mirror of
https://github.com/ryan4yin/nix-config.git
synced 2026-07-14 16:42:43 +02:00
feat: agenix - use the system's host ssh key for cryption
This commit is contained in:
Generated
+3
-3
@@ -515,10 +515,10 @@
|
|||||||
"mysecrets": {
|
"mysecrets": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1706264692,
|
"lastModified": 1706277557,
|
||||||
"narHash": "sha256-xgYP84Knm2JmEYttJ1N3DfJBTNNJ82klRmBtzlZLuog=",
|
"narHash": "sha256-eDVEacTs1ifdTR6DZGDb9RoRR0V4dAZCK7SBWtLB+Zw=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "17fdfb68739c474d0cb25906c77b33553b033a6a",
|
"rev": "75d7db5fca64885cac9dc58ba5fb1c3498ecb96e",
|
||||||
"shallow": true,
|
"shallow": true,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
|
"url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
|
||||||
|
|||||||
@@ -21,8 +21,7 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
Host github.com
|
Host github.com
|
||||||
# github is controlled by gluttony~
|
IdentityFile ~/.ssh/idols-ai
|
||||||
IdentityFile ~/.ssh/gluttony
|
|
||||||
# Specifies that ssh should only use the identity file explicitly configured above
|
# Specifies that ssh should only use the identity file explicitly configured above
|
||||||
# required to prevent sending default identity files first.
|
# required to prevent sending default identity files first.
|
||||||
IdentitiesOnly yes
|
IdentitiesOnly yes
|
||||||
|
|||||||
@@ -26,6 +26,8 @@
|
|||||||
# 2. Or just use hardware security keys like Yubikey/CanoKey.
|
# 2. Or just use hardware security keys like Yubikey/CanoKey.
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
|
||||||
|
""
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
+69
-30
@@ -16,44 +16,79 @@
|
|||||||
|
|
||||||
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
|
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
|
||||||
age.identityPaths = [
|
age.identityPaths = [
|
||||||
"/Users/${username}/.ssh/juliet-age" # macOS
|
# Generate manually via `sudo ssh-keygen -A`
|
||||||
|
"/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
|
||||||
];
|
];
|
||||||
|
|
||||||
age.secrets = {
|
# owner = root
|
||||||
"wg-business.conf" = {
|
age.secrets = let
|
||||||
file = "${mysecrets}/wg-business.conf.age";
|
noaccess = {
|
||||||
owner = username;
|
|
||||||
};
|
|
||||||
|
|
||||||
"ssh-key-romantic" = {
|
|
||||||
file = "${mysecrets}/ssh-key-romantic.age";
|
|
||||||
mode = "0600";
|
|
||||||
owner = username;
|
|
||||||
};
|
|
||||||
|
|
||||||
"ryan4yin-gpg-subkeys.priv" = {
|
|
||||||
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
|
|
||||||
mode = "0000";
|
mode = "0000";
|
||||||
owner = "root";
|
owner = "root";
|
||||||
};
|
};
|
||||||
|
high_security = {
|
||||||
|
mode = "0500";
|
||||||
|
owner = "root";
|
||||||
|
};
|
||||||
|
user_readable = {
|
||||||
|
mode = "0500";
|
||||||
|
owner = username;
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
# ---------------------------------------------
|
||||||
|
# no one can read/write this file, even root.
|
||||||
|
# ---------------------------------------------
|
||||||
|
|
||||||
|
"ryan4yin-gpg-subkeys.priv" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
|
||||||
|
}
|
||||||
|
// noaccess;
|
||||||
|
|
||||||
|
# ---------------------------------------------
|
||||||
|
# only root can read this file.
|
||||||
|
# ---------------------------------------------
|
||||||
|
|
||||||
|
"wg-business.conf" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/wg-business.conf.age";
|
||||||
|
}
|
||||||
|
// high_security;
|
||||||
|
|
||||||
|
"rclone.conf" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/rclone.conf.age";
|
||||||
|
}
|
||||||
|
// high_security;
|
||||||
|
|
||||||
|
"nix-access-tokens" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/nix-access-tokens.age";
|
||||||
|
}
|
||||||
|
// high_security;
|
||||||
|
|
||||||
|
# ---------------------------------------------
|
||||||
|
# user can read this file.
|
||||||
|
# ---------------------------------------------
|
||||||
|
|
||||||
|
"ssh-key-romantic" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/ssh-key-romantic.age";
|
||||||
|
}
|
||||||
|
// user_readable;
|
||||||
|
|
||||||
# alias-for-work
|
# alias-for-work
|
||||||
"alias-for-work.nushell" = {
|
"alias-for-work.nushell" =
|
||||||
file = "${mysecrets}/alias-for-work.nushell.age";
|
{
|
||||||
mode = "0600";
|
file = "${mysecrets}/alias-for-work.nushell.age";
|
||||||
owner = username;
|
}
|
||||||
};
|
// user_readable;
|
||||||
"alias-for-work.bash" = {
|
|
||||||
file = "${mysecrets}/alias-for-work.bash.age";
|
|
||||||
mode = "0600";
|
|
||||||
owner = username;
|
|
||||||
};
|
|
||||||
|
|
||||||
"nix-access-tokens" = {
|
"alias-for-work.bash" =
|
||||||
file = "${mysecrets}/nix-access-tokens.age";
|
{
|
||||||
mode = "0600";
|
file = "${mysecrets}/alias-for-work.bash.age";
|
||||||
owner = username;
|
}
|
||||||
};
|
// user_readable;
|
||||||
};
|
};
|
||||||
|
|
||||||
# place secrets in /etc/
|
# place secrets in /etc/
|
||||||
@@ -64,6 +99,10 @@
|
|||||||
source = config.age.secrets."wg-business.conf".path;
|
source = config.age.secrets."wg-business.conf".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"agenix/rclone.conf" = {
|
||||||
|
source = config.age.secrets."rclone.conf".path;
|
||||||
|
};
|
||||||
|
|
||||||
"agenix/ssh-key-romantic" = {
|
"agenix/ssh-key-romantic" = {
|
||||||
source = config.age.secrets."ssh-key-romantic".path;
|
source = config.age.secrets."ssh-key-romantic".path;
|
||||||
};
|
};
|
||||||
|
|||||||
+76
-37
@@ -18,51 +18,86 @@
|
|||||||
age.identityPaths = [
|
age.identityPaths = [
|
||||||
# To decrypt secrets on boot, this key should exists when the system is booting,
|
# To decrypt secrets on boot, this key should exists when the system is booting,
|
||||||
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
|
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
|
||||||
"/persistent/home/${username}/.ssh/juliet-age" # Linux
|
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
|
||||||
];
|
];
|
||||||
|
|
||||||
# Used only by NixOS Modules
|
# owner = root
|
||||||
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
|
age.secrets = let
|
||||||
age.secrets."smb-credentials" = {
|
noaccess = {
|
||||||
file = "${mysecrets}/smb-credentials.age";
|
|
||||||
owner = username;
|
|
||||||
};
|
|
||||||
|
|
||||||
age.secrets = {
|
|
||||||
"wg-business.conf" = {
|
|
||||||
file = "${mysecrets}/wg-business.conf.age";
|
|
||||||
owner = username;
|
|
||||||
};
|
|
||||||
|
|
||||||
"ssh-key-romantic" = {
|
|
||||||
file = "${mysecrets}/ssh-key-romantic.age";
|
|
||||||
mode = "0600";
|
|
||||||
owner = username;
|
|
||||||
};
|
|
||||||
|
|
||||||
"ryan4yin-gpg-subkeys.priv" = {
|
|
||||||
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
|
|
||||||
mode = "0000";
|
mode = "0000";
|
||||||
owner = "root";
|
owner = "root";
|
||||||
};
|
};
|
||||||
|
high_security = {
|
||||||
|
mode = "0500";
|
||||||
|
owner = "root";
|
||||||
|
};
|
||||||
|
user_readable = {
|
||||||
|
mode = "0500";
|
||||||
|
owner = username;
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
# ---------------------------------------------
|
||||||
|
# no one can read/write this file, even root.
|
||||||
|
# ---------------------------------------------
|
||||||
|
|
||||||
|
"ryan4yin-gpg-subkeys.priv" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
|
||||||
|
}
|
||||||
|
// noaccess;
|
||||||
|
|
||||||
|
# ---------------------------------------------
|
||||||
|
# only root can read this file.
|
||||||
|
# ---------------------------------------------
|
||||||
|
|
||||||
|
"wg-business.conf" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/wg-business.conf.age";
|
||||||
|
}
|
||||||
|
// high_security;
|
||||||
|
|
||||||
|
# Used only by NixOS Modules
|
||||||
|
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
|
||||||
|
"smb-credentials" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/smb-credentials.age";
|
||||||
|
}
|
||||||
|
// high_security;
|
||||||
|
|
||||||
|
"rclone.conf" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/rclone.conf.age";
|
||||||
|
}
|
||||||
|
// high_security;
|
||||||
|
|
||||||
|
"nix-access-tokens" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/nix-access-tokens.age";
|
||||||
|
}
|
||||||
|
// high_security;
|
||||||
|
|
||||||
|
# ---------------------------------------------
|
||||||
|
# user can read this file.
|
||||||
|
# ---------------------------------------------
|
||||||
|
|
||||||
|
"ssh-key-romantic" =
|
||||||
|
{
|
||||||
|
file = "${mysecrets}/ssh-key-romantic.age";
|
||||||
|
}
|
||||||
|
// user_readable;
|
||||||
|
|
||||||
# alias-for-work
|
# alias-for-work
|
||||||
"alias-for-work.nushell" = {
|
"alias-for-work.nushell" =
|
||||||
file = "${mysecrets}/alias-for-work.nushell.age";
|
{
|
||||||
mode = "0600";
|
file = "${mysecrets}/alias-for-work.nushell.age";
|
||||||
owner = username;
|
}
|
||||||
};
|
// user_readable;
|
||||||
"alias-for-work.bash" = {
|
|
||||||
file = "${mysecrets}/alias-for-work.bash.age";
|
|
||||||
mode = "0600";
|
|
||||||
owner = username;
|
|
||||||
};
|
|
||||||
|
|
||||||
"nix-access-tokens" = {
|
"alias-for-work.bash" =
|
||||||
file = "${mysecrets}/nix-access-tokens.age";
|
{
|
||||||
mode = "0600";
|
file = "${mysecrets}/alias-for-work.bash.age";
|
||||||
owner = username;
|
}
|
||||||
};
|
// user_readable;
|
||||||
};
|
};
|
||||||
|
|
||||||
# place secrets in /etc/
|
# place secrets in /etc/
|
||||||
@@ -72,6 +107,10 @@
|
|||||||
source = config.age.secrets."wg-business.conf".path;
|
source = config.age.secrets."wg-business.conf".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"agenix/rclone.conf" = {
|
||||||
|
source = config.age.secrets."rclone.conf".path;
|
||||||
|
};
|
||||||
|
|
||||||
"agenix/ssh-key-romantic" = {
|
"agenix/ssh-key-romantic" = {
|
||||||
source = config.age.secrets."ssh-key-romantic".path;
|
source = config.age.secrets."ssh-key-romantic".path;
|
||||||
mode = "0600";
|
mode = "0600";
|
||||||
|
|||||||
Reference in New Issue
Block a user