feat: add agenix for secrets management

This commit is contained in:
ryan4yin
2023-05-21 00:56:37 +08:00
parent 32d6353cdc
commit 6710f34e50
15 changed files with 303 additions and 56 deletions

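--- a/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-.smb_credentials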


@@ -1,6 +1,9 @@
deploy:
sudo nixos-rebuild switch --flake .
debug:
sudo nixos-rebuild switch --flake . --show-trace --verbose
update:
nix flake update


@@ -9,7 +9,6 @@ This repository is home to the nix code that builds my systems.
## TODO
- [sops-nix](https://github.com/Mic92/sops-nix): secret management
- make fcitx5-rime work in vscode/chrome on wayland
- adjust the structure of this repo, make it more flexible, and can easily switch between i3, sway and hyprland.
- migrate my private tools & wireguard configurations into nixos, make it a private flake(private github repo), and used it as flake inputs in this repo.
@@ -33,8 +32,13 @@ sudo nixos-rebuild switch --flake .#nixos-test
# deploy my PC's configuration
sudo nixos-rebuild switch --flake .#msi-rtx4090
```
# or just deploy with hostname
sudo nixos-rebuild switch
# we can also deploy using make, which is defined in Makefile
make deploy
```
## Install Apps from Flatpak

flake.lock generated

@@ -1,10 +1,53 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1684153753,
"narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
"owner": "ryantm",
"repo": "agenix",
"rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1684343812,
"narHash": "sha256-ZTEjiC8PDKeP8JRchuwcFXUNlMcyQ4U+DpyVZ3pB6Q4=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "dfbdabbb3e797334172094d4f6c0ffca8c791281",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"devenv": {
"inputs": {
"flake-compat": "flake-compat",
"nix": "nix",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
@@ -131,6 +174,27 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1684596126,
"narHash": "sha256-4RZZmygeEXpuBqEXGs38ZAcWjWKGwu13Iqbxub6wuJk=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "27ef11f0218d9018ebb2948d40133df2b1de622d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
@@ -153,7 +217,7 @@
"hyprland": {
"inputs": {
"hyprland-protocols": "hyprland-protocols",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"wlroots": "wlroots",
"xdph": "xdph"
},
@@ -255,7 +319,7 @@
"nix-eval-jobs": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1682480188,
@@ -273,16 +337,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1677534593,
"narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=",
"lastModified": 1684570954,
"narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a",
"rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -355,14 +419,14 @@
"flake-compat": "flake-compat_2",
"lib-aggregate": "lib-aggregate",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": "nixpkgs_5"
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1684578926,
"narHash": "sha256-gOC+D019uldIP0hdhr2uHn6scZJFWioETOvZy8mkX3Q=",
"lastModified": 1684592015,
"narHash": "sha256-6gFt1LE/stVQFeGI263pU6O5EAeY1TPTGee1vvbkwZo=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
"rev": "17eb467ccf21704e9d079eafc0083597e84020e5",
"rev": "aeb1b88206756e867e398d18e2856b60fc803e12",
"type": "github"
},
"original": {
@@ -372,6 +436,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1677534593,
"narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1683014792,
"narHash": "sha256-6Va9iVtmmsw4raBc3QKvQT2KT/NGRWlvUlJj46zN8B8=",
@@ -387,7 +467,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1684570954,
"narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
@@ -403,7 +483,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1681347147,
"narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=",
@@ -419,13 +499,13 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1684528365,
"narHash": "sha256-2b5IfkV6WPZ3S9SgIajbftinfGlBnwUwOcmLiyCck+w=",
"lastModified": 1684570954,
"narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5ae23a806c7cb16e2ade63400d0c6e5aa8e54797",
"rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
"type": "github"
},
"original": {
@@ -480,10 +560,11 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"devenv": "devenv",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"hyprland": "hyprland",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable_2",
"nixpkgs-wayland": "nixpkgs-wayland",
"nur": "nur"


@@ -54,6 +54,9 @@
# use devenv to manage my development environment
devenv.url = "github:cachix/devenv/v0.6.2";
# secrets management, lock with git commit at 2023/5/15
agenix.url = "github:ryantm/agenix/db5637d10f797bb251b94ef9040b237f4702cde3";
};
# outputs 的参数都是 inputs 中定义的依赖项,可以通过它们的名称来引用。
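Review bot: The new `agenix.url = "github:ryantm/agenix/db5637d…"` input carries its own `nixpkgs`, `home-manager` and `darwin` inputs, and the updated flake.lock now pins them separately (a second nixpkgs entry at lastModified 1677534593 next to the root's 1684570954), so two nixpkgs closures get evaluated and the agenix module is built against a months-older tree than the host. Unless that is intended, make them follow the root inputs: `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `agenix.inputs.home-manager.follows = "home-manager";` (the `darwin` input can be dropped the same way with an empty `follows`). Pinning to a full commit hash is the right call for a secrets tool; the date in the comment and the hash will drift apart on the next bump, so I'd keep only the hash. The enclosing `inputs` attribute set starts outside the hunk.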


@@ -5,7 +5,9 @@
fileSystems."/home/ryan/SMB-Downloads" = {
device = "//192.168.5.194/Downloads";
fsType = "cifs";
options = ["vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=/etc/nixos/.smb_credentials,nofail"];
options = [
"vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=${config.age.secrets.smb-credentials.path},nofail"
];
};
}
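Review bot: The new `credentials=${config.age.secrets.smb-credentials.path}` option only evaluates if this module's argument set binds `config`; the module header is above the hunk, so confirm the file starts with something like `{ config, ... }:`. This commit also deletes the `.smb_credentials` entry from `.gitignore`, so the plaintext file the old line pointed at under `/etc/nixos/` is no longer protected from an accidental `git add` — remove it from the host once the agenix-backed mount is confirmed working, and keep the ignore entry until then. Keeping `nofail` is appropriate here, since the credentials path only exists after the secret has been installed during activation.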


@@ -21,17 +21,19 @@
# Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
nur.nixosModules.nur
./cifs-mount.nix
../../modules/system.nix
../../modules/hyprland.nix
#../../modules/i3.nix
../../modules/fcitx5
../../modules/nur-packages.nix
../../modules/fhs-fonts.nix
# Include the results of the hardware scan.
./hardware-configuration.nix
../../modules/fcitx5
../../modules/fhs-fonts.nix
../../modules/hyprland.nix
#../../modules/i3.nix
../../modules/nur-packages.nix
../../modules/system.nix
../../modules/user_group.nix
../../secrets
];
# Bootloader.
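Review bot: `../../secrets` evaluates `secrets/default.nix`, whose argument set takes `agenix`, so this import only works if the host's module evaluation passes that flake input through (for example `specialArgs = { inherit agenix; };` on the `nixosSystem` call); that wiring is not part of this diff, so confirm it exists or evaluation fails with an undefined `agenix` argument. The same applies to the second host's import list in the next file section. The `imports = [` opening line is above the hunk; the list is now alphabetised, which reads well, but the `# Include the results of the hardware scan.` comment now sits above `./hardware-configuration.nix` with the module entries after it — fine, just be aware the comment no longer marks the end of the list.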


@@ -20,16 +20,18 @@
# Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
nur.nixosModules.nur
../../modules/system.nix
../../modules/hyprland.nix
#../../modules/i3.nix
../../modules/fcitx5
../../modules/nur-packages.nix
../../modules/fhs-fonts.nix
# Include the results of the hardware scan.
./hardware-configuration.nix
../../modules/fcitx5
../../modules/fhs-fonts.nix
../../modules/hyprland.nix
#../../modules/i3.nix
../../modules/nur-packages.nix
../../modules/system.nix
../../modules/user_group.nix
../../secrets
];
# Bootloader.


@@ -214,19 +214,4 @@
# android development tools, this will install adb/fastboot and other android tools and udev rules
# see https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/programs/adb.nix
programs.adb.enable = true;
# users.groups = {
# docker = {};
# wireshark = {};
# };
# Define a user account. Don't forget to set a password with passwd.
users.users.ryan = {
isNormalUser = true;
description = "ryan";
extraGroups = [ "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP"
];
};
}

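--- /dev/null
+++ b/modules/user_group.nix
@@ -0,0 +1,18 @@
+{config, pkgs, ...}:
+{
+users.groups = {
+ryan = {};
+docker = {};
+wireshark = {};
+};
+# Define a user account. Don't forget to set a password with passwd.
+users.users.ryan = {
+isNormalUser = true;
+description = "ryan";
+extraGroups = [ "ryan" "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"
+];
+};
+}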
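Review bot: The authorized key in `openssh.authorizedKeys.keys` is the same `ssh-ed25519 AAAAC3…YpFBoj` key that `secrets/secrets.nix` lists as the `ryan` agenix recipient (and it appears a third time in the README), so a rotation has to touch all three places; a comment here would make that visible, e.g. `# same key as the "ryan" recipient in secrets/secrets.nix — rotate both together`. A `ryan` group is created but the user only joins it through `extraGroups`, so the primary group stays the default; if that is intended, a one-line comment saying so would stop the next reader from "fixing" it. `docker` and `wireshark` are declared as empty groups here; presumably the docker module declares `docker` as well, which merges in NixOS — verify no gid conflict is introduced on existing hosts.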

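--- /dev/null
+++ b/secrets/REAME.md
@@ -0,0 +1,87 @@
+# secrets management
+This directory contains my secret files, encrypt by agenix:
+- my wireguard configuration files, which is used by `wg-quick`
+- github token, used by nix flakes to query and downloads flakes from github
+- without this, you may reach out github api rate limit.
+- ssh key pairs for my homelab and other servers
+- ...
+## Add or Update Secrets
+This job is done by `agenix` CLI tool with the `./secrets.nix` file.
+Pretend you want to add a new secret file `xxx.age`, then:
+1. `cd` to this directory
+1. edit `secrets.nix`, add a new entry for `xxx.age`, which defines the
+encryption keys and the secret file path, e.g.
+```nix
+# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
+# agenix use the public keys defined in this file to encrypt the secrets.
+# and users can decrypt the secrets by any of the corresponding private keys.
+let
+# get user's ssh public key by command:
+# cat ~/.ssh/id_ed25519.pub
+# if you do not have one, you can generate it by command:
+# ssh-keygen -t ed25519
+ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+users = [ ryan ];
+# get system's ssh public key by command:
+# cat /etc/ssh/ssh_host_ed25519_key.pub
+msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
+systems = [ msi-rtx4090 ];
+in
+{
+"./encrypt/xxx.age".publicKeys = users ++ systems;
+}
+```
+2. create and edit the secret file `xxx.age` interactively by command:
+```shell
+agenix -e ./encrypt/xxx.age
+```
+3. or you can also encrypt an existing file to `xxx.age` by command:
+```shell
+agenix -e ./encrypt/xxx.age < /path/to/xxx
+```
+## Deploy Secrets
+This job is done by `nixos-rebuild` with the `./default.nix` file.
+An nixos module exmaple(need to set agenix as flake inputs first...):
+```nix
+{ config, pkgs, agenix, ... }:
+{
+imports = [
+agenix.nixosModules.default
+];
+environment.systemPackages = [
+agenix.packages."${pkgs.system}".default
+];
+age.secrets."xxx" = {
+# wether secrets are symlinked to age.secrets.<name>.path
+symlink = true;
+# target path for decrypted file
+path = "/etc/xxx/";
+# encrypted file path
+file = ./encrypt/xxx.age;
+mode = "0400";
+owner = "root";
+group = "root";
+};
+}
+```
+`nixos-rebuild` will decrypt the secrets using the private keys defined by argument `age.identityPaths`,
+And then symlink the secrets to the path defined by argument `age.secrets.<name>.path`, it defaults to `/etc/secrets`.
+NOTE: `age.identityPaths` it defaults to `~/.ssh/id_ed25519` and `~/.ssh/id_rsa`, so you should put your decrypt keys there. if you're deploying to the same machine as you're encrypting from, it should work out of the box.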

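--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, agenix, ... }:
+{
+imports = [
+agenix.nixosModules.default
+];
+environment.systemPackages = [
+agenix.packages."${pkgs.system}".default
+];
+# # wireguard config used with `wg-quick up wg-business`
+age.secrets."wg-business.conf" = {
+# wether secrets are symlinked to age.secrets.<name>.path
+symlink = true;
+# target path for decrypted file
+path = "/etc/wireguard/";
+# encrypted file path
+file = ./encrypt/wg-business.conf.age;
+mode = "0400";
+owner = "root";
+group = "root";
+};
+# smb-credentials is referenced in /etc/fstab, by ../hosts/msi-rtx4090/cifs-mount.nix
+age.secrets."smb-credentials" = {
+# wether secrets are symlinked to age.secrets.<name>.path
+symlink = true;
+# encrypted file path
+file = ./encrypt/smb-credentials.age;
+};
+}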
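Review bot: `path = "/etc/wireguard/";` names a directory rather than a file, while the option is documented in this very file as the "target path for decrypted file"; with `symlink = true` the install step, as far as I can tell, links the decrypted secret *into* that directory, so it only yields `/etc/wireguard/wg-business.conf` because the secret name happens to match, and it presumably fails on a fresh host where `/etc/wireguard` does not exist yet. I'd make the target explicit, `path = "/etc/wireguard/wg-business.conf";`, and fix the README example that copies the same pattern. The `smb-credentials` entry sets neither `mode` nor `owner`, unlike the WireGuard entry above it; if the intent is the same root-only file, state it for consistency with `mode = "0400"; owner = "root";` so a later default change cannot widen access to a credentials file. The `# #` prefix on the WireGuard comment looks like a leftover double comment marker.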


@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 YVM6Sg vO0DYm8iol7IBG6rscZq/LQpRHh54+DdOFUR01b6yR0
gqEePw0Fvo2uDAcwEObd7PLjA2vU6e6JhGGVoGULazA
-> ssh-ed25519 Q4ARMQ fyGN9P+rvYJ8Qk5Iiyjn++Ml/XiVMvk62EshD9JOvDA
ikPmvDRZwhkHAZ2U8R10QgpJlTTynHI5Vm50xxQiKT8
-> b[1(F-grease 23C oS"65TE ~50zBiB
eMwvm36CT7qLNS6gXVezB3m8pCKyTbKfuCq3vgi/D4DQXfDq4IdAANp0o6DKuaTX
gQOZK5zIELG4bHS9SQRW4H7eAjJBUgA
--- 1p8fRawaLk8WpQHYAE7sD016F6bo4agn2UxDuUtZzmI
g·ógs=kî½+nN½"±äóoá/=^÷Z§Ÿ<~ÑÓŽk˜i Gw3ó<33>Ñ”=( Aˆm 
úß¼¶<C2BC>êU#’à


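--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,20 @@
+# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
+let
+# get user's ssh public key by command:
+# cat ~/.ssh/id_ed25519.pub
+# if you do not have one, you can generate it by command:
+# ssh-keygen -t ed25519
+ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+users = [ ryan ];
+# get system's ssh public key by command:
+# cat /etc/ssh/ssh_host_ed25519_key.pub
+msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
+systems = [ msi-rtx4090 ];
+in
+{
+"./encrypt/wg-business.conf.age".publicKeys = users ++ systems;
+"./encrypt/smb-credentials.age".publicKeys = users ++ systems;
+# "./encrypt/secret123.age".publicKeys = [ user1 system1 ];
+}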
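Review bot: `systems = [ msi-rtx4090 ];` lists a single host key, yet both host configurations in this commit import `../../secrets`, so on the other host agenix has no matching identity to decrypt `wg-business.conf.age` and `smb-credentials.age` at activation unless its `age.identityPaths` is pointed at a copy of the `ryan` user key — add that host's `/etc/ssh/ssh_host_ed25519_key.pub` to `systems` and rekey the files with `agenix -r`. Note that `users ++ systems` gives every listed key the ability to decrypt every secret, so the SMB credentials are readable by any machine that receives the WireGuard config and vice versa; listing per-file recipients (only the hosts that actually mount the share) keeps the impact of one lost host key small. The commented example references undefined `user1`/`system1` names; a short `# placeholders:` remark would make clear they are not real bindings.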