Share secrets between servers and clients using sops-nix

munnik · April 26, 2025, 7:04am

I’m building a nix configuration for our servers and clients (IoT) devices. For secrets, I’m using nix-sops which works great. Some of the secrets need to be shared between (on of) the servers and a client. I’m wondering what is the best approach to do this.

Currently, I have a separate secrets.yaml file for each host (servers and clients) to store the secrets. Now I want to setup Mosquitto (MQTT server) and have an account for each client on it. I’m thinking to create a password in the secrets.yaml file for each client. Then for the server I collect all the passwords and generate the pwfile and aclfile for Mosquitto. I did something similar for Wireguard but then I only had to collect the public keys that were stored in regular nix files.

Is this a common pattern for sharing passwords between hosts, are there any examples or better ways to achieve this?

munnik · April 26, 2025, 12:40pm

I tried:

{ config, self, lib, ... }: {
  services.mosquitto = {
    enable = true;
    listeners = [{
      inherit (config.services.sumo-wireguard-new) address;
      acl = [
        "pattern write vessels/urn:mrn:imo:mmsi:%u/#"
        "pattern read request/vessels.urn:mrn:imo:mmsi:%u"
        "pattern write respond/vessels.urn:mrn:imo:mmsi:%u"
      ];
      users = {
        "munnik" = {
          password = "test";
          acl =
            [ "read vessels/#" "readwrite request/#" "readwrite respond/#" ];
        };
      } // builtins.listToAttrs (lib.attrsets.mapAttrsToList
        (name: systemConfig: {
          inherit name;
          value = {
            passwordFile = systemConfig.config.sops.secrets.mosquittoPassword.path;
            acl = [ "read vessels/#" "write request/#" "read respond/#" ];
          };
        }) (lib.filterAttrs 
          (_: systemConfig: systemConfig.config.sops.secrets ? "mosquittoPassword")
          self.nixosConfigurations));
    }];
  };
}

Then the following /nix/store/h9bdi9dh6syqfsr04kpslr4w68iw0j2r-make-mosquitto-passwd file is created, but it fails:

#! /nix/store/8vpg72ik2kgxfj05lc56hkqrdrfl8xi9-bash-5.2p37/bin/bash

set -eu

file=/var/lib/mosquitto/passwd-0

rm -f "$file"
touch "$file"

addLine() {
  echo "$1:$2" >> "$file"
}
addFile() {
  if [ $(wc -l <"$2") -gt 1 ]; then
    echo "invalid mosquitto password file $2" >&2
    return 1
  fi
  echo "$1:$(cat "$2")" >> "$file"
}
addLine munnik "$(systemd-creds cat listener-0-user-1-password)"
addFile hetzner-otap01 "${CREDENTIALS_DIRECTORY}/listener-0-user-0-passwordFile"
addFile node-hbr-rpa10 "${CREDENTIALS_DIRECTORY}/listener-0-user-2-passwordFile"
addFile node-rct-lindengracht "${CREDENTIALS_DIRECTORY}/listener-0-user-3-passwordFile"
addFile node-test "${CREDENTIALS_DIRECTORY}/listener-0-user-4-passwordFile"
addFile rdm-otap01 "${CREDENTIALS_DIRECTORY}/listener-0-user-5-passwordFile"
/nix/store/zlgzqsrim6dv6i3bjzajjjzfk8jddxh2-mosquitto-2.0.20/bin/mosquitto_passwd -U "$file"