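# Systemd units that turn an AppRole role_id/secret_id pair into a Vault token
# stored at rootTokenPath, keep that token renewed, and gate the rest of the
# machine's services behind turnkey.target.
#
# Arguments:
#   pkgs          - nixpkgs set (vault-bin, util-linux, writeShellScript)
#   rootTokenPath - file holding the Vault token; written by the unlock unit,
#                   read by the renewal unit, both as root
#   mkDescription - helper that builds a unit description string
#   roleIDPath    - file holding the AppRole role_id (deleted after use)
#   secretIDPath  - file holding the AppRole secret_id (deleted after use)
{ pkgs, rootTokenPath, mkDescription, roleIDPath, secretIDPath, ... }:
let
  # Single place for the Vault address used by both units.
  vaultAddr = "https://vault.emerald.city:8200";
in {
  mkService = {
    # Oneshot that renews the token stored in rootTokenPath; fired by the
    # timer in mkTimer below.
    turnkey-root = {
      after = [ "turnkey.target" ];
      path = [ pkgs.vault-bin pkgs.util-linux ];
      environment.VAULT_ADDR = vaultAddr;
      description = mkDescription "Root Token Renewal";
      serviceConfig = {
        User = "root";
        Group = "root";
        Type = "oneshot";
        RemainAfterExit = "no";
        ExecStart = pkgs.writeShellScript "turnkey-renew.sh" ''
          set -euo pipefail
          # Read the token into a shell variable while holding a shared lock on
          # the file descriptor. The previous form expanded $(cat ...) into the
          # `flock -c "..."` string, so the token was read before the lock was
          # taken and was visible in the argv of flock and of its shell.
          exec 9<"${rootTokenPath}"
          flock -s 9
          token="$(cat "${rootTokenPath}")"
          exec 9<&-
          if [ -z "$token" ]; then
            echo "No root token in ${rootTokenPath}, nothing to renew." >&2
            exit 1
          fi
          # VAULT_TOKEN keeps the token out of argv. stdout is discarded because
          # `vault token renew` echoes the token, which would land in the
          # journal; stderr is kept so a failing renewal is no longer silent.
          VAULT_TOKEN="$token" vault token renew >/dev/null
        '';
      };
    };
  };

  mkTimer = {
    turnkey-root-renew = {
      enable = true;
      wantedBy = [ "turnkey.target" ];
      after = [ "turnkey-unlock.service" ];
      description = mkDescription "Root Token Renewal Timer";
      # NOTE(review): the renewal service above is named turnkey-root and the
      # unlock unit below is named turnkey, while this timer is named
      # turnkey-root-renew and orders itself after turnkey-unlock.service.
      # Unless the consumer of mkTimer sets timerConfig.Unit and rewrites the
      # names, systemd will look for turnkey-root-renew.service -- confirm.
      timerConfig.OnCalendar = "*:0/1"; # Every minute
      timerConfig.RandomizedDelaySec = "10s";
    };
  };

  mkUnlockOneshot = {
    # Responsible for turning the role/secret -> root token and starting
    # all the other services by isolating to the target
    turnkey = {
      after = [ "multi-user.target" ];
      path = [ pkgs.vault-bin pkgs.util-linux ];
      environment.VAULT_ADDR = vaultAddr;
      description = mkDescription "Root Token Unlock Script";
      bindsTo = [ "turnkey.target" ];
      serviceConfig = {
        User = "root";
        Group = "root";
        RemainAfterExit = "yes";
        ExecStart = pkgs.writeShellScript "turnkey-unlock.sh" ''
          set -euo pipefail
          # Nothing created here may be readable by other local users; the
          # token file was previously created with the default umask.
          umask 077
          # Take the exclusive side of the lock the renewal unit holds in
          # shared mode. `9>>` creates the file if missing without truncating
          # it, so the non-empty check below still decides whether to log in.
          exec 9>>"${rootTokenPath}"
          flock -x 9
          chmod 600 "${rootTokenPath}"
          if [ -n "$(cat "${rootTokenPath}")" ]; then
            echo "Already have a root token, skipping."
            exit 0
          fi
          # Capture the token in a variable instead of redirecting straight into
          # the file: a failed login no longer leaves behind an empty file, and
          # the token never has to be re-read via $(cat ...) on a command line.
          # role_id/secret_id are still passed as arguments here, as before.
          if ! token="$(vault write -field=token auth/approle/login \
                role_id="$(cat "${roleIDPath}")" \
                secret_id="$(cat "${secretIDPath}")")"; then
            echo "ERROR: Could not authorize with provided keys." >&2
            exit 1
          fi
          if [ -z "$token" ]; then
            echo "ERROR: Vault returned an empty token." >&2
            exit 1
          fi
          # printf is a shell builtin, so the token does not appear in argv;
          # writing in place keeps the inode the renewal unit locks.
          printf '%s\n' "$token" > "${rootTokenPath}"
          exec 9>&-
          echo "Keys installed, activating turnkey target"
          # Populate the CLI token helper for later use. The token is fed on
          # stdin rather than argv, and -no-print keeps `vault login` from
          # echoing the token into the journal. A failed login aborts the unit
          # under set -e, which replaces the earlier unchecked
          # `vault token capabilities` call.
          printf '%s\n' "$token" | vault login -no-print - >/dev/null
          systemctl isolate turnkey.target
        '';
        # The AppRole credentials are single-use from this unit's point of
        # view: remove them once the token exists, or if the unit stops.
        ExecStartPost = pkgs.writeShellScript "turnkey-start-post.sh" ''
          rm -f "${secretIDPath}"
          rm -f "${roleIDPath}"
        '';
        ExecStopPost = pkgs.writeShellScript "turnkey-stop-post.sh" ''
          rm -f "${secretIDPath}"
          rm -f "${roleIDPath}"
        '';
        ExecStop = pkgs.writeShellScript "turnkey-stop.sh" ''
          # FIXME: this should actually 'hibernate' the system, generating
          # a longterm token in rootTokenPath (like, 15m or some
          # max-build-time).
          #
          # The issue right now is that when I run the build against this
          # machine, it tries to start this script, but hangs because it's
          # already started.
          #
          # A workaround for now is to comment `rm` part of the script,
          # this is less safe, but it allows the build to complete without
          # dying because it can't find a secret/role pair.
          # flock -x ${rootTokenPath} -c "rm -f ${rootTokenPath}"
          systemctl stop turnkey.target
        '';
      };
    };
  };
}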