Setup secrets management using agenix
agenix uses age (a tool and a file format) that encrypts secrets to SSH public keys, so the matching SSH private key decrypts them. This simplifies secrets management quite a bit compared to GPG (my attempts for which have failed so far). Changes included: - Encrypt all current keys (mail, backups) using age, configured via agenix - All encrypted keys are committed to git repo and decrypted during boot - None of the keys are used anywhere just yet. They will replace file paths in future commit after testing - Decrypted keys are available after boot under user name with read-only permissions at default agenix location (as of this commit) - The Nix variable path is provided by agenix and can be used instead of having to recreate - multiple keys can be specified for single key, but for now I am only using one For now, the code is dirty and can definitely use improvements. It is just at a place where it is all working right now. TODO: Get age + agenix in environment packages available at runtime in NixOS Links: - https://github.com/ryantm/agenix - https://github.com/hlissner/dotfiles
parent
3caf58ca63
commit
629846a1f9
10 changed files with 104 additions and 3 deletions
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -1,2 +1 @@
|
|||
seecrets/**
|
||||
**/secrets.nix
|
||||
**/secrets/*
|
||||
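Review bot: Whichever of the three rules survives (this rendering does not show which lines are old and which are new), the directory that now holds the `.age` files and `secrets.nix` has to be at least partially un-ignored for this commit to add them, and the same relaxation lets a plaintext file left in `hosts/enterprise/secrets/` during testing (for example the output of `age -d`) be swept up by `git add -A`. A narrow allow-list keeps that protection while still tracking the encrypted files: `hosts/*/secrets/*`, `!hosts/*/secrets/*.age`, `!hosts/*/secrets/secrets.nix`. If the surviving rule is `**/secrets/*`, the files in this commit could only have entered via `git add -f`, which is worth confirming against the actual new `.gitignore`.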
|
|
|
@ -11,14 +11,20 @@
|
|||
url = "github:nix-community/emacs-overlay";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
agenix = {
|
||||
url = "github:ryantm/agenix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, home-manager, emacs-overlay, ... }: {
|
||||
outputs = { self, nixpkgs, home-manager, emacs-overlay, agenix, ... }: {
|
||||
nixosConfigurations = {
|
||||
enterprise = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/enterprise/configuration.nix
|
||||
./modules/agenix.nix
|
||||
agenix.nixosModules.age
|
||||
(import ./nix.nix)
|
||||
(import ./hosts/enterprise/sound.nix)
|
||||
(import ./hosts/enterprise/backup.nix)
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w IFzyPbRh5LLzYH6vDy83SyKzZDS+qF2MEOenMsNtOnQ
|
||||
lAx+ygintMnPCDl4rr+iDnud/5bQ63gbbZS43Vtzr5Y
|
||||
-> 9M9qX4-grease S`5 jR._GqU {9)a Eub
|
||||
eBZQB13O+P1m4DsTWCN8k6RWpeKcqsg5yfm/8n/CaVfMFACclQ
|
||||
--- PtyjC9OVjUAdkGz111hZsDkEFjcwNtO1BvJhpn/5x3g
|
||||
8p©Ë®ŠÁdÇÜÜŒtL͸kóúî‘Û/{\><3E>ÍOò&”7Åp`–}¸Ñ—°¼?¥kÏ€0Çtò â˜Ï¦re1ÙÃ6>Y*TdÛkÝÕ5ÿ3KpÖ1rœÇ@³« 4ó¶AàÄH7ŒlÛ¥ó´ Í@ð
˜ŠƒV׫Rbà
|
5
hosts/enterprise/secrets/mu4e_gmail.age
Normal file
5
hosts/enterprise/secrets/mu4e_gmail.age
Normal file
|
@ -0,0 +1,5 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w yhRM5/w1eepD/nEGCoOzqhN2Ed4WCweQxc5nw90OFFE
|
||||
z9/iOzG+to2rcC60yO7nzI6GgIfvZLjHfJr42SrbxLY
|
||||
--- tiudW9x74CzCHpASjlnHxN8zKekP/2L4HkqtDwRkm5U
|
||||
‹kÊh„ŒA`ŒÑŠ«i¹X±÷´„ Tmøæ‹::¨+W:štÅû±û½â‘û&ýÎì
|
|
@ -0,0 +1,7 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w ccKo6iVUtF/88bxSy1B8xnRYBUkbnbi/heOcS0zYEDY
|
||||
Rraz/mFj1fR95kJZRCSJ7SRAQUtgHjOZJi0VvzYGmvk
|
||||
-> ZwkrMG-grease <?G)_dY N !KANB*" -hB+Su(
|
||||
U5LEeJZOBtIWPWGBEQ
|
||||
--- yE1a37Lu918LVJumhD9gYvxWb/6OweXzYrOeoC+tnp8
|
||||
ã_×ñæ<C3B1>â¢6Ñép4äÕ·Æ‹Þ,«ïÆ}Zf‘?OZÞ£;Ä5§›dCÖ×_ÄkÂ"dcÓ@ÛC¹Ê±@Bž<42>B›lËižum)±P?¢Ç—²·yÍ0ð(!¢Ëô]â=3‰îæ!I‡{Cúö˜ªêž.kcÛ}»¾<C2BB>ò|í·hàá®
|
8
hosts/enterprise/secrets/org_relekarpayas_onedrive.age
Normal file
8
hosts/enterprise/secrets/org_relekarpayas_onedrive.age
Normal file
|
@ -0,0 +1,8 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w 5OnF9DkSjroG96Q88oo04Q1EINi3wcN/vfyzKALrMww
|
||||
kBc2w/X+Od+ouik4AsH7YZlNoZGPfWGt1NXUip9yfwY
|
||||
-> g(-grease A
|
||||
zT177g
|
||||
--- JFz13LrERcGNmpmtjp9IK92FDyAUpxK00Kal7CsYyZ8
|
||||
ñþºÆÅn_1ÙH"ž›Q[2Àvh%ê¾E…AînÀԜͥIáÏE@Í¿s†,Ÿ4]\FÂ[”jöÈ`oÓ¼=}…~®g>•ÈPÎHÈÃ
|
||||
e>'¶FÚø÷ÿÞ™·C¹¯'@ðV;ŒÞš¸ÖÛSc$Љ@˜`/›E|Uà’aƒtì“
|
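--- a/hosts/enterprise/secrets/secrets.nix
+++ b/hosts/enterprise/secrets/secrets.nix
@@ -0,0 +1,10 @@
+let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPziuF0B4Vj/W434rpshcvQu2KieXjGc8HnwymLapyLu nixos@enterprise";
+in
+{
+"maildir_relekarpayas_onedrive.age".publicKeys = [ key ];
+"syncthing_relekarpayas_googledrive.age".publicKeys = [ key ];
+"syncthing_relekarpayas_onedrive.age".publicKeys = [ key ];
+"org_relekarpayas_googledrive.age".publicKeys = [ key ];
+"org_relekarpayas_onedrive.age".publicKeys = [ key ];
+"mu4e_gmail.age".publicKeys = [ key ];
+}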
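Review bot: Every entry encrypts to the single `nixos@enterprise` recipient, so losing or rotating that one private key makes all six `.age` files unrecoverable and they would have to be regenerated from the original mail and backup credentials. Add a second recipient held offline (an `age1…` key or another SSH public key) to each list, e.g. `let key = "ssh-ed25519 …"; backup = "age1…"; in { "mu4e_gmail.age".publicKeys = [ key backup ]; … }`, then run `agenix -r` so the files already committed are re-keyed. The `publicKeys` values are only read by the agenix CLI — `modules/agenix.nix` imports this file just to enumerate the names — so the extra recipient has no effect on the NixOS evaluation. A comment stating which identity file holds the private half of `nixos@enterprise` (host key or user key) would also save the next person re-keying from guessing.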
|
@ -0,0 +1,9 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w O2oC8+mG4ddds/vWrEgoKcH/08Uf+Asb+5IMvHFaC04
|
||||
zTptkB7UdU0BGm2tOUTjllYHsv3tEkt+k61VgyCnnZw
|
||||
-> A$-grease 2MWD =a@~f
|
||||
h1ff7UE4JFUCf2hRMDEBnOrsvbEztceDSaMVTyzzzsf+D9TYLeA7Liv8zJuOu1PV
|
||||
pTCXhpWqO0Th9ol9fJc3eQ7MxuiGOSGm6H65HPIjgxWJNSLmNg
|
||||
--- vbumS83Qmuc1aOt0o7Rut1P5kSVix/AKL7SLJBKVD6A
|
||||
-›:VÅøhN¡Õëüû41þž¨N<ÃY´ãirò
|
||||
€uÏß<EFBFBD>Â'q#P—xJLd‰ë9v:4äŽ7rpÝ&º\<5C>CÒ]=ê
9uWÙÍ÷…r£¹ñÆkdÇ>+ç@·!ÍÞy@W“o$ñ<>þ|(žD¨4G0&ýÔÝ¡
|
|
@ -0,0 +1,9 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 dy7D9w cC14jHh4xEnU4ytYVPvsHFItTP32ejCva6JIfyL7yCg
|
||||
OynqzGM3787awMhBuUuSq3+LNiw8BQbQzPDH3fx08aU
|
||||
-> 1}N-grease 63VK8 ' \ S=if
|
||||
ZACSbwxOec//qcHEPOWoc9lTTcf6eIK2g2Bw4xXjqYD5/F08jXx5By4REgLsvg7h
|
||||
jzGImN08q5msOunmJNlc5AV2lWvUVU7860sn/5ZLJQ5/F9G5Rl2fK7xs
|
||||
--- 8m6Tz3ExeYuw/IiMYJu3jGbTqhQNaKXNc7Y6BIDQuxc
|
||||
Fgî);ÐÍCd<43><64>Ó=gA/"´¥:ë-Ã
]ºº@XñgOÌ2j…Ÿ=«Ø7,ð”WäãŠ?påd´Dæßÿ_ÙëI†Ÿ<07>qVóóÝ®°‹‘nzù¢í‹œ—<C593>è!y[i’hC¨f³\Ãú@AL_©R+\ÅýNCK<43>?Q÷
|
||||
íã
|
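--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@@ -0,0 +1,41 @@
+{ config, options, agenix, lib, pkgs, ... }:
+
+# copied pretty much verbatim from hlissner's dotfiles repo:
+# https://github.com/hlissner/dotfiles/blob/4539d607778820cd6fd97b6c81c1cfcd6cb7e226/modules/agenix.nix
+#
+# I get the idea and understand what the code does, but it will probably take a while to fully write
+# something like this myself
+
+with builtins;
+with lib;
+let
+secretsDir = "${toString ../hosts}/enterprise/secrets";
+secretsFile = "${secretsDir}/secrets.nix";
+payas = "payas";
+in
+{
+# imports = [ agenix.nixosModules.age ];
+
+# TODO: Find a way to make agenix available in the runtime NixOS evaluation
+# environment.systemPackages = [ agenix.defaultPackage.x86_64-linux ];
+
+age = {
+secrets =
+if pathExists secretsFile
+then
+mapAttrs'
+(n: _: nameValuePair (removeSuffix ".age" n)
+{
+file = "${secretsDir}/${n}";
+owner = payas;
+})
+(import secretsFile)
+else
+{ };
+identityPaths =
+[
+"/home/payas/.ssh/id_ed25519"
+# "/home/payas/.ssh/id_rsa"
+];
+};
+}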
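Review bot: `identityPaths` makes `/home/payas/.ssh/id_ed25519`, a user's interactive SSH key, the decryption identity for every secret, so activation can only decrypt if `/home` is mounted and readable at that point and the key has no passphrase (agenix cannot prompt), and one key now doubles as both an authentication credential and the master key for the mail and backup secrets. The module's default identity is the host key, which exists before activation and never leaves the machine; I would set `identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, add the contents of `/etc/ssh/ssh_host_ed25519_key.pub` as a recipient in `secrets.nix`, and keep the user key only as an additional recipient for editing with the agenix CLI. Whether the `nixos@enterprise` recipient already is that host key cannot be told from the commit; if it is, only the identity path needs to change. Separately, the module pattern on the first line requires an `agenix` argument that NixOS does not pass by default and that nothing in the body uses (both references to it are commented out), so either drop it from the pattern or add a comment saying that `specialArgs` in the flake supplies it.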