Merge #279
279: Agenix integration r=blaggacao a=Pacman99 AFAICT This is mostly a documentation thing. But with divnix/devlib#2 we can now add agenix to the devshell. Co-authored-by: Pacman99 <pachum99@gmail.com>
This commit is contained in:
commit
da9f14cab2
7 changed files with 155 additions and 10 deletions
110
doc/secrets.md
110
doc/secrets.md
|
@ -1,18 +1,110 @@
|
||||||
# Secrets
|
# Secrets
|
||||||
Secrets are managed using [git-crypt][git-crypt] so you can keep your flake in
|
Secrets are managed using [git-crypt][git-crypt] and [agenix][agenix]
|
||||||
a public repository like GitHub without exposing your password or other
|
so you can keep your flake in a public repository like GitHub without
|
||||||
sensitive data.
|
exposing your password or other sensitive data.
|
||||||
|
|
||||||
By default, everything in the secrets folder is automatically encrypted. Just
|
By default, everything in the secrets folder is automatically encrypted. Just
|
||||||
be sure to run `git-crypt init` before putting anything in here.
|
be sure to run `git-crypt init` before putting anything in here.
|
||||||
|
|
||||||
|
## Agenix
|
||||||
|
Currently, there is [no mechanism][secrets-issue] in nix itself to deploy secrets
|
||||||
|
within the nix store because it is world-readable.
|
||||||
|
|
||||||
|
Most NixOS modules have the ability to set options to files in the system, outside
|
||||||
|
the nix store, that contain sensitive information. You can use [agenix][agenix]
|
||||||
|
to easily setup those secret files declaratively.
|
||||||
|
|
||||||
|
[agenix][agenix] encrypts secrets and stores them as .age files in your repository.
|
||||||
|
Age files are encrypted with multiple ssh public keys, so any host or user with a
|
||||||
|
matching ssh private key can read the data. The [age module][age module] will add those
|
||||||
|
encrypted files to the nix store and decrypt them on activation to `/run/secrets`.
|
||||||
|
|
||||||
|
### Setup
|
||||||
|
All hosts must have openssh enabled, this is done by default in the core profile.
|
||||||
|
|
||||||
|
You need to populate your `secrets/secrets.nix` with the proper ssh public keys.
|
||||||
|
Be extra careful to make sure you only add public keys, you should never share a
|
||||||
|
private key!!
|
||||||
|
|
||||||
|
secrets/secrets.nix:
|
||||||
|
```nix
|
||||||
|
let
|
||||||
|
system = "<system ssh key>";
|
||||||
|
user = "<user ssh key>";
|
||||||
|
allKeys = [ system user ];
|
||||||
|
in
|
||||||
|
```
|
||||||
|
|
||||||
|
On most systems, you can get your systems ssh public key from `/etc/ssh/ssh_host_ed25519_key.pub`. If
|
||||||
|
this file doesn't exist you likely need to enable openssh and rebuild your system.
|
||||||
|
|
||||||
|
Your users ssh public key is probably stored in `~/.ssh/id_ed25519.pub` or
|
||||||
|
`~/.ssh/id_rsa.pub`. If you haven't generated a ssh key yet, be sure do so:
|
||||||
|
```sh
|
||||||
|
ssh-keygen -t ed25519
|
||||||
|
```
|
||||||
|
|
||||||
> ##### _Note:_
|
> ##### _Note:_
|
||||||
> Currently, there is [no mechanism][secrets-issue] in nix to deploy secrets
|
> The underlying tool used by agenix, rage, doesn't work well with password protected
|
||||||
> within the nix/store so, if they end up in the nix/store after deployment, they
|
> ssh keys. So if you have lots of secrets you might have to type in your password many
|
||||||
> will be world readable on that machine.
|
> times.
|
||||||
>
|
|
||||||
> The author of devos intends to implement a workaround for this situation in
|
|
||||||
> the near future, but for the time being, simple be aware of this.
|
### Secrets
|
||||||
|
You will need the `agenix` command to create secrets. DevOS conveniently provides that
|
||||||
|
in the devShell, so just run `nix develop` whenever you want to edit secrets. Make sure
|
||||||
|
to always run `agenix` while in the `secrets/` folder, so it can pick up your `secrets.nix`.
|
||||||
|
|
||||||
|
To create secrets, simply add lines to your `secrets/secrets.nix`:
|
||||||
|
```
|
||||||
|
let
|
||||||
|
...
|
||||||
|
allKeys = [ system user ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"secret.age".publicKeys = allKeys;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
That would tell agenix to create a `secret.age` file that is encrypted with the `system`
|
||||||
|
and `user` ssh public key.
|
||||||
|
|
||||||
|
Then go into the `secrets` folder and run:
|
||||||
|
```sh
|
||||||
|
agenix -e secret.age
|
||||||
|
```
|
||||||
|
This will create the `secret.age`, if it doesn't already exist, and allow you to edit it.
|
||||||
|
|
||||||
|
If you ever change the `publicKeys` entry of any secret make sure to rekey the secrets:
|
||||||
|
```sh
|
||||||
|
agenix --rekey
|
||||||
|
```
|
||||||
|
|
||||||
|
### Usage
|
||||||
|
Once you have your secret file encrypted and ready to use, you can utilize the [age module][age module]
|
||||||
|
to ensure that your secrets end up in `/run/secrets`.
|
||||||
|
|
||||||
|
In any profile that uses a NixOS module that requires a secret you can enable a particular secret like so:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
{ self, ... }:
|
||||||
|
{
|
||||||
|
age.secrets.mysecret.file = "${self}/secrets/mysecret.age";
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Then you can just pass the path `/run/secrets/mysecret` to the module.
|
||||||
|
|
||||||
|
You can make use of the many options provided by the age module to customize where and how
|
||||||
|
secrets get decrypted. You can learn about them by looking at the
|
||||||
|
[age module][age module].
|
||||||
|
|
||||||
|
|
||||||
|
> ##### _Note:_
|
||||||
|
> You can take a look at the [agenix repository][agenix] for more information
|
||||||
|
> about the tool.
|
||||||
|
|
||||||
[git-crypt]: https://github.com/AGWA/git-crypt
|
[git-crypt]: https://github.com/AGWA/git-crypt
|
||||||
|
[agenix]: https://github.com/ryantm/agenix
|
||||||
|
[age module]: https://github.com/ryantm/agenix/blob/master/modules/age.nix
|
||||||
[secrets-issue]: https://github.com/NixOS/nix/issues/8
|
[secrets-issue]: https://github.com/NixOS/nix/issues/8
|
||||||
|
|
21
flake.lock
21
flake.lock
|
@ -1,5 +1,25 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"agenix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"latest"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1620877075,
|
||||||
|
"narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=",
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"ci-agent": {
|
"ci-agent": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
|
@ -352,6 +372,7 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"agenix": "agenix",
|
||||||
"ci-agent": "ci-agent",
|
"ci-agent": "ci-agent",
|
||||||
"darwin": "darwin",
|
"darwin": "darwin",
|
||||||
"digga": "digga",
|
"digga": "digga",
|
||||||
|
|
17
flake.nix
17
flake.nix
|
@ -17,13 +17,26 @@
|
||||||
home.inputs.nixpkgs.follows = "nixos";
|
home.inputs.nixpkgs.follows = "nixos";
|
||||||
naersk.url = "github:nmattia/naersk";
|
naersk.url = "github:nmattia/naersk";
|
||||||
naersk.inputs.nixpkgs.follows = "latest";
|
naersk.inputs.nixpkgs.follows = "latest";
|
||||||
|
agenix.url = "github:ryantm/agenix";
|
||||||
|
agenix.inputs.nixpkgs.follows = "latest";
|
||||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||||
|
|
||||||
pkgs.url = "path:./pkgs";
|
pkgs.url = "path:./pkgs";
|
||||||
pkgs.inputs.nixpkgs.follows = "nixos";
|
pkgs.inputs.nixpkgs.follows = "nixos";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs@{ self, pkgs, digga, nixos, ci-agent, home, nixos-hardware, nur, ... }:
|
outputs =
|
||||||
|
{ self
|
||||||
|
, pkgs
|
||||||
|
, digga
|
||||||
|
, nixos
|
||||||
|
, ci-agent
|
||||||
|
, home
|
||||||
|
, nixos-hardware
|
||||||
|
, nur
|
||||||
|
, agenix
|
||||||
|
, ...
|
||||||
|
} @ inputs:
|
||||||
digga.lib.mkFlake {
|
digga.lib.mkFlake {
|
||||||
inherit self inputs;
|
inherit self inputs;
|
||||||
|
|
||||||
|
@ -36,6 +49,7 @@
|
||||||
./pkgs/default.nix
|
./pkgs/default.nix
|
||||||
pkgs.overlay # for `srcs`
|
pkgs.overlay # for `srcs`
|
||||||
nur.overlay
|
nur.overlay
|
||||||
|
agenix.overlay
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
latest = { };
|
latest = { };
|
||||||
|
@ -60,6 +74,7 @@
|
||||||
{ _module.args.ourLib = self.lib; }
|
{ _module.args.ourLib = self.lib; }
|
||||||
ci-agent.nixosModules.agent-profile
|
ci-agent.nixosModules.agent-profile
|
||||||
home.nixosModules.home-manager
|
home.nixosModules.home-manager
|
||||||
|
agenix.nixosModules.age
|
||||||
./modules/customBuilds.nix
|
./modules/customBuilds.nix
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -8,6 +8,7 @@ channels: final: prev: {
|
||||||
discord
|
discord
|
||||||
element-desktop
|
element-desktop
|
||||||
manix
|
manix
|
||||||
|
rage
|
||||||
nixpkgs-fmt
|
nixpkgs-fmt
|
||||||
qutebrowser
|
qutebrowser
|
||||||
signal-desktop
|
signal-desktop
|
||||||
|
|
|
@ -143,6 +143,12 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# For rage encryption, all hosts need a ssh key pair
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = lib.mkDefault false;
|
||||||
|
};
|
||||||
|
|
||||||
services.earlyoom.enable = true;
|
services.earlyoom.enable = true;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
1
secrets/.gitattributes
vendored
1
secrets/.gitattributes
vendored
|
@ -1,3 +1,4 @@
|
||||||
* filter=git-crypt diff=git-crypt
|
* filter=git-crypt diff=git-crypt
|
||||||
.gitattributes !filter !diff
|
.gitattributes !filter !diff
|
||||||
|
secrets.nix !filter !diff
|
||||||
README.md !filter !diff
|
README.md !filter !diff
|
||||||
|
|
9
secrets/secrets.nix
Normal file
9
secrets/secrets.nix
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
let
|
||||||
|
# set ssh public keys here for your system and user
|
||||||
|
system = "";
|
||||||
|
user = "";
|
||||||
|
allKeys = [ system user ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"secret.age".publicKeys = allKeys;
|
||||||
|
}
|
Loading…
Reference in a new issue