feat: agenix - use the system's host ssh key for cryption

This commit is contained in:
Ryan Yin
2024-01-26 20:52:16 +08:00
parent d1cdddc9ca
commit 7f72a0612b
5 changed files with 152 additions and 73 deletions

flake.lock generated

@@ -515,10 +515,10 @@
"mysecrets": {
"flake": false,
"locked": {
"lastModified": 1706264692,
"narHash": "sha256-xgYP84Knm2JmEYttJ1N3DfJBTNNJ82klRmBtzlZLuog=",
"lastModified": 1706277557,
"narHash": "sha256-eDVEacTs1ifdTR6DZGDb9RoRR0V4dAZCK7SBWtLB+Zw=",
"ref": "refs/heads/main",
"rev": "17fdfb68739c474d0cb25906c77b33553b033a6a",
"rev": "75d7db5fca64885cac9dc58ba5fb1c3498ecb96e",
"shallow": true,
"type": "git",
"url": "ssh://git@github.com/ryan4yin/nix-secrets.git"


@@ -21,8 +21,7 @@
enable = true;
extraConfig = ''
Host github.com
# github is controlled by gluttony~
IdentityFile ~/.ssh/gluttony
IdentityFile ~/.ssh/idols-ai
# Specifies that ssh should only use the identity file explicitly configured above
# required to prevent sending default identity files first.
IdentitiesOnly yes
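Review bot: The replacement `IdentityFile ~/.ssh/idols-ai` line drops the explanatory comment that the removed line carried, so the config no longer records why this host uses that particular key. Add a one-line comment above it, e.g. `# github.com authenticates with the idols-ai key`, so the key's role is not lost the next time it is rotated. The enclosing `extraConfig` string runs past the end of the hunk.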


@@ -13,7 +13,7 @@
users.users.${username} = {
description = userfullname;
# Public Keys that can be used to login to all my PCs, Macbooks, and servers.
#
#
# Since its authority is so large, we must strengthen its security:
# 1. The corresponding private key must be:
# 1. Generated locally on every trusted client via:
@@ -26,6 +26,8 @@
# 2. Or just use hardware security keys like Yubikey/CanoKey.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
""
];
};
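Review bot: The `""` entry at the end of `openssh.authorizedKeys.keys` appears to be one of the two lines this hunk adds (the rendering does not mark old/new sides, so this is inferred from the counts), and an empty string there only produces a blank line in the generated `authorized_keys`. If it is a placeholder for a key still to be added, drop it or replace it with a comment such as `# TODO: add the next trusted host's key here` so the list only holds real keys. The comment block above the list sets strict rules for these keys, so a stray empty entry is worth removing before it is forgotten.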


@@ -16,44 +16,79 @@
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths = [
"/Users/${username}/.ssh/juliet-age" # macOS
# Generate manually via `sudo ssh-keygen -A`
"/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
];
age.secrets = {
"wg-business.conf" = {
file = "${mysecrets}/wg-business.conf.age";
owner = username;
};
"ssh-key-romantic" = {
file = "${mysecrets}/ssh-key-romantic.age";
mode = "0600";
owner = username;
};
"ryan4yin-gpg-subkeys.priv" = {
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
# owner = root
age.secrets = let
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
"ryan4yin-gpg-subkeys.priv" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" = {
file = "${mysecrets}/alias-for-work.nushell.age";
mode = "0600";
owner = username;
};
"alias-for-work.bash" = {
file = "${mysecrets}/alias-for-work.bash.age";
mode = "0600";
owner = username;
};
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"nix-access-tokens" = {
file = "${mysecrets}/nix-access-tokens.age";
mode = "0600";
owner = username;
};
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
# place secrets in /etc/
@@ -64,6 +99,10 @@
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
};
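Review bot: The comment `# no one can read/write this file, even root.` above the `noaccess` entry is not accurate: `mode = "0000"` only blocks unprivileged users, root bypasses discretionary permission bits, and agenix itself decrypts and installs the file as root. Rephrase it to `# mode 0000: unreadable by every non-root user; root can still read it.` so the next reader does not rely on a guarantee the mode bits do not give. The `high_security` and `user_readable` helpers both set `mode = "0500"`, which adds an execute bit to files that are pure data (a WireGuard config, rclone config, access tokens, an SSH private key); `mode = "0400";` gives the same read access without the needless execute bit. Both points apply equally to the Linux counterpart hunk `@@ -18,51 +18,86 @@`, which defines the same three helpers with the same comment.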


@@ -18,51 +18,86 @@
age.identityPaths = [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/home/${username}/.ssh/juliet-age" # Linux
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
];
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
age.secrets."smb-credentials" = {
file = "${mysecrets}/smb-credentials.age";
owner = username;
};
age.secrets = {
"wg-business.conf" = {
file = "${mysecrets}/wg-business.conf.age";
owner = username;
};
"ssh-key-romantic" = {
file = "${mysecrets}/ssh-key-romantic.age";
mode = "0600";
owner = username;
};
"ryan4yin-gpg-subkeys.priv" = {
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
# owner = root
age.secrets = let
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
"ryan4yin-gpg-subkeys.priv" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" = {
file = "${mysecrets}/alias-for-work.nushell.age";
mode = "0600";
owner = username;
};
"alias-for-work.bash" = {
file = "${mysecrets}/alias-for-work.bash.age";
mode = "0600";
owner = username;
};
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"nix-access-tokens" = {
file = "${mysecrets}/nix-access-tokens.age";
mode = "0600";
owner = username;
};
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
# place secrets in /etc/
@@ -72,6 +107,10 @@
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
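Review bot: The new `"/persistent/etc/ssh/ssh_host_ed25519_key"` entry in `age.identityPaths` has no comment, while the user key directly above it explains the `/persistent/` prefix and the macOS counterpart file notes how its host key is produced. Since the macOS file warns that changing the identity key forces every secret to be re-encrypted, record the same consequence here: `# sshd host key; reinstalling or regenerating it means re-encrypting every secret for the new key.` Whether the host key is present under `/persistent/` before agenix runs at boot is not visible in this hunk and is worth confirming. The second hunk of this file runs past the end of the view.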