wip

nixos/base/bitwarden-secrets-module.nix

@@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+
+let
+ mkSecretService = name: config.secrets.${name};
+in
+{
+ options.secrets = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options.secret = lib.mkOption {
+ type = lib.types.str;
+ description = "Secret value";
+ };
+ options.destination = lib.mkOption {
+ type = lib.types.str;
+ description = "Destination path";
+ };
+ });
+ description = "Configuration for managing secrets";
+ };
+
+ config = lib.mkIf (config.secrets != { }) {
+ systemd.services.bws-secret-manager = {
+ description = "BWS Secret Manager Service";
+ path = [ pkgs.bws ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = ''
+ for secret in ${lib.mapAttrsToList (name: attrs: "${mkSecretService name}") config.secrets}; do
+ echo "Processing secret: $secret" >&2
+ bws secret get "${secret.secret}" --output=env --access-token=$(cat /etc/bitwarden-secrets.access-token) >> "${secret.destination}" || {
+ echo "Error executing bws secret get for ${secret.secret}" >&2
+ exit 1
+ }
+ done
+ '';
+ RemainAfterExit = true;
+ ExecStop = ''
+ for secret in ${lib.mapAttrsToList (name: attrs: "${mkSecretService name}") config.secrets}; do
+ rm -rf "${secret.destination}"
+ done
+ '';
+ };
+ };
+ };
+
+ secrets = [{
+ secret = "bws secret get MY_SECRET --output=env";
+ destination = "/run/my-secret-env";
+ }];
+}
+
+
+/*
+ { config, lib, pkgs, ... }:
+
+ {
+ options.secrets = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options.secret = lib.mkOption {
+ type = lib.types.str;
+ description = "Secret value";
+ };
+ options.destination = lib.mkOption {
+ type = lib.types.str;
+ description = "Destination path";
+ };
+ });
+ description = "Configuration for managing secrets";
+ };
+
+ config = lib.mkIf (config.secrets != {}) {
+ systemd.services.bws-secret-manager = {
+ description = "BWS Secret Manager Service";
+ path = [ pkgs.bws ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = ''
+ for secret in ${lib.concatStringsSep " " (lib.attrValues config.secrets)}; do
+ bws secret get ${secret.secret}' --output=env --access-token=$(cat /etc/bitwarden-secrets.access-token) >> ${secret.destination}
+ different language, but I think Black has a lot of good ideas end
+ '';
+ RemainAfterExit = true;
+ ExecStop = "rm -rf ${lib.concatStringsSep " " lib.attrValues config.secrets}";
+ };
+ };
+ };
+
+ secrets = [{
+ secret = "331f84ae-070b-4d5f-a380-b1f000249e3c";
+ destination = "/run/dash-secrets";
+ }];
+} */

nixos/base/bitwarden-secrets-module.old.nix

@@ -0,0 +1,53 @@
+{ pkgs, lib, config, options, ... }:
+let
+ cfg = config.bitwarden-secrets;
+ mkService: { name, secrets ? [] } = lib.mkOption {
+ path = [ cfg.package ];
+ before = [ "bitwarden-secrets-teardown.service" ];
+ unitConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ DynamicUser = true;
+ Exec = lib.map
+ (secret_id: ''
+ bws secret get ${secret_id} \
+ --output=env \
+ --access-token=$(cat /etc/bitwarden-secrets.access-token) \
+ >> /run/bitwarden-secrets/${name}
+ '')
+ secrets;
+ };
+ };
+in
+{
+ options.bitwarden-secrets = {
+ enable = lib.mkEnableOption "bitwarden-secrets";
+ package = lib.mkPackageOption pkgs "bws";
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd = {
+ slices.bitwarden-secrets = {
+ description = "Slice for Secrets from Bitwarden Secrets";
+ };
+
+ tmpfiles.rules = [
+ "d /run/bitwarden-secrets"
+ ]
+
+ services = {
+ bitwarden-secrets-teardown = {
+ description = "Service which deletes all secrets in /run/bitwarden-secrets, executed when the system is shutting down";
+ unitConfig = {
+ Type = "oneshot";
+ ExecStart = "true";
+ RemainAfterExit = true;
+ ExecStop = ''
+ rm -rf /run/bitwarden-secrets
+ '';
+ };
+ };
+ };
+};
+}
+}

nixos/base/default.nix

@@ -7,6 +7,7 @@
  ./networking.nix
  ./nix.nix
  ./shell.nix
+ ./bitwarden-secrets-module.nix
  ];
 
  config.programs.dconf.enable = true;