feat: agenix - use the system's host ssh key for cryption

2026-01-11 20:40:24 +01:00 · 2024-01-26 20:52:16 +08:00
parent d1cdddc9ca
commit 7f72a0612b
5 changed files with 152 additions and 73 deletions
--- a/secrets/darwin.nix
+++ b/secrets/darwin.nix
@@ -16,44 +16,79 @@

  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
  age.identityPaths = [
-    "/Users/${username}/.ssh/juliet-age" # macOS
+    # Generate manually via `sudo ssh-keygen -A`
+    "/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
  ];

-  age.secrets = {
-    "wg-business.conf" = {
-      file = "${mysecrets}/wg-business.conf.age";
-      owner = username;
-    };
-
-    "ssh-key-romantic" = {
-      file = "${mysecrets}/ssh-key-romantic.age";
-      mode = "0600";
-      owner = username;
-    };
-
-    "ryan4yin-gpg-subkeys.priv" = {
-      file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+  # owner = root
+  age.secrets = let
+    noaccess = {
      mode = "0000";
      owner = "root";
    };
+    high_security = {
+      mode = "0500";
+      owner = "root";
+    };
+    user_readable = {
+      mode = "0500";
+      owner = username;
+    };
+  in {
+    # ---------------------------------------------
+    # no one can read/write this file, even root.
+    # ---------------------------------------------
+
+    "ryan4yin-gpg-subkeys.priv" =
+      {
+        file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+      }
+      // noaccess;
+
+    # ---------------------------------------------
+    # only root can read this file.
+    # ---------------------------------------------
+
+    "wg-business.conf" =
+      {
+        file = "${mysecrets}/wg-business.conf.age";
+      }
+      // high_security;
+
+    "rclone.conf" =
+      {
+        file = "${mysecrets}/rclone.conf.age";
+      }
+      // high_security;
+
+    "nix-access-tokens" =
+      {
+        file = "${mysecrets}/nix-access-tokens.age";
+      }
+      // high_security;
+
+    # ---------------------------------------------
+    # user can read this file.
+    # ---------------------------------------------
+
+    "ssh-key-romantic" =
+      {
+        file = "${mysecrets}/ssh-key-romantic.age";
+      }
+      // user_readable;

    # alias-for-work
-    "alias-for-work.nushell" = {
-      file = "${mysecrets}/alias-for-work.nushell.age";
-      mode = "0600";
-      owner = username;
-    };
-    "alias-for-work.bash" = {
-      file = "${mysecrets}/alias-for-work.bash.age";
-      mode = "0600";
-      owner = username;
-    };
+    "alias-for-work.nushell" =
+      {
+        file = "${mysecrets}/alias-for-work.nushell.age";
+      }
+      // user_readable;

-    "nix-access-tokens" = {
-      file = "${mysecrets}/nix-access-tokens.age";
-      mode = "0600";
-      owner = username;
-    };
+    "alias-for-work.bash" =
+      {
+        file = "${mysecrets}/alias-for-work.bash.age";
+      }
+      // user_readable;
  };

  # place secrets in /etc/
@@ -64,6 +99,10 @@
      source = config.age.secrets."wg-business.conf".path;
    };

+    "agenix/rclone.conf" = {
+      source = config.age.secrets."rclone.conf".path;
+    };
+
    "agenix/ssh-key-romantic" = {
      source = config.age.secrets."ssh-key-romantic".path;
    };
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -18,51 +18,86 @@
  age.identityPaths = [
    # To decrypt secrets on boot, this key should exists when the system is booting,
    # so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
-    "/persistent/home/${username}/.ssh/juliet-age" # Linux
+    "/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
  ];

-  # Used only by NixOS Modules
-  # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
-  age.secrets."smb-credentials" = {
-    file = "${mysecrets}/smb-credentials.age";
-    owner = username;
-  };
-
-  age.secrets = {
-    "wg-business.conf" = {
-      file = "${mysecrets}/wg-business.conf.age";
-      owner = username;
-    };
-
-    "ssh-key-romantic" = {
-      file = "${mysecrets}/ssh-key-romantic.age";
-      mode = "0600";
-      owner = username;
-    };
-
-    "ryan4yin-gpg-subkeys.priv" = {
-      file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+  # owner = root
+  age.secrets = let
+    noaccess = {
      mode = "0000";
      owner = "root";
    };
+    high_security = {
+      mode = "0500";
+      owner = "root";
+    };
+    user_readable = {
+      mode = "0500";
+      owner = username;
+    };
+  in {
+    # ---------------------------------------------
+    # no one can read/write this file, even root.
+    # ---------------------------------------------
+
+    "ryan4yin-gpg-subkeys.priv" =
+      {
+        file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+      }
+      // noaccess;
+
+    # ---------------------------------------------
+    # only root can read this file.
+    # ---------------------------------------------
+
+    "wg-business.conf" =
+      {
+        file = "${mysecrets}/wg-business.conf.age";
+      }
+      // high_security;
+
+    # Used only by NixOS Modules
+    # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
+    "smb-credentials" =
+      {
+        file = "${mysecrets}/smb-credentials.age";
+      }
+      // high_security;
+
+    "rclone.conf" =
+      {
+        file = "${mysecrets}/rclone.conf.age";
+      }
+      // high_security;
+
+    "nix-access-tokens" =
+      {
+        file = "${mysecrets}/nix-access-tokens.age";
+      }
+      // high_security;
+
+    # ---------------------------------------------
+    # user can read this file.
+    # ---------------------------------------------
+
+    "ssh-key-romantic" =
+      {
+        file = "${mysecrets}/ssh-key-romantic.age";
+      }
+      // user_readable;

    # alias-for-work
-    "alias-for-work.nushell" = {
-      file = "${mysecrets}/alias-for-work.nushell.age";
-      mode = "0600";
-      owner = username;
-    };
-    "alias-for-work.bash" = {
-      file = "${mysecrets}/alias-for-work.bash.age";
-      mode = "0600";
-      owner = username;
-    };
+    "alias-for-work.nushell" =
+      {
+        file = "${mysecrets}/alias-for-work.nushell.age";
+      }
+      // user_readable;

-    "nix-access-tokens" = {
-      file = "${mysecrets}/nix-access-tokens.age";
-      mode = "0600";
-      owner = username;
-    };
+    "alias-for-work.bash" =
+      {
+        file = "${mysecrets}/alias-for-work.bash.age";
+      }
+      // user_readable;
  };

  # place secrets in /etc/
@@ -72,6 +107,10 @@
      source = config.age.secrets."wg-business.conf".path;
    };

+    "agenix/rclone.conf" = {
+      source = config.age.secrets."rclone.conf".path;
+    };
+
    "agenix/ssh-key-romantic" = {
      source = config.age.secrets."ssh-key-romantic".path;
      mode = "0600";