

Add configuration option to use tmpfs in place of ramfs (#355)
Allow use of tmpfs in place of ramfs via the `useTmpfs` option.

* Tabs vs Spaces

* Update modules/sops/default.nix

* Update modules/sops/default.nix
Mic92 committed Aug 12, 2023
1 parent 1c673ba commit 339a559
Showing 3 changed files with 34 additions and 4 deletions.
21 changes: 21 additions & 0 deletions modules/sops/default.nix
Expand Up @@ -126,6 +126,7 @@ let
sshKeyPaths = cfg.gnupg.sshKeyPaths;
ageKeyFile = cfg.age.keyFile;
ageSshKeyPaths = cfg.age.sshKeyPaths;
useTmpfs = cfg.useTmpfs;
userMode = false;
logging = {
keyImport = builtins.elem "keyImport" cfg.log;
Expand Down Expand Up @@ -242,6 +243,26 @@ in {
'';
};

useTmpfs = mkOption {
type = types.bool;
default = false;
description = lib.mkDoc ''
Use tmpfs in place of ramfs for secrets storage.
*WARNING*
Enabling this option has the potential to write secrets to disk unencrypted if the tmpfs volume is written to swap. Do not use unless absolutely necessary.
When using a swap file or device, consider enabling swap encryption by setting the `randomEncryption.enable` option
```
swapDevices = [{
device = "/dev/sdXY";
randomEncryption.enable = true;
}];
```
'';
};

age = {
keyFile = mkOption {
type = types.nullOr types.path;
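Review bot: The description of the new `useTmpfs` option is wrapped in `lib.mkDoc`, which as far as I know does not exist in nixpkgs' lib (the markdown marker is `lib.mdDoc`); if that is what the file contains rather than a rendering artifact, evaluating the module fails as soon as option docs are built. The warning tells users not to enable the option unless absolutely necessary but never says when it is warranted; presumably the motivation is that a ramfs cannot be size-bounded while a tmpfs can, so a sentence such as `Enable this only when the secrets volume must be size-limited or otherwise cannot be a ramfs.` would make the trade-off explicit. The swap caveat is the right one to raise; it is worth adding that `randomEncryption` only covers the listed `swapDevices`, so any swap configured elsewhere (e.g. a compressed in-memory swap) still needs its own assessment.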
13 changes: 10 additions & 3 deletions pkgs/sops-install-secrets/linux.go
Expand Up @@ -41,7 +41,7 @@ func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int)
return nil
}

func MountSecretFs(mountpoint string, keysGid int, userMode bool) error {
func MountSecretFs(mountpoint string, keysGid int, useTmpfs bool, userMode bool) error {
if err := os.MkdirAll(mountpoint, 0751); err != nil {
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
}
Expand All @@ -51,12 +51,19 @@ func MountSecretFs(mountpoint string, keysGid int, userMode bool) error {
return nil
}

var fstype string = "ramfs"
var fsmagic int32 = RAMFS_MAGIC
if useTmpfs {
fstype = "tmpfs"
fsmagic = TMPFS_MAGIC
}

buf := unix.Statfs_t{}
if err := unix.Statfs(mountpoint, &buf); err != nil {
return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
}
if int32(buf.Type) != RAMFS_MAGIC {
if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
if int32(buf.Type) != fsmagic {
if err := unix.Mount("none", mountpoint, fstype, unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
return fmt.Errorf("Cannot mount: %s", err)
}
}
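Review bot: Toggling `useTmpfs` on a host whose secrets directory is already mounted as the other filesystem makes the new `int32(buf.Type) != fsmagic` check fire and the `unix.Mount` on the following line stacks a second filesystem on top of the existing one; the old mount and the secret files it holds stay in memory underneath until reboot, and any process that still has the old mount open keeps reading the stale generation. Inside that branch, detach a mount of the other type before mounting the new one rather than stacking: `if t := int32(buf.Type); t == RAMFS_MAGIC || t == TMPFS_MAGIC { if err := unix.Unmount(mountpoint, unix.MNT_DETACH); err != nil { return fmt.Errorf("Cannot detach stale secrets fs: %w", err) } }`. Separately, on kernels that support it (6.4 and later, as far as I know) passing `noswap` in the tmpfs mount options removes the swap exposure the module option warns about; since older kernels reject unknown tmpfs options with EINVAL, that needs a retry with the plain `mode=0751` string. `MountSecretFs` continues past the end of this hunk.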
4 changes: 3 additions & 1 deletion pkgs/sops-install-secrets/main.go
Expand Up @@ -54,6 +54,7 @@ type manifest struct {
GnupgHome string `json:"gnupgHome"`
AgeKeyFile string `json:"ageKeyFile"`
AgeSshKeyPaths []string `json:"ageSshKeyPaths"`
UseTmpfs bool `json:"useTmpfs"`
UserMode bool `json:"userMode"`
Logging loggingConfig `json:"logging"`
}
Expand Down Expand Up @@ -304,6 +305,7 @@ func decryptSecrets(secrets []secret) error {
}

const RAMFS_MAGIC int32 = -2054924042
const TMPFS_MAGIC int32 = 16914836

func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) {
var generation uint64
Expand Down Expand Up @@ -932,7 +934,7 @@ func installSecrets(args []string) error {

isDry := os.Getenv("NIXOS_ACTION") == "dry-activate"

if err := MountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UserMode); err != nil {
if err := MountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UseTmpfs, manifest.UserMode); err != nil {
return fmt.Errorf("Failed to mount filesystem for secrets: %w", err)
}

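Review bot: `TMPFS_MAGIC` on the line after `RAMFS_MAGIC` is an undocumented magic number; a reader cannot tell it is the tmpfs statfs f_type without converting 16914836 to 0x01021994 by hand. Add `// TMPFS_MAGIC is the statfs(2) f_type of tmpfs (0x01021994, linux/magic.h); int32 to match the Statfs_t.Type comparison.` and the analogous comment on `RAMFS_MAGIC` (0x858458F6, which is negative once truncated to int32, hence the odd literal). The ALL_CAPS names are not idiomatic Go, but matching the existing constant is the better choice here; if this file is only built for Linux, golang.org/x/sys/unix already exports `unix.TMPFS_MAGIC` and `unix.RAMFS_MAGIC` and both local constants could go.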

