Setup secrets management using agenix

agenix uses age (a utility + standard) that encrypts secrets using ssh key. This simplifies secrets management quite a bit compared to GPG (my attempts for which have failed so far). Changes included: - Encrypt all current keys (mail, backups) using age, configured via agenix - All encrypted keys are committed to git repo and decrypted during boot - None of the keys are used anywhere just yet. They will replace file paths in future commit after testing - Decrypted keys are available after boot under user name with read-only permissions at default agenix location (as of this commit) - The Nix variable path is provided by agenix and can be used instead of having to recreate - multiple keys can be specified for single key, but for now I am only using one For now, the code is dirty and can definitely use improvements. It is just at a place where it is all working right now. TODO: Get age + agenix in environment packages available at runtime in NixOS Links: - https://github.com/ryantm/agenix - https://github.com/hlissner/dotfiles
2022-02-22 03:01:29 +05:30 · 2022-02-22 03:01:29 +05:30 · 629846a1f9
commit 629846a1f9
parent 3caf58ca63
10 changed files with 104 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
-seecrets/**
-**/secrets.nix
+**/secrets/*
--- a/flake.nix
+++ b/flake.nix
@ -11,14 +11,20 @@
      url = "github:nix-community/emacs-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

-  outputs = { self, nixpkgs, home-manager, emacs-overlay, ... }: {
+  outputs = { self, nixpkgs, home-manager, emacs-overlay, agenix, ... }: {
    nixosConfigurations = {
      enterprise = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/enterprise/configuration.nix
+          ./modules/agenix.nix
+          agenix.nixosModules.age
          (import ./nix.nix)
          (import ./hosts/enterprise/sound.nix)
          (import ./hosts/enterprise/backup.nix)
--- a/hosts/enterprise/secrets/maildir_relekarpayas_onedrive.age
+++ b/hosts/enterprise/secrets/maildir_relekarpayas_onedrive.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 dy7D9w IFzyPbRh5LLzYH6vDy83SyKzZDS+qF2MEOenMsNtOnQ
+lAx+ygintMnPCDl4rr+iDnud/5bQ63gbbZS43Vtzr5Y
+-> 9M9qX4-grease S`5 jR._GqU {9)a Eub
+eBZQB13O+P1m4DsTWCN8k6RWpeKcqsg5yfm/8n/CaVfMFACclQ
+--- PtyjC9OVjUAdkGz111hZsDkEFjcwNtO1BvJhpn/5x3g
+8p©Ë®ŠÁdÇÜÜŒtLÍ¸kóúî‘Û/{\><3E>ÍOò&”7Åp`–}¸Ñ—°¼?¥kÏ€0Çtò â˜Ï¦re1ÙÃ6>Y*TdÛkÝÕ5ÿ3KpÖ1rœÇ@³« 4ó¶AàÄH7ŒlÛ¥ó´ Í@ð
˜ŠƒV×«Rbà
--- a/hosts/enterprise/secrets/mu4e_gmail.age
+++ b/hosts/enterprise/secrets/mu4e_gmail.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 dy7D9w yhRM5/w1eepD/nEGCoOzqhN2Ed4WCweQxc5nw90OFFE
+z9/iOzG+to2rcC60yO7nzI6GgIfvZLjHfJr42SrbxLY
+--- tiudW9x74CzCHpASjlnHxN8zKekP/2L4HkqtDwRkm5U
+‹kÊh„ŒA`ŒÑŠ«i¹X±÷´„ Tmøæ‹::¨+W:štÅû±û½â‘û&ýÎì
--- a/hosts/enterprise/secrets/org_relekarpayas_googledrive.age
+++ b/hosts/enterprise/secrets/org_relekarpayas_googledrive.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 dy7D9w ccKo6iVUtF/88bxSy1B8xnRYBUkbnbi/heOcS0zYEDY
+Rraz/mFj1fR95kJZRCSJ7SRAQUtgHjOZJi0VvzYGmvk
+-> ZwkrMG-grease <?G)_dY N !KANB*" -hB+Su(
+U5LEeJZOBtIWPWGBEQ
+--- yE1a37Lu918LVJumhD9gYvxWb/6OweXzYrOeoC+tnp8
+ã_×ñæ<C3B1>â¢6Ñép4äÕ·Æ‹Þ,«ïÆ}Zf‘?OZÞ£;Ä5§›dCÖ×_ÄkÂ"dcÓ@ÛC¹Ê±@Bž<42>B›lËižum)±P?¢Ç—²·yÍ0ð(!¢Ëô]â=3‰îæ!I‡{Cúö˜ªêž.kcÛ}»¾<C2BB>ò|í·hàá®
--- a/hosts/enterprise/secrets/org_relekarpayas_onedrive.age
+++ b/hosts/enterprise/secrets/org_relekarpayas_onedrive.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 dy7D9w 5OnF9DkSjroG96Q88oo04Q1EINi3wcN/vfyzKALrMww
+kBc2w/X+Od+ouik4AsH7YZlNoZGPfWGt1NXUip9yfwY
+-> g(-grease A
+zT177g
+--- JFz13LrERcGNmpmtjp9IK92FDyAUpxK00Kal7CsYyZ8
+ñþºÆÅn_1ÙH"ž›Q[2Àvh%ê¾E…AînÀÔœÍ¥IáÏE@Í¿s†,Ÿ4]\FÂ[”jöÈ`oÓ¼=}…~®g>•ÈPÎHÈÃ
+e>'¶FÚø÷ÿÞ™·C¹¯'@ðV;ŒÞš¸ÖÛSc$Ð‰@˜`/›E|Uà’aƒtì“
--- a/hosts/enterprise/secrets/secrets.nix
+++ b/hosts/enterprise/secrets/secrets.nix
@ -0,0 +1,10 @@
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPziuF0B4Vj/W434rpshcvQu2KieXjGc8HnwymLapyLu nixos@enterprise";
+in
+{
+  "maildir_relekarpayas_onedrive.age".publicKeys = [ key ];
+  "syncthing_relekarpayas_googledrive.age".publicKeys = [ key ];
+  "syncthing_relekarpayas_onedrive.age".publicKeys = [ key ];
+  "org_relekarpayas_googledrive.age".publicKeys = [ key ];
+  "org_relekarpayas_onedrive.age".publicKeys = [ key ];
+  "mu4e_gmail.age".publicKeys = [ key ];
+}
--- a/hosts/enterprise/secrets/syncthing_relekarpayas_googledrive.age
+++ b/hosts/enterprise/secrets/syncthing_relekarpayas_googledrive.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 dy7D9w O2oC8+mG4ddds/vWrEgoKcH/08Uf+Asb+5IMvHFaC04
+zTptkB7UdU0BGm2tOUTjllYHsv3tEkt+k61VgyCnnZw
+-> A$-grease 2MWD =a@~f
+h1ff7UE4JFUCf2hRMDEBnOrsvbEztceDSaMVTyzzzsf+D9TYLeA7Liv8zJuOu1PV
+pTCXhpWqO0Th9ol9fJc3eQ7MxuiGOSGm6H65HPIjgxWJNSLmNg
+--- vbumS83Qmuc1aOt0o7Rut1P5kSVix/AKL7SLJBKVD6A
+-›:VÅøhN¡Õëüû41þž¨N<ÃY´ãirò
+€uÏß<EFBFBD>Â'q#P—xJLd‰ë9v:4äŽ7rpÝ&º\<5C>CÒ]=ê
9uWÙÍ÷…r£¹ñÆkdÇ>+ç@·!ÍÞy@W“o$ñ<>þ|(žD¨4G0&ýÔÝ¡
--- a/hosts/enterprise/secrets/syncthing_relekarpayas_onedrive.age
+++ b/hosts/enterprise/secrets/syncthing_relekarpayas_onedrive.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 dy7D9w cC14jHh4xEnU4ytYVPvsHFItTP32ejCva6JIfyL7yCg
+OynqzGM3787awMhBuUuSq3+LNiw8BQbQzPDH3fx08aU
+-> 1}N-grease 63VK8 ' \ S=if
+ZACSbwxOec//qcHEPOWoc9lTTcf6eIK2g2Bw4xXjqYD5/F08jXx5By4REgLsvg7h
+jzGImN08q5msOunmJNlc5AV2lWvUVU7860sn/5ZLJQ5/F9G5Rl2fK7xs
+--- 8m6Tz3ExeYuw/IiMYJu3jGbTqhQNaKXNc7Y6BIDQuxc
+Fgî);ÐÍCd<43><64>Ó=gA/"´¥:ë-Ã
]ºº@XñgOÌ2j…Ÿ=«Ø7,ð”WäãŠ?påd´Dæßÿ_ÙëI†Ÿ<07>qVóóÝ®°‹‘nzù¢í‹œ—<C593>è!y[i’hC¨f³\Ãú@AL_©R+\ÅýNCK<43>?Q÷
+íã
--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@ -0,0 +1,41 @@
+{ config, options, agenix, lib, pkgs, ... }:
+
+# copied pretty much verbatim from hlissner's dotfiles repo:
+# https://github.com/hlissner/dotfiles/blob/4539d607778820cd6fd97b6c81c1cfcd6cb7e226/modules/agenix.nix
+#
+# I get the idea and understand what the code does, but it will probably take a while to fully write
+# something like this myself
+
+with builtins;
+with lib;
+let
+  secretsDir = "${toString ../hosts}/enterprise/secrets";
+  secretsFile = "${secretsDir}/secrets.nix";
+  payas = "payas";
+in
+{
+  # imports = [ agenix.nixosModules.age ];
+
+  # TODO: Find a way to make agenix available in the runtime NixOS evaluation
+  # environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
+
+  age = {
+    secrets =
+      if pathExists secretsFile
+      then
+        mapAttrs'
+          (n: _: nameValuePair (removeSuffix ".age" n)
+            {
+              file = "${secretsDir}/${n}";
+              owner = payas;
+            })
+          (import secretsFile)
+      else
+        { };
+    identityPaths =
+      [
+        "/home/payas/.ssh/id_ed25519"
+        # "/home/payas/.ssh/id_rsa"
+      ];
+  };
+}