feat: add agenix for secrets management

.gitignore

@@ -1,3 +0,0 @@
-
-
-.smb_credentials

Makefile

@@ -1,6 +1,9 @@
 deploy: 
 	sudo nixos-rebuild switch --flake .
 
+debug:
+	sudo nixos-rebuild switch --flake . --show-trace --verbose
+
 update:
 	nix flake update
 

README.md

@@ -9,7 +9,6 @@ This repository is home to the nix code that builds my systems.
 
 ## TODO
 
-- [sops-nix](https://github.com/Mic92/sops-nix): secret management
 - make fcitx5-rime work in vscode/chrome on wayland
 - adjust the structure of this repo, make it more flexible, and can easily switch between i3, sway and hyprland.
 - migrate my private tools & wireguard configurations into nixos, make it a private flake(private github repo), and used it as flake inputs in this repo.
@@ -33,8 +32,13 @@ sudo nixos-rebuild switch --flake .#nixos-test
 
 # deploy my PC's configuration
 sudo nixos-rebuild switch --flake .#msi-rtx4090
-```
 
+# or just deploy with hostname
+sudo nixos-rebuild switch
+
+# we can also deploy using make, which is defined in Makefile
+make deploy
+```
 
 ## Install Apps from Flatpak
 

flake.lock

@@ -1,10 +1,53 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1684153753,
+        "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1684343812,
+        "narHash": "sha256-ZTEjiC8PDKeP8JRchuwcFXUNlMcyQ4U+DpyVZ3pB6Q4=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "dfbdabbb3e797334172094d4f6c0ffca8c791281",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "devenv": {
       "inputs": {
         "flake-compat": "flake-compat",
         "nix": "nix",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
@@ -131,6 +174,27 @@
       }
     },
     "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1684596126,
+        "narHash": "sha256-4RZZmygeEXpuBqEXGs38ZAcWjWKGwu13Iqbxub6wuJk=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "27ef11f0218d9018ebb2948d40133df2b1de622d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
@@ -153,7 +217,7 @@
     "hyprland": {
       "inputs": {
         "hyprland-protocols": "hyprland-protocols",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
         "wlroots": "wlroots",
         "xdph": "xdph"
       },
@@ -255,7 +319,7 @@
     "nix-eval-jobs": {
       "inputs": {
         "flake-parts": "flake-parts",
-        "nixpkgs": "nixpkgs_4"
+        "nixpkgs": "nixpkgs_5"
       },
       "locked": {
         "lastModified": 1682480188,
@@ -273,16 +337,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1677534593,
+        "lastModified": 1684570954,
-        "narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=",
+        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a",
+        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -355,14 +419,14 @@
         "flake-compat": "flake-compat_2",
         "lib-aggregate": "lib-aggregate",
         "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": "nixpkgs_5"
+        "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1684578926,
+        "lastModified": 1684592015,
-        "narHash": "sha256-gOC+D019uldIP0hdhr2uHn6scZJFWioETOvZy8mkX3Q=",
+        "narHash": "sha256-6gFt1LE/stVQFeGI263pU6O5EAeY1TPTGee1vvbkwZo=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "17eb467ccf21704e9d079eafc0083597e84020e5",
+        "rev": "aeb1b88206756e867e398d18e2856b60fc803e12",
         "type": "github"
       },
       "original": {
@@ -372,6 +436,22 @@
       }
     },
     "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1677534593,
+        "narHash": "sha256-PuZSAHeq4/9pP/uYH1FcagQ3nLm/DrDrvKi/xC9glvw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "3ad64d9e2d5bf80c877286102355b1625891ae9a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
       "locked": {
         "lastModified": 1683014792,
         "narHash": "sha256-6Va9iVtmmsw4raBc3QKvQT2KT/NGRWlvUlJj46zN8B8=",
@@ -387,7 +467,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_3": {
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1684570954,
         "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
@@ -403,7 +483,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
       "locked": {
         "lastModified": 1681347147,
         "narHash": "sha256-B+hTioRc3Jdf4SJyeCiO0fW5ShIznJk2OTiW2vOV+mc=",
@@ -419,13 +499,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_5": {
+    "nixpkgs_6": {
       "locked": {
-        "lastModified": 1684528365,
+        "lastModified": 1684570954,
-        "narHash": "sha256-2b5IfkV6WPZ3S9SgIajbftinfGlBnwUwOcmLiyCck+w=",
+        "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5ae23a806c7cb16e2ade63400d0c6e5aa8e54797",
+        "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
         "type": "github"
       },
       "original": {
@@ -480,10 +560,11 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "devenv": "devenv",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
         "hyprland": "hyprland",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_4",
         "nixpkgs-stable": "nixpkgs-stable_2",
         "nixpkgs-wayland": "nixpkgs-wayland",
         "nur": "nur"

flake.nix

@@ -54,6 +54,9 @@
 
     # use devenv to manage my development environment
     devenv.url = "github:cachix/devenv/v0.6.2";
+    
+    # secrets management, lock with git commit at 2023/5/15
+    agenix.url = "github:ryantm/agenix/db5637d10f797bb251b94ef9040b237f4702cde3";
   };
 
   # outputs 的参数都是 inputs 中定义的依赖项，可以通过它们的名称来引用。

hosts/msi-rtx4090/cifs-mount.nix

@@ -5,7 +5,9 @@
   fileSystems."/home/ryan/SMB-Downloads" = {
       device = "//192.168.5.194/Downloads";
       fsType = "cifs";
-      options = ["vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=/etc/nixos/.smb_credentials,nofail"];
+      options = [
+        "vers=3.0,uid=1000,gid=100,dir_mode=0755,file_mode=0755,mfsymlinks,credentials=${config.age.secrets.smb-credentials.path},nofail"
+      ];
   };
 }
 

hosts/msi-rtx4090/default.nix

@@ -21,17 +21,19 @@
       # Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
       nur.nixosModules.nur
 
-
       ./cifs-mount.nix
-      ../../modules/system.nix
-      ../../modules/hyprland.nix
-      #../../modules/i3.nix
-      ../../modules/fcitx5
-      ../../modules/nur-packages.nix
-      ../../modules/fhs-fonts.nix
-
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
+
+      ../../modules/fcitx5
+      ../../modules/fhs-fonts.nix
+      ../../modules/hyprland.nix
+      #../../modules/i3.nix
+      ../../modules/nur-packages.nix
+      ../../modules/system.nix
+      ../../modules/user_group.nix
+
+      ../../secrets
     ];
 
   # Bootloader.

hosts/nixos-test/default.nix

@@ -20,16 +20,18 @@
       # Use `config.nur.repos.<user>.<package-name>` in NixOS Module for packages from the NUR.
       nur.nixosModules.nur
 
-
-      ../../modules/system.nix
-      ../../modules/hyprland.nix
-      #../../modules/i3.nix
-      ../../modules/fcitx5
-      ../../modules/nur-packages.nix
-      ../../modules/fhs-fonts.nix
-
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
+
+      ../../modules/fcitx5
+      ../../modules/fhs-fonts.nix
+      ../../modules/hyprland.nix
+      #../../modules/i3.nix
+      ../../modules/nur-packages.nix
+      ../../modules/system.nix
+      ../../modules/user_group.nix
+
+      ../../secrets
     ];
 
   # Bootloader.

modules/system.nix

@@ -214,19 +214,4 @@
   # android development tools, this will install adb/fastboot and other android tools and udev rules
   # see https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/programs/adb.nix
   programs.adb.enable = true;
-
-
-  # users.groups = {
-  #   docker = {};
-  #   wireshark = {};
-  # };
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.ryan = {
-    isNormalUser = true;
-    description = "ryan";
-    extraGroups = [ "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
-    openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj admin@ryan-MBP"
-    ];
-  };
 }

modules/user_group.nix

@@ -0,0 +1,18 @@
+{config, pkgs, ...}:
+
+{
+  users.groups = {
+    ryan = {};
+    docker = {};
+    wireshark = {};
+  };
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.ryan = {
+    isNormalUser = true;
+    description = "ryan";
+    extraGroups = [ "ryan" "users" "networkmanager" "wheel" "docker" "wireshark" "adbusers" ];
+    openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"
+    ];
+  };
+}

secrets/REAME.md

@@ -0,0 +1,87 @@
+# secrets management
+
+This directory contains my secret files, encrypt by agenix:
+
+- my wireguard configuration files, which is used by `wg-quick`
+- github token, used by nix flakes to query and downloads flakes from github
+  - without this, you may reach out github api rate limit.
+- ssh key pairs for my homelab and other servers
+- ...
+
+## Add or Update Secrets
+
+This job is done by `agenix` CLI tool with the `./secrets.nix` file.
+
+Pretend you want to add a new secret file `xxx.age`, then:
+
+1. `cd` to this directory
+1. edit `secrets.nix`, add a new entry for `xxx.age`, which defines the
+   encryption keys and the secret file path, e.g.
+  ```nix
+  # This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
+  # agenix use the public keys defined in this file to encrypt the secrets.
+  # and users can decrypt the secrets by any of the corresponding private keys.
+
+  let
+    # get user's ssh public key by command:
+    #     cat ~/.ssh/id_ed25519.pub
+    # if you do not have one, you can generate it by command:
+    #     ssh-keygen -t ed25519
+    ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+    users = [ ryan ];
+
+    # get system's ssh public key by command:
+    #    cat /etc/ssh/ssh_host_ed25519_key.pub
+    msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
+    systems = [ msi-rtx4090 ];
+  in
+  {
+    "./encrypt/xxx.age".publicKeys = users ++ systems;
+  }
+  ```
+2. create and edit the secret file `xxx.age` interactively by command:
+  ```shell
+  agenix -e ./encrypt/xxx.age
+  ```
+3. or you can also encrypt an existing file to `xxx.age` by command:
+  ```shell
+  agenix -e ./encrypt/xxx.age < /path/to/xxx
+  ```
+
+
+## Deploy Secrets
+
+This job is done by `nixos-rebuild` with the `./default.nix` file.
+
+An nixos module exmaple(need to set agenix as flake inputs first...):
+
+```nix
+{ config, pkgs, agenix, ... }:
+
+{
+  imports = [
+     agenix.nixosModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default 
+  ];
+
+  age.secrets."xxx" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # target path for decrypted file
+    path = "/etc/xxx/";
+    # encrypted file path
+    file = ./encrypt/xxx.age;
+    mode = "0400";
+    owner = "root";
+    group = "root";
+  };
+}
+```
+
+`nixos-rebuild` will decrypt the secrets using the private keys defined by argument `age.identityPaths`,
+And then symlink the secrets to the path defined by argument `age.secrets.<name>.path`, it defaults to `/etc/secrets`.
+
+NOTE: `age.identityPaths` it defaults to `~/.ssh/id_ed25519` and `~/.ssh/id_rsa`, so you should put your decrypt keys there. if you're deploying to the same machine as you're encrypting from, it should work out of the box.

secrets/default.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, agenix, ... }:
+
+{
+  imports = [
+     agenix.nixosModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default 
+  ];
+
+  # # wireguard config used with `wg-quick up wg-business`  
+  age.secrets."wg-business.conf" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # target path for decrypted file
+    path = "/etc/wireguard/";
+    # encrypted file path
+    file = ./encrypt/wg-business.conf.age;
+    mode = "0400";
+    owner = "root";
+    group = "root";
+  };
+
+  # smb-credentials is referenced in /etc/fstab, by ../hosts/msi-rtx4090/cifs-mount.nix
+  age.secrets."smb-credentials" = {
+    # wether secrets are symlinked to age.secrets.<name>.path
+    symlink = true;
+    # encrypted file path
+    file = ./encrypt/smb-credentials.age;
+  };
+}

secrets/encrypt/smb-credentials.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 YVM6Sg vO0DYm8iol7IBG6rscZq/LQpRHh54+DdOFUR01b6yR0
+gqEePw0Fvo2uDAcwEObd7PLjA2vU6e6JhGGVoGULazA
+-> ssh-ed25519 Q4ARMQ fyGN9P+rvYJ8Qk5Iiyjn++Ml/XiVMvk62EshD9JOvDA
+ikPmvDRZwhkHAZ2U8R10QgpJlTTynHI5Vm50xxQiKT8
+-> b[1(F-grease 23C oS"65TE ~50zBiB
+eMwvm36CT7qLNS6gXVezB3m8pCKyTbKfuCq3vgi/D4DQXfDq4IdAANp0o6DKuaTX
+gQOZK5zIELG4bHS9SQRW4H7eAjJBUgA
+--- 1p8fRawaLk8WpQHYAE7sD016F6bo4agn2UxDuUtZzmI
+g·ógs=k+nN½"±äóoá/=^÷Z§Ÿ<~ÑÓŽ
k˜i Gw3ó<33>Ñ”=(Aˆm	
+úß¼¶<C2BC>êU#’à

secrets/secrets.nix

@@ -0,0 +1,20 @@
+# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
+
+let
+  # get user's ssh public key by command:
+  #     cat ~/.ssh/id_ed25519.pub
+  # if you do not have one, you can generate it by command:
+  #     ssh-keygen -t ed25519
+  ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
+  users = [ ryan ];
+
+  # get system's ssh public key by command:
+  #    cat /etc/ssh/ssh_host_ed25519_key.pub
+  msi-rtx4090 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@msi-rtx4090";
+  systems = [ msi-rtx4090 ];
+in
+{
+  "./encrypt/wg-business.conf.age".publicKeys = users ++ systems;
+  "./encrypt/smb-credentials.age".publicKeys = users ++ systems;
+  # "./encrypt/secret123.age".publicKeys = [ user1 system1 ];
+}