feat: agenix - use the system's host ssh key for cryption

This commit is contained in:
Ryan Yin
2024-01-26 20:52:16 +08:00
parent d1cdddc9ca
commit 7f72a0612b
5 changed files with 152 additions and 73 deletions
Generated
+3 -3
View File
@@ -515,10 +515,10 @@
"mysecrets": { "mysecrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1706264692, "lastModified": 1706277557,
"narHash": "sha256-xgYP84Knm2JmEYttJ1N3DfJBTNNJ82klRmBtzlZLuog=", "narHash": "sha256-eDVEacTs1ifdTR6DZGDb9RoRR0V4dAZCK7SBWtLB+Zw=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "17fdfb68739c474d0cb25906c77b33553b033a6a", "rev": "75d7db5fca64885cac9dc58ba5fb1c3498ecb96e",
"shallow": true, "shallow": true,
"type": "git", "type": "git",
"url": "ssh://git@github.com/ryan4yin/nix-secrets.git" "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
+1 -2
View File
@@ -21,8 +21,7 @@
enable = true; enable = true;
extraConfig = '' extraConfig = ''
Host github.com Host github.com
# github is controlled by gluttony~ IdentityFile ~/.ssh/idols-ai
IdentityFile ~/.ssh/gluttony
# Specifies that ssh should only use the identity file explicitly configured above # Specifies that ssh should only use the identity file explicitly configured above
# required to prevent sending default identity files first. # required to prevent sending default identity files first.
IdentitiesOnly yes IdentitiesOnly yes
+2
View File
@@ -26,6 +26,8 @@
# 2. Or just use hardware security keys like Yubikey/CanoKey. # 2. Or just use hardware security keys like Yubikey/CanoKey.
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
""
]; ];
}; };
+69 -30
View File
@@ -16,44 +16,79 @@
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents! # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths = [ age.identityPaths = [
"/Users/${username}/.ssh/juliet-age" # macOS # Generate manually via `sudo ssh-keygen -A`
"/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
]; ];
age.secrets = { # owner = root
"wg-business.conf" = { age.secrets = let
file = "${mysecrets}/wg-business.conf.age"; noaccess = {
owner = username;
};
"ssh-key-romantic" = {
file = "${mysecrets}/ssh-key-romantic.age";
mode = "0600";
owner = username;
};
"ryan4yin-gpg-subkeys.priv" = {
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
mode = "0000"; mode = "0000";
owner = "root"; owner = "root";
}; };
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
"ryan4yin-gpg-subkeys.priv" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work # alias-for-work
"alias-for-work.nushell" = { "alias-for-work.nushell" =
file = "${mysecrets}/alias-for-work.nushell.age"; {
mode = "0600"; file = "${mysecrets}/alias-for-work.nushell.age";
owner = username; }
}; // user_readable;
"alias-for-work.bash" = {
file = "${mysecrets}/alias-for-work.bash.age";
mode = "0600";
owner = username;
};
"nix-access-tokens" = { "alias-for-work.bash" =
file = "${mysecrets}/nix-access-tokens.age"; {
mode = "0600"; file = "${mysecrets}/alias-for-work.bash.age";
owner = username; }
}; // user_readable;
}; };
# place secrets in /etc/ # place secrets in /etc/
@@ -64,6 +99,10 @@
source = config.age.secrets."wg-business.conf".path; source = config.age.secrets."wg-business.conf".path;
}; };
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = { "agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path; source = config.age.secrets."ssh-key-romantic".path;
}; };
+76 -37
View File
@@ -18,51 +18,86 @@
age.identityPaths = [ age.identityPaths = [
# To decrypt secrets on boot, this key should exists when the system is booting, # To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence. # so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/home/${username}/.ssh/juliet-age" # Linux "/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]; ];
# Used only by NixOS Modules # owner = root
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix age.secrets = let
age.secrets."smb-credentials" = { noaccess = {
file = "${mysecrets}/smb-credentials.age";
owner = username;
};
age.secrets = {
"wg-business.conf" = {
file = "${mysecrets}/wg-business.conf.age";
owner = username;
};
"ssh-key-romantic" = {
file = "${mysecrets}/ssh-key-romantic.age";
mode = "0600";
owner = username;
};
"ryan4yin-gpg-subkeys.priv" = {
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
mode = "0000"; mode = "0000";
owner = "root"; owner = "root";
}; };
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
"ryan4yin-gpg-subkeys.priv" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work # alias-for-work
"alias-for-work.nushell" = { "alias-for-work.nushell" =
file = "${mysecrets}/alias-for-work.nushell.age"; {
mode = "0600"; file = "${mysecrets}/alias-for-work.nushell.age";
owner = username; }
}; // user_readable;
"alias-for-work.bash" = {
file = "${mysecrets}/alias-for-work.bash.age";
mode = "0600";
owner = username;
};
"nix-access-tokens" = { "alias-for-work.bash" =
file = "${mysecrets}/nix-access-tokens.age"; {
mode = "0600"; file = "${mysecrets}/alias-for-work.bash.age";
owner = username; }
}; // user_readable;
}; };
# place secrets in /etc/ # place secrets in /etc/
@@ -72,6 +107,10 @@
source = config.age.secrets."wg-business.conf".path; source = config.age.secrets."wg-business.conf".path;
}; };
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = { "agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path; source = config.age.secrets."ssh-key-romantic".path;
mode = "0600"; mode = "0600";