fix: avoid realizing store paths which do not yet exist

- while secrets generation is not yet out of band, the realizations cannot depend on paths that are yet to be generated
input-output-hk · Jan 12, 2022 · 2175494 · 2175494
1 parent 88e04a5
commit 2175494
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 18 deletions.
diff --git a/modules/secrets.nix b/modules/secrets.nix
@@ -85,12 +85,6 @@ in {
     };
   };
 
-  config.assertions = lib.flip lib.mapAttrsToList config.secrets.install
-    (name: cfg: {
-      assertion = cfg.source == null || builtins.pathExists cfg.source;
-      message = ''secrets: source path "${cfg.source}" must exist.'';
-    });
-
   config.systemd.services = lib.flip lib.mapAttrs' config.secrets.install
     (name: cfg:
       lib.nameValuePair "secret-${name}" {

diff --git a/profiles/auxiliaries/builder.nix b/profiles/auxiliaries/builder.nix
@@ -87,7 +87,7 @@ in {
     builder = {
       isSystemUser = true;
       openssh.authorizedKeys.keyFiles =
-        [ (config.secrets.encryptedRoot + "/nix-builder-key.pub") ];
+        [ ((toString config.secrets.encryptedRoot) + "/nix-builder-key.pub") ];
       shell = pkgs.bashInteractive;
     };
   };

diff --git a/profiles/auxiliaries/docker-registry.nix b/profiles/auxiliaries/docker-registry.nix
@@ -42,7 +42,7 @@
   '';
 
   secrets.install.redis-password = {
-    source = config.secrets.encryptedRoot + "/redis-password.json";
+    source = (toString config.secrets.encryptedRoot) + "/redis-password.json";
     target = /run/keys/redis-password;
     inputType = "binary";
     outputType = "binary";
@@ -67,7 +67,7 @@
   '';
 
   secrets.install.docker-passwords = {
-    source = config.secrets.encryptedRoot + "/docker-passwords.json";
+    source = (toString config.secrets.encryptedRoot) + "/docker-passwords.json";
     target = /run/keys/docker-passwords-decrypted;
     script = ''
       export PATH="${lib.makeBinPath (with pkgs; [ coreutils jq ])}"

diff --git a/profiles/auxiliaries/oauth.nix b/profiles/auxiliaries/oauth.nix
@@ -22,7 +22,7 @@
   secrets.install.oauth.script = ''
     export PATH="${lib.makeBinPath (with pkgs; [ sops coreutils ])}"
 
-    cat ${config.secrets.encryptedRoot + "/oauth-secrets"} \
+    cat ${(toString config.secrets.encryptedRoot) + "/oauth-secrets"} \
       | sops -d /dev/stdin \
       > /run/keys/oauth-secrets
 

diff --git a/profiles/auxiliaries/secrets.nix b/profiles/auxiliaries/secrets.nix
@@ -4,6 +4,8 @@ let
     "${pkgs.sops}/bin/sops --encrypt --input-type json --kms '${config.cluster.kms}' /dev/stdin";
 
   sopsDecrypt = path:
+    # NB: we can't work on store paths that don't yet exist before they are generated
+    assert lib.assertMsg (builtins.isString path) "sopsDecrypt: path must be a string ${toString path}";
     "${pkgs.sops}/bin/sops --decrypt --input-type json ${path}";
 
   isInstance = config.currentCoreNode != null;
@@ -92,17 +94,17 @@ in {
   '';
 
   secrets.install.nomad-server = lib.mkIf isInstance {
-    source = config.secrets.encryptedRoot + "/nomad.json";
+    source = (toString config.secrets.encryptedRoot) + "/nomad.json";
     target = gossipEncryptionMaterial.nomad;
   };
 
   secrets.install.consul-server = lib.mkIf isInstance {
-    source = config.secrets.encryptedRoot + "/consul-core.json";
+    source = (toString config.secrets.encryptedRoot) + "/consul-core.json";
     target = gossipEncryptionMaterial.consul;
   };
 
   secrets.install.consul-clients = lib.mkIf (!isInstance) {
-    source = config.secrets.encryptedRoot + "/consul-clients.json";
+    source = (toString config.secrets.encryptedRoot) + "/consul-clients.json";
     target = gossipEncryptionMaterial.consul;
     script = ''
       ${pkgs.systemd}/bin/systemctl restart consul.service
@@ -182,7 +184,7 @@ in {
   secrets.install.certs = lib.mkIf isInstance {
     script = ''
       export PATH="${lib.makeBinPath (with pkgs; [ cfssl jq coreutils ])}"
-      cert="$(${sopsDecrypt (config.secrets.encryptedRoot + "/cert.json")})"
+      cert="$(${sopsDecrypt ((toString config.secrets.encryptedRoot) + "/cert.json")})"
       echo "$cert" | cfssljson -bare cert
       cp ${builtins.baseNameOf pkiFiles.certFile} ${pkiFiles.certFile}
       cp ${builtins.baseNameOf pkiFiles.keyFile} ${pkiFiles.keyFile}

diff --git a/profiles/bootstrap/default.nix b/profiles/bootstrap/default.nix
@@ -14,15 +14,15 @@ let
 
   initialVaultSecrets = ''
     sops --decrypt --extract '["encrypt"]' ${
-      config.secrets.encryptedRoot + "/consul-clients.json"
+      (toString config.secrets.encryptedRoot) + "/consul-clients.json"
     } | vault kv put kv/bootstrap/clients/consul encrypt=-
 
     sops --decrypt --extract '["server"]["encrypt"]' ${
-      config.secrets.encryptedRoot + "/nomad.json"
+      (toString config.secrets.encryptedRoot) + "/nomad.json"
     } | vault kv put kv/bootstrap/clients/nomad encrypt=-
 
     sops --decrypt ${
-      config.secrets.encryptedRoot + "/nix-cache.json"
+      (toString config.secrets.encryptedRoot) + "/nix-cache.json"
     } | vault kv put kv/bootstrap/cache/nix-key -
   '';
 

diff --git a/profiles/monitoring.nix b/profiles/monitoring.nix
@@ -95,7 +95,7 @@
 
     mkdir -p /var/lib/grafana
 
-    cat ${config.secrets.encryptedRoot + "/grafana-password.json"} \
+    cat ${(toString config.secrets.encryptedRoot) + "/grafana-password.json"} \
       | sops -d /dev/stdin \
       > /var/lib/grafana/password
   '';