|
| 1 | +--- |
| 2 | +feature: private-derivations |
| 3 | +start-date: 2023-02-03 |
| 4 | +author: poscat |
| 5 | +co-authors: (find a buddy later to help out with the RFC) |
| 6 | +shepherd-team: (names, to be nominated and accepted by RFC steering committee) |
| 7 | +shepherd-leader: (name to be appointed by RFC steering committee) |
| 8 | +related-issues: (will contain links to implementation PRs) |
| 9 | +--- |
| 10 | + |
| 11 | +# Summary |
| 12 | +[summary]: #summary |
| 13 | + |
| 14 | +This RFC proposes to add a special type of derivation called private derivation, which, upon being built, will have their file permissions set to 000 instead of the usual 444. |
| 15 | + |
| 16 | +# Motivation |
| 17 | +[motivation]: #motivation |
| 18 | + |
| 19 | +In short: This RFC mainly concerns with how to safely store credentials on NixOS. |
| 20 | + |
| 21 | +The world readability of nix store means that, to safely store credentials, they must be first somehow be encrypted before written into the store. They also need to be decrypted before the services are started. |
| 22 | + |
| 23 | +This is less than ideal because one needs to setup a key (which is stored as plaintext on disk) on every machine just to prevent unauthorized users from seeting the credentials. |
| 24 | + |
| 25 | +Furthermore, if encryption is done before the evaluation of the system configuration (as is the case with [agenix](https://github.com/ryantm/agenix) and [sops-nix](https://github.com/Mic92/sops-nix)), then the nixos module system cannot be utilized to generate configs that contain credentials and one must write them manually. |
| 26 | + |
| 27 | +All of this can be prevented if we added the ability to make derivation outputs as not readable by anyone other than root, by setting the file mode to 111 (directories) or 000 (files). We can then use a trustworthy credential manager, for example systemd with its `LoadCredential=`, to distribute these derivations to the consumers safely. |
| 28 | + |
| 29 | +# Detailed design |
| 30 | +[design]: #detailed-design |
| 31 | + |
| 32 | +We propose adding a `noReadAccess` option to `builtins.derivation`, which, when set to true, makes this derivation a private derivation. Relevant changes should also be made in nix-instantiate and nix-daemon to understand this attribute. |
| 33 | + |
| 34 | +# Examples and Interactions |
| 35 | +[examples-and-interactions]: #examples-and-interactions |
| 36 | + |
| 37 | +TBA |
| 38 | + |
| 39 | +# Drawbacks |
| 40 | +[drawbacks]: #drawbacks |
| 41 | + |
| 42 | +- Adding private derivations further complicates the nix store model. |
| 43 | + |
| 44 | +# Alternatives |
| 45 | +[alternatives]: #alternatives |
| 46 | + |
| 47 | +An alternative would be to support more complicated ACLs as described in [this](https://github.com/NixOS/nix/issues/8) Nix issue. |
| 48 | + |
| 49 | +# Unresolved questions |
| 50 | +[unresolved]: #unresolved-questions |
| 51 | + |
| 52 | +It is not yet known how this might interact with content addressed paths. |
| 53 | + |
| 54 | +# Future work |
| 55 | +[future]: #future-work |
| 56 | + |
| 57 | +What future work, if any, would be implied or impacted by this feature |
| 58 | +without being directly part of the work? |
0 commit comments