diff --git a/default.nix b/default.nix
index 22d82ea..07a076f 100644
--- a/default.nix
+++ b/default.nix
@@ -6,24 +6,22 @@
 # commands such as:
 # nix-build -A mypackage
 
-{ pkgs ? import { } }:
-
 {
+  pkgs ? import { },
+}:
+
+rec {
   # The `lib`, `modules`, and `overlays` names are special
   lib = import ./lib { inherit pkgs; }; # functions
-  modules = import ./modules; # NixOS modules
   overlays = import ./overlays; # nixpkgs overlays
 
-  # : DO NOT REMOVE THIS LINE
-  step-agent_0_65_6 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.6.nix { };
-  step-agent_0_65_5-rc2 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.5-rc2.nix { };
-  step-agent_0_65_5-rc1 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.5-rc1.nix { };
-  step-agent_0_65_4 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.4.nix { };
-  step-agent_0_65_2 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.2.nix { };
-  step-agent_0_65_1 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.1.nix { };
-  step-agent_0_65_0-rc21 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc21.nix { };
-  step-agent_0_65_0-rc20 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc20.nix { };
-  step-agent_0_65_0-rc19 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc19.nix { };
-  step-agent = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc11.nix { };
-  step-agent_0_65_0-rc11 = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.0-rc11.nix { };
+  nixosModules.step-agent = {
+    imports = [ ./modules/step-agent.nix ];
+    services.step-agent.package = pkgs.lib.mkDefault packages.step-agent;
+  };
+
+  packages = {
+    step-agent = pkgs.callPackage ./pkgs/step-agent/step-agent_0.65.6.nix { };
+  };
+
 }
diff --git a/modules/default.nix b/modules/default.nix
deleted file mode 100644
index ff6c7c0..0000000
--- a/modules/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  # Add your NixOS modules here
-  #
-  # my-module = ./my-module;
-}
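Review bot: `pkgs ? import <nixpkgs> { }` (the angle-bracket path appears stripped in this rendering) still resolves nixpkgs from `NIX_PATH` at evaluation time, so the single `packages.step-agent` this file now exposes — a prebuilt binary that the pkgs hunks below autopatchelf and wrap against whatever `tpm2-tss`, `tpm2-openssl`, `polkit` and `p11-kit` that channel provides — is not reproducible from the repository alone; for a credential-issuing agent that is worth pinning (a `fetchTarball` with a `sha256`, or a flake lock) or at least stating in the header comment. Dropping the versioned attributes also leaves `pkgs/step-agent/step-agent_0.65.0-rc11.nix`, `…-rc19.nix` and `…0.65.4.nix` unreachable yet still maintained (they are reformatted further down), so either delete them or list them under `packages` as versions you intend to support. Using `pkgs.lib.mkDefault` for `services.step-agent.package` is the right call, since a consumer can then override it without `mkForce`.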
diff --git a/modules/step-agent.nix b/modules/step-agent.nix
new file mode 100644
index 0000000..a985c18
--- /dev/null
+++ b/modules/step-agent.nix
@@ -0,0 +1,394 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.step-agent;
+in
+{
+  options.services.step-agent = {
+    enable = lib.mkEnableOption "Smallstep step-agent-plugin service https://github.com/smallstep/step-agent-plugin";
+
+    # TODO: make user / group configurable
+    settings = {
+      config = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The configuration file to use";
+      };
+
+      kms = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The KMS uri to use";
+      };
+
+      att = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The attester KMS uri to use";
+      };
+
+      certificate = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The certificate to use for bootstrapping";
+      };
+
+      token = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The login token to use";
+      };
+
+      tokenFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = "The path to the login token to use";
+      };
+
+      contact = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The contact email to use in the acme accounts";
+      };
+
+      cloud = lib.mkOption {
+        type = lib.types.nullOr (
+          lib.types.enum [
+            "aws"
+            "gcp"
+            "azure"
+          ]
+        );
+        default = null;
+        description = "Force agent to run as if cloud was detected (aws, gcp, azure)";
+      };
+
+      skipCloud = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Skip cloud detection";
+      };
+
+      team = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The team slug";
+      };
+
+      teamId = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The uuid of the team";
+      };
+
+      hostId = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The uuid of the host";
+      };
+
+      caUrl = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The certificate authority 'url' used to get the bootstrap token";
+      };
+
+      fingerprint = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The certificate authority root fingerprint";
+      };
+
+      provisioner = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The certificate authority provisioner to use";
+      };
+
+      password = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The password of a JWK provisioner key";
+      };
+
+      passwordFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = "The file containing the password of JWK provisioner key";
+      };
+
+      apiUrl = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The url where the Smallstep API can be found";
+      };
+
+      attestationCaUrl = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The url for the Smallstep Attestation CA";
+      };
+
+      attestationCaSlug = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The slug for the Attestation CA to use";
+      };
+
+      tpmDevice = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The name of the TPM device to use";
+      };
+
+      tpmStorageDirectory = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = "The TPM storage directory path";
+      };
+
+      x5cCert = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The uri or file containing the certificate chain to use with an X5C provisioner";
+      };
+
+      x5cKey = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The uri or file containing the key to use with an X5C provisioner";
+      };
+
+      permanentIdentifier = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The permanent-identifier value to use";
+      };
+
+      identityToken = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "A one-time-token for accessing the CA during the agent identity signing request";
+      };
+
+      agentPath = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The path to the directory to write the service certificates";
+      };
+
+      pidfile = lib.mkOption {
+        type = lib.types.str;
+        default = "/run/step-agent/step-agent.pid";
+        description = "The path to the file to read the process ID from";
+      };
+
+      ipc = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The path to the UNIX socket the IPC service binds on. May be prefixed with an '@' to denote an abstract socket";
+      };
+
+      disableReloader = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Disable endpoint reloader server";
+      };
+
+      reloader = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The path to the UNIX socket the endpoint reloader service binds on. May be prefixed with an '@' to denote an abstract socket";
+      };
+
+      register = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Register this host with the provided login token";
+      };
+
+      ipcBootstrap = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Wait for bootstrapping via IPC";
+      };
+
+      login = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Use the interactive login method";
+      };
+
+      loginDomain = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "Specify the login domain";
+      };
+
+      pkcs11 = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The path to the UNIX socket the PKCS11 server binds on";
+      };
+
+      sshAgent = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "The path to the UNIX socket the ssh-agent service binds on";
+      };
+
+      sshKey = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        description = "The path to the SSH key";
+      };
+
+      logDir = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "Directory path for storing agent logs";
+      };
+
+      logLevel = lib.mkOption {
+        type = lib.types.nullOr (
+          lib.types.enum [
+            "debug"
+            "info"
+            "warn"
+            "error"
+          ]
+        );
+        default = null;
+        description = "Log level: debug, info, warn or error";
+      };
+
+      pprof = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Enable the pprof server for debugging";
+      };
+    };
+
+    package = lib.mkPackageOption pkgs "step-agent" { };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      users.step-agent = {
+        isSystemUser = true;
+        group = "step-agent";
+        home = "/var/lib/step-agent";
+        createHome = false;
+      };
+      groups.step-agent = { };
+    };
+
+    systemd.services.step-agent = {
+      after = [
+        "network-online.target"
+        "step-agent-swtpm.service"
+      ];
+      description = "Smallstep Agent";
+      documentation = [
+        "https://u.step.sm/docs/agent"
+      ];
+      requires = [
+        "network-online.target"
+      ];
+      wantedBy = [
+        "multi-user.target"
+      ];
+      wants = [
+        "step-agent-swtpm.service"
+      ];
+      environment = {
+        HOME = "/var/lib/step-agent";
+        RUNTIME_DIRECTORY = "/run/step-agent";
+      };
+      unitConfig = {
+        ConditionPathIsReadWrite = "/etc/step-agent/agent.yaml";
+      };
+      serviceConfig = {
+        User = "step-agent";
+        Group = "step-agent";
+        ConfigurationDirectory = "step-agent";
+        StateDirectory = "step-agent";
+        Type = "notify";
+        WatchdogSec = "60s";
+        # ProtectSystem = "yes"; # what stops us from using strict
+        # ProtectHome = "read-only";
+        # PrivateTmp = true;
+        # SecureBits = "keep-caps";
+        # AmbientCapabilities = "CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER";
+        # CapabilityBoundingSet = "CAP_SYSLOG CAP_IPC_LOCK CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER";
+        ExecStart =
+          let
+            flags = lib.cli.toGNUCommandLine { } {
+              config = cfg.settings.config;
+              kms = cfg.settings.kms;
+              att = cfg.settings.att;
+              certificate = cfg.settings.certificate;
+              token = cfg.settings.token;
+              token-file = cfg.settings.tokenFile;
+              contact = cfg.settings.contact;
+              cloud = cfg.settings.cloud;
+              skip-cloud = cfg.settings.skipCloud;
+              team = cfg.settings.team;
+              team-id = cfg.settings.teamId;
+              host-id = cfg.settings.hostId;
+              ca-url = cfg.settings.caUrl;
+              fingerprint = cfg.settings.fingerprint;
+              provisioner = cfg.settings.provisioner;
+              password = cfg.settings.password;
+              password-file = cfg.settings.passwordFile;
+              api-url = cfg.settings.apiUrl;
+              attestation-ca-url = cfg.settings.attestationCaUrl;
+              attestation-ca-slug = cfg.settings.attestationCaSlug;
+              tpm-device = cfg.settings.tpmDevice;
+              tpm-storage-directory = cfg.settings.tpmStorageDirectory;
+              x5c-cert = cfg.settings.x5cCert;
+              x5c-key = cfg.settings.x5cKey;
+              permanent-identifier = cfg.settings.permanentIdentifier;
+              identity-token = cfg.settings.identityToken;
+              agent-path = cfg.settings.agentPath;
+              pidfile = cfg.settings.pidfile;
+              ipc = cfg.settings.ipc;
+              disable-reloader = cfg.settings.disableReloader;
+              reloader = cfg.settings.reloader;
+              register = cfg.settings.register;
+              ipc-bootstrap = cfg.settings.ipcBootstrap;
+              login = cfg.settings.login;
+              login-domain = cfg.settings.loginDomain;
+              pkcs11 = cfg.settings.pkcs11;
+              ssh-agent = cfg.settings.sshAgent;
+              ssh-key = cfg.settings.sshKey;
+              log-dir = cfg.settings.logDir;
+              log-level = cfg.settings.logLevel;
+              pprof = cfg.settings.pprof;
+            };
+          in
+          "${lib.getExe cfg.package} start ${lib.escapeShellArgs flags}";
+
+        ExecReload = "/bin/kill -HUP $MAINPID";
+        DeviceAllow = "/dev/tpmrm0 rw";
+        # ReadWritePaths = [
+        #   "-/dev/tpmrm0"
+        #   "-/run/step-agent/swtpm.sock"
+        #   cfg.settings.agentPath
+        # ];
+        LimitNOFILE = 65536;
+        LimitMEMLOCK = "infinity";
+        Restart = "always";
+        RestartSec = 10;
+      };
+
+    };
+    systemd.tmpfiles.rules = [
+      "d /run/step-agent 0750 step-agent step-agent - -"
+    ];
+  };
+}
diff --git a/pkgs/step-agent/step-agent_0.65.0-rc11.nix b/pkgs/step-agent/step-agent_0.65.0-rc11.nix
index 88dbec1..0588460 100644
--- a/pkgs/step-agent/step-agent_0.65.0-rc11.nix
+++ b/pkgs/step-agent/step-agent_0.65.0-rc11.nix
@@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation {
 
   sourceRoot = ".";
 
-  nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
+  nativeBuildInputs = [
+    installShellFiles
+    makeWrapper
+  ]
+  ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
 
   buildInputs = lib.optionals stdenvNoCC.isLinux [
     stdenv.cc.cc.lib
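Review bot: The `token`, `password` and `identityToken` options in `settings` are plain strings that `lib.cli.toGNUCommandLine` in `ExecStart` turns into command-line flags, so any secret set that way is copied into the world-readable Nix store and is visible in the unit's command line (`/proc/<pid>/cmdline`, `systemctl show`); since `tokenFile`/`passwordFile` already exist the module should refuse the inline forms with an assertion, and `tokenFile`, `passwordFile` and `sshKey` should be `types.str` rather than `types.path`, because a path literal given to `types.path` is itself copied into the store. The service also runs with every hardening directive commented out while it binds IPC, PKCS#11 and ssh-agent sockets and opens the TPM; answering the `# what stops us from using strict` comment, nothing does, since `StateDirectory`, `ConfigurationDirectory` and `RuntimeDirectory` are made writable automatically under `ProtectSystem = "strict"` and only `agentPath` and any socket directories need `ReadWritePaths`. `ExecReload = "/bin/kill -HUP $MAINPID"` will fail on NixOS, which ships no `/bin/kill`; use `${pkgs.coreutils}/bin/kill` (or `util-linux`). Because the unit runs as an unprivileged user, it presumably also needs `extraGroups = [ "tss" ]` on `users.users.step-agent` to open `/dev/tpmrm0` if the node is `tss`-group-owned as NixOS's TPM udev rule sets it — confirm against the target hosts. The sketch below adds the assertion and the hardened `serviceConfig`, with `RuntimeDirectory` replacing the hand-written tmpfiles rule and `RUNTIME_DIRECTORY` environment variable.
```nix
  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.settings.token == null && cfg.settings.password == null;
        message = "services.step-agent: use settings.tokenFile / settings.passwordFile; settings.token and settings.password would be written to the Nix store and shown in the unit's command line.";
      }
    ];
    warnings = lib.optional (cfg.settings.identityToken != null)
      "services.step-agent.settings.identityToken is passed on the command line and stored in the Nix store.";

    # … unchanged: users, systemd.services.step-agent unit metadata, environment (minus RUNTIME_DIRECTORY), unitConfig …

      serviceConfig = {
        # … unchanged: User, Group, ConfigurationDirectory, StateDirectory, Type, WatchdogSec, ExecStart …
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        # systemd creates /run/step-agent and exports RUNTIME_DIRECTORY itself
        RuntimeDirectory = "step-agent";
        RuntimeDirectoryMode = "0750";
        DevicePolicy = "closed";
        DeviceAllow = [ "/dev/tpmrm0 rw" ];
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RestrictSUIDSGID = true;
        # State/Configuration/RuntimeDirectory are writable under "strict" automatically;
        # only the certificate output directory (and socket directories, if set) need listing.
        ReadWritePaths = lib.optional (cfg.settings.agentPath != null) cfg.settings.agentPath;
        # … unchanged: LimitNOFILE, LimitMEMLOCK, Restart, RestartSec …
      };
```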
@@ -45,10 +49,21 @@ stdenvNoCC.mkDerivation {
   installPhase = ''
     mkdir -p $out/bin
     cp -vr ./step-agent $out/bin/step-agent
-    wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])}
+    wrapProgram $out/bin/step-agent --prefix PATH : ${
+      lib.makeBinPath (
+        lib.optionals stdenvNoCC.isLinux [
+          tpm2-tss
+          tpm2-openssl
+          desktop-file-utils
+          polkit
+          p11-kit
+        ]
+      )
+    }
   '';
 
   meta = {
+    mainProgram = "step-agent";
     description = "step-agent-plugin is an automated certificate management agent plugin for step-cli.";
     homepage = "https://github.com/smallstep/step-agent-plugin/";
diff --git a/pkgs/step-agent/step-agent_0.65.0-rc19.nix b/pkgs/step-agent/step-agent_0.65.0-rc19.nix
index b3365f6..c96e45d 100644
--- a/pkgs/step-agent/step-agent_0.65.0-rc19.nix
+++ b/pkgs/step-agent/step-agent_0.65.0-rc19.nix
@@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation {
 
   sourceRoot = ".";
 
-  nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
+  nativeBuildInputs = [
+    installShellFiles
+    makeWrapper
+  ]
+  ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
 
   buildInputs = lib.optionals stdenvNoCC.isLinux [
     stdenv.cc.cc.lib
@@ -45,7 +49,17 @@ stdenvNoCC.mkDerivation {
   installPhase = ''
     mkdir -p $out/bin
     cp -vr ./step-agent $out/bin/step-agent
-    wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])}
+    wrapProgram $out/bin/step-agent --prefix PATH : ${
+      lib.makeBinPath (
+        lib.optionals stdenvNoCC.isLinux [
+          tpm2-tss
+          tpm2-openssl
+          desktop-file-utils
+          polkit
+          p11-kit
+        ]
+      )
+    }
   '';
 
   meta = {
diff --git a/pkgs/step-agent/step-agent_0.65.4.nix b/pkgs/step-agent/step-agent_0.65.4.nix
index 727fb1c..b01ecf2 100644
--- a/pkgs/step-agent/step-agent_0.65.4.nix
+++ b/pkgs/step-agent/step-agent_0.65.4.nix
@@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation {
 
   sourceRoot = ".";
 
-  nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
+  nativeBuildInputs = [
+    installShellFiles
+    makeWrapper
+  ]
+  ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
 
   buildInputs = lib.optionals stdenvNoCC.isLinux [
     stdenv.cc.cc.lib
@@ -45,10 +49,21 @@ stdenvNoCC.mkDerivation {
   installPhase = ''
     mkdir -p $out/bin
     cp -vr ./step-agent $out/bin/step-agent
-    wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])}
+    wrapProgram $out/bin/step-agent --prefix PATH : ${
+      lib.makeBinPath (
+        lib.optionals stdenvNoCC.isLinux [
+          tpm2-tss
+          tpm2-openssl
+          desktop-file-utils
+          polkit
+          p11-kit
+        ]
+      )
+    }
   '';
 
   meta = {
+    mainProgram = "step-agent";
     description = "step-agent-plugin is an automated certificate management agent plugin for step-cli.";
     homepage = "https://github.com/smallstep/step-agent-plugin/";
diff --git a/pkgs/step-agent/step-agent_0.65.6.nix b/pkgs/step-agent/step-agent_0.65.6.nix
index c58d95a..e4366d6 100644
--- a/pkgs/step-agent/step-agent_0.65.6.nix
+++ b/pkgs/step-agent/step-agent_0.65.6.nix
@@ -36,7 +36,11 @@ stdenvNoCC.mkDerivation {
 
   sourceRoot = ".";
 
-  nativeBuildInputs = [ installShellFiles makeWrapper ] ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
+  nativeBuildInputs = [
+    installShellFiles
+    makeWrapper
+  ]
+  ++ lib.optionals stdenvNoCC.isLinux [ autoPatchelfHook ];
 
   buildInputs = lib.optionals stdenvNoCC.isLinux [
     stdenv.cc.cc.lib
@@ -45,10 +49,21 @@ stdenvNoCC.mkDerivation {
   installPhase = ''
     mkdir -p $out/bin
     cp -vr ./step-agent $out/bin/step-agent
-    wrapProgram $out/bin/step-agent --prefix PATH : ${lib.makeBinPath (lib.optionals stdenvNoCC.isLinux [ tpm2-tss tpm2-openssl desktop-file-utils polkit p11-kit ])}
+    wrapProgram $out/bin/step-agent --prefix PATH : ${
+      lib.makeBinPath (
+        lib.optionals stdenvNoCC.isLinux [
+          tpm2-tss
+          tpm2-openssl
+          desktop-file-utils
+          polkit
+          p11-kit
+        ]
+      )
+    }
   '';
 
   meta = {
+    mainProgram = "step-agent";
     description = "step-agent-plugin is an automated certificate management agent plugin for step-cli.";
     homepage = "https://github.com/smallstep/step-agent-plugin/";