
+ exit 1
+ fi
+ }
+
+ if [[ -z $CMD ]]; then
+ CMD="ls"
+ fi
+
+ case "$CMD" in
+ ls)
+ ${tree}/bin/tree $SECRETS_DIR
+ ;;
+ show)
+ secret_check
+ ${google-cloud-sdk}/bin/gcloud kms decrypt \
+ --project ${project} \
+ --location ${region} \
+ --keyring ${keyring} \
+ --key ${key} \
+ --ciphertext-file $SECRET_PATH \
+ --plaintext-file -
+ ;;
+ insert)
+ secret_check
+ ${google-cloud-sdk}/bin/gcloud kms encrypt \
+ --project ${project} \
+ --location ${region} \
+ --keyring ${keyring} \
+ --key ${key} \
+ --ciphertext-file $SECRET_PATH \
+ --plaintext-file -
+ echo "Inserted secret '$SECRET'"
+ ;;
+ *)
+ echo "Usage: pass show/insert <secret>"
+ exit 1
+ ;;
+ esac
+''
|
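Review bot: `readonly SECRET_PATH="$SECRETS_DIR/$SECRET"` is built from an unvalidated argument before `secret_check` runs, so a secret name containing `..` or starting with `/` resolves to a ciphertext file outside `$SECRETS_DIR`, and because the script enables only `set -eo pipefail` (no `-u`) an unset `SECRETS_DIR` silently turns the path into one directly under `/`. The expansions handed to `tree` and to `--ciphertext-file` are also unquoted, so a name with whitespace is split into several arguments. I would have `secret_check` verify that `SECRETS_DIR` is set and reject names that escape it, and quote `"$SECRETS_DIR"` and `"$SECRET_PATH"` at the three call sites. `insert` additionally overwrites an existing ciphertext file without any prompt, unlike the `pass insert` it mimics; if that is intentional it belongs in the header comment.
```nix
  function secret_check {
    if [[ -z $SECRETS_DIR ]]; then
      echo 'SECRETS_DIR must be set'
      exit 1
    fi
    if [[ -z $SECRET ]]; then
      echo 'Secret must be specified'
      exit 1
    fi
    # Keep the ciphertext path inside SECRETS_DIR
    case "$SECRET" in
      /*|*..*)
        echo "Invalid secret name '$SECRET'"
        exit 1
        ;;
    esac
  }
  # … unchanged: CMD default and case dispatch …
      ${tree}/bin/tree "$SECRETS_DIR"
  # … unchanged: gcloud project/location/keyring/key flags …
        --ciphertext-file "$SECRET_PATH" \
```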