diff --git a/flake.lock b/flake.lock
index a34bfef2..774c5035 100644
--- a/flake.lock
+++ b/flake.lock
@@ -515,10 +515,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1706264692,
- "narHash": "sha256-xgYP84Knm2JmEYttJ1N3DfJBTNNJ82klRmBtzlZLuog=",
+ "lastModified": 1706277557,
+ "narHash": "sha256-eDVEacTs1ifdTR6DZGDb9RoRR0V4dAZCK7SBWtLB+Zw=",
 "ref": "refs/heads/main",
- "rev": "17fdfb68739c474d0cb25906c77b33553b033a6a",
+ "rev": "75d7db5fca64885cac9dc58ba5fb1c3498ecb96e",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/hosts/idols_ai/home.nix b/hosts/idols_ai/home.nix
index 4865f904..35441641 100644
--- a/hosts/idols_ai/home.nix
+++ b/hosts/idols_ai/home.nix
@@ -21,8 +21,7 @@
 enable = true;
 extraConfig = ''
 Host github.com
- # github is controlled by gluttony~
- IdentityFile ~/.ssh/gluttony
+ IdentityFile ~/.ssh/idols-ai
 # Specifies that ssh should only use the identity file explicitly configured above
 # required to prevent sending default identity files first.
 IdentitiesOnly yes
diff --git a/modules/base.nix b/modules/base.nix
index fc466149..8fd6b068 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -13,7 +13,7 @@
 users.users.${username} = {
 description = userfullname;
 # Public Keys that can be used to login to all my PCs, Macbooks, and servers.
- #
+ #
 # Since its authority is so large, we must strengthen its security:
 # 1. The corresponding private key must be:
 # 1. Generated locally on every trusted client via:
@@ -26,6 +26,8 @@
 # 2. Or just use hardware security keys like Yubikey/CanoKey.
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
+ ""
 ];
 };
diff --git a/secrets/darwin.nix b/secrets/darwin.nix
index 43922c19..8ae17ed2 100644
--- a/secrets/darwin.nix
+++ b/secrets/darwin.nix
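Review bot: The removed line `# github is controlled by gluttony~` was the only hint about which key identifies this host to GitHub, and the replacement `IdentityFile ~/.ssh/idols-ai` carries no comment, so a reader of this `extraConfig` block cannot tell whether `~/.ssh/idols-ai` is a per-host key or one shared across machines. Add a one-line comment above it, e.g. `# per-host github key for idols_ai (kept out of the shared key list)`, and name where the key is generated if that is documented elsewhere. The `extraConfig` string and the enclosing program block start outside the hunk.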
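Review bot: The added `""` entry in `openssh.authorizedKeys.keys` is an empty string, which becomes a blank line in the generated authorized_keys file; sshd ignores blank lines, so it is harmless today, but it reads as an unfinished edit and is exactly where a future key gets pasted without anyone re-reading the rules above. Drop the `""` line, or replace it with a comment if it is meant as a placeholder. This is the list the preceding comment describes as granting login to every PC, Mac and server, so each addition such as `ryan@harmonica` should be checked against the key-generation requirements listed there; the `users.users.${username}` block continues outside the hunk.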
@@ -16,44 +16,79 @@ # if you changed this key, you need to regenerate all encrypt files from the decrypt contents! age.identityPaths = [ - "/Users/${username}/.ssh/juliet-age" # macOS + # Generate manually via `sudo ssh-keygen -A` + "/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption ]; - age.secrets = { - "wg-business.conf" = { - file = "${mysecrets}/wg-business.conf.age"; - owner = username; - }; - - "ssh-key-romantic" = { - file = "${mysecrets}/ssh-key-romantic.age"; - mode = "0600"; - owner = username; - }; - - "ryan4yin-gpg-subkeys.priv" = { - file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age"; + # owner = root + age.secrets = let + noaccess = { mode = "0000"; owner = "root"; }; + high_security = { + mode = "0500"; + owner = "root"; + }; + user_readable = { + mode = "0500"; + owner = username; + }; + in { + # --------------------------------------------- + # no one can read/write this file, even root. + # --------------------------------------------- + + "ryan4yin-gpg-subkeys.priv" = + { + file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age"; + } + // noaccess; + + # --------------------------------------------- + # only root can read this file. + # --------------------------------------------- + + "wg-business.conf" = + { + file = "${mysecrets}/wg-business.conf.age"; + } + // high_security; + + "rclone.conf" = + { + file = "${mysecrets}/rclone.conf.age"; + } + // high_security; + + "nix-access-tokens" = + { + file = "${mysecrets}/nix-access-tokens.age"; + } + // high_security; + + # --------------------------------------------- + # user can read this file. 
+ # --------------------------------------------- + + "ssh-key-romantic" = + { + file = "${mysecrets}/ssh-key-romantic.age"; + } + // user_readable; # alias-for-work - "alias-for-work.nushell" = { - file = "${mysecrets}/alias-for-work.nushell.age"; - mode = "0600"; - owner = username; - }; - "alias-for-work.bash" = { - file = "${mysecrets}/alias-for-work.bash.age"; - mode = "0600"; - owner = username; - }; + "alias-for-work.nushell" = + { + file = "${mysecrets}/alias-for-work.nushell.age"; + } + // user_readable; - "nix-access-tokens" = { - file = "${mysecrets}/nix-access-tokens.age"; - mode = "0600"; - owner = username; - }; + "alias-for-work.bash" = + { + file = "${mysecrets}/alias-for-work.bash.age"; + } + // user_readable; }; # place secrets in /etc/ @@ -64,6 +99,10 @@ source = config.age.secrets."wg-business.conf".path; }; + "agenix/rclone.conf" = { + source = config.age.secrets."rclone.conf".path; + }; + "agenix/ssh-key-romantic" = { source = config.age.secrets."ssh-key-romantic".path; }; diff --git a/secrets/nixos.nix b/secrets/nixos.nix index b225bfe0..4a61c21a 100644 --- a/secrets/nixos.nix +++ b/secrets/nixos.nix 
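Review bot: The `noaccess` preset (`mode = "0000"; owner = "root"`) is introduced with the comment `no one can read/write this file, even root.`, which is not what a 0000 mode does: DAC permission bits do not restrict root, so any root process can still read `ryan4yin-gpg-subkeys.priv` and the mode only keeps unprivileged users out. Reword it to `# mode 0000: unreadable by any unprivileged user; root can still read it.` so nobody relies on the stronger guarantee. Separately, `high_security` and `user_readable` both use `mode = "0500"`, which sets the execute bit on files that are configs and private keys; `0400` gives the same read access without it. The `# owner = root` line above `age.secrets = let` is also misleading, since `user_readable` sets `owner = username`. The same three presets and comments are duplicated in the secrets/nixos.nix hunk below and need the same fixes.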
@@ -18,51 +18,86 @@ age.identityPaths = [ # To decrypt secrets on boot, this key should exists when the system is booting, # so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence. - "/persistent/home/${username}/.ssh/juliet-age" # Linux + "/persistent/etc/ssh/ssh_host_ed25519_key" # Linux ]; - # Used only by NixOS Modules - # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix - age.secrets."smb-credentials" = { - file = "${mysecrets}/smb-credentials.age"; - owner = username; - }; - - age.secrets = { - "wg-business.conf" = { - file = "${mysecrets}/wg-business.conf.age"; - owner = username; - }; - - "ssh-key-romantic" = { - file = "${mysecrets}/ssh-key-romantic.age"; - mode = "0600"; - owner = username; - }; - - "ryan4yin-gpg-subkeys.priv" = { - file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age"; + # owner = root + age.secrets = let + noaccess = { mode = "0000"; owner = "root"; }; + high_security = { + mode = "0500"; + owner = "root"; + }; + user_readable = { + mode = "0500"; + owner = username; + }; + in { + # --------------------------------------------- + # no one can read/write this file, even root. + # --------------------------------------------- + + "ryan4yin-gpg-subkeys.priv" = + { + file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age"; + } + // noaccess; + + # --------------------------------------------- + # only root can read this file. 
+ # --------------------------------------------- + + "wg-business.conf" = + { + file = "${mysecrets}/wg-business.conf.age"; + } + // high_security; + + # Used only by NixOS Modules + # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix + "smb-credentials" = + { + file = "${mysecrets}/smb-credentials.age"; + } + // high_security; + + "rclone.conf" = + { + file = "${mysecrets}/rclone.conf.age"; + } + // high_security; + + "nix-access-tokens" = + { + file = "${mysecrets}/nix-access-tokens.age"; + } + // high_security; + + # --------------------------------------------- + # user can read this file. + # --------------------------------------------- + + "ssh-key-romantic" = + { + file = "${mysecrets}/ssh-key-romantic.age"; + } + // user_readable; # alias-for-work - "alias-for-work.nushell" = { - file = "${mysecrets}/alias-for-work.nushell.age"; - mode = "0600"; - owner = username; - }; - "alias-for-work.bash" = { - file = "${mysecrets}/alias-for-work.bash.age"; - mode = "0600"; - owner = username; - }; + "alias-for-work.nushell" = + { + file = "${mysecrets}/alias-for-work.nushell.age"; + } + // user_readable; - "nix-access-tokens" = { - file = "${mysecrets}/nix-access-tokens.age"; - mode = "0600"; - owner = username; - }; + "alias-for-work.bash" = + { + file = "${mysecrets}/alias-for-work.bash.age"; + } + // user_readable; }; # place secrets in /etc/ @@ -72,6 +107,10 @@ source = config.age.secrets."wg-business.conf".path; }; + "agenix/rclone.conf" = { + source = config.age.secrets."rclone.conf".path; + }; + "agenix/ssh-key-romantic" = { source = config.age.secrets."ssh-key-romantic".path; mode = "0600";
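Review bot: `smb-credentials` moves from its own `age.secrets."smb-credentials"` assignment with `owner = username` to the root-only `high_security` preset, a tightening the surrounding comment does not mention; since it is consumed from /etc/fstab by `../hosts/ai/cifs-mount.nix` and mounting runs as root this should still work, but any manual mount as `${username}` would now fail, so a note such as `# root-only: read by the fstab cifs mount, never by the user session` would record the intent. The identity path now points at `/persistent/etc/ssh/ssh_host_ed25519_key`, so decryption is bound to the persisted host key; per the comment at the top of the hunk every `.age` file must have been re-encrypted for that key's public half, which presumably is what the `mysecrets` bump in flake.lock carries — confirm the agenix rules include the host key before switching. The `noaccess` comment and the `0500` modes have the same issues raised on the secrets/darwin.nix hunk. The `age.secrets` set closes inside the hunk, but the enclosing module continues outside it.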