starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-02-24 17:04:48 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
e31ae3f553bdf2eb73f42df1663c125565ded462
nix-config/secrets/README.md
Ryan Yin 45a7973553 feat: add distributed-builds & many hosts 
feat: remove nur & devenv
feat: adjust the structure to make it suitable for servers
feat: add iso/proxmox generators and add docs about it
feat: update ryan's openssh keys & add hashedPassword
feat: add proxmox's nodes into ssh_config, with alias
2023-06-17 09:51:29 +08:00

99 lines
3.1 KiB
Markdown
Raw Blame History

# secrets management
This directory contains my secret files, encrypt by agenix:
- my wireguard configuration files, which is used by `wg-quick`
- github token, used by nix flakes to query and downloads flakes from github
- without this, you may reach out github api rate limit.
- ssh key pairs for my homelab and other servers
- ...
## TODO
- a better way to manage all these secrets, is to used a separate private github repository to store all these secrets, and use it as a flakes input this this repo.
- e.g. <https://github.com/xddxdd/nixos-config/blob/25ae3de/flake.nix#L82>
## Add or Update Secrets
This job is done by `agenix` CLI tool with the `./secrets.nix` file.
Pretend you want to add a new secret file `xxx.age`, then:
1. `cd` to this directory
1. edit `secrets.nix`, add a new entry for `xxx.age`, which defines the
encryption keys and the secret file path, e.g.
```nix
# This file is not imported into your NixOS configuration. It is only used for the agenix CLI.
# agenix use the public keys defined in this file to encrypt the secrets.
# and users can decrypt the secrets by any of the corresponding private keys.
let
# get user's ssh public key by command:
# cat ~/.ssh/id_ed25519.pub
# if you do not have one, you can generate it by command:
# ssh-keygen -t ed25519
ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj";
users = [ ryan ];
# get system's ssh public key by command:
# cat /etc/ssh/ssh_host_ed25519_key.pub
ai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGeXNCazqiqxn8TmbCRjA+pLWrxwenn+CFhizBMP6en root@ai";
systems = [ ai ];
in
{
"./encrypt/xxx.age".publicKeys = users ++ systems;
}
```
2. create and edit the secret file `xxx.age` interactively by command:
```shell
agenix -e ./encrypt/xxx.age
```
3. or you can also encrypt an existing file to `xxx.age` by command:
```shell
cat /path/to/xxx | agenix -e ./encrypt/xxx.age
```
the agenix use `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub` as encrypt key by default, you need to pass `--identity /path/to/key` to use a custom `/path/to/key.pub` for enctypt.
## Deploy Secrets
This job is done by `nixos-rebuild` with the `./default.nix` file.
An nixos module exmaple(need to set agenix as flake inputs first...):
```nix
{ config, pkgs, agenix, ... }:
{
imports = [
agenix.nixosModules.default
];
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
age.secrets."xxx" = {
# wether secrets are symlinked to age.secrets.<name>.path
symlink = true;
# target path for decrypted file
path = "/etc/xxx/";
# encrypted file path
file = ./encrypt/xxx.age;
mode = "0400";
owner = "root";
group = "root";
};
}
```
`nixos-rebuild` will decrypt the secrets using the private keys defined by argument `age.identityPaths`,
And then symlink the secrets to the path defined by argument `age.secrets.<name>.path`, it defaults to `/etc/secrets`.
NOTE: `age.identityPaths` it defaults to `~/.ssh/id_ed25519` and `~/.ssh/id_rsa`, so you should put your decrypt keys there. if you're deploying to the same machine as you're encrypting from, it should work out of the box.
Reference in New Issue View Git Blame Copy Permalink