diff --git a/.gitignore b/.gitignore index 289bb02..7a84f4b 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ result* /.vms/* !/.vms/.gitkeep +/.keys/*.key diff --git a/.keys/.gitkeep b/.keys/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/.keys/deploy.pub b/.keys/deploy.pub new file mode 100644 index 0000000..318c7cb --- /dev/null +++ b/.keys/deploy.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzBEJKVa7WFxY5EOqcxP1b+hrJiaPggFzJx8dlFAmug nixfiles-deploy diff --git a/.keys/dev.pub b/.keys/dev.pub new file mode 100644 index 0000000..11f297c --- /dev/null +++ b/.keys/dev.pub @@ -0,0 +1 @@ +age1lm7la8qmu3rx89yvtdqz0m9l3fr96vf4nsqg6tpsv8yskzw7zgtqwt8lmu diff --git a/authorized_keys b/.keys/me.pub similarity index 100% rename from authorized_keys rename to .keys/me.pub diff --git a/devshell/commands.nix b/devshell/commands.nix index 20d3b77..f926a12 100644 --- a/devshell/commands.nix +++ b/devshell/commands.nix @@ -35,6 +35,12 @@ in help = "Remove home-manager flake.nix link"; command = "rm -f ${homeFlake}"; } + { + name = "agenix"; + category = "utilities"; + help = pkgs.agenix.meta.description; + command = ''exec ${pkgs.agenix}/bin/agenix --identity "$PRJ_ROOT/.keys/dev.key" "$@"''; + } { name = "fmt"; diff --git a/devshell/default.nix b/devshell/default.nix index 23d94e1..eaea123 100644 --- a/devshell/default.nix +++ b/devshell/default.nix @@ -18,7 +18,7 @@ in packages = with pkgs; [ coreutils nixVersions.stable - agenix + rage deploy-rs.deploy-rs home-manager ]; diff --git a/flake.nix b/flake.nix index f2205ec..6e7fcd0 100644 --- a/flake.nix +++ b/flake.nix @@ -107,6 +107,8 @@ inherit lib pkgsFlakes hmFlakes inputs; pkgs' = configPkgs'; }; + + nixos.secretsPath = ./secrets; } # Not an internal part of the module system apparently, but it doesn't have any dependencies other than lib @@ -120,9 +122,8 @@ in # Platform independent stuff { - lib = lib.my; nixpkgs = pkgs'; - inherit nixfiles; + inherit lib nixfiles; nixosModules = nixfiles.config.nixos.modules; homeModules = nixfiles.config.home-manager.modules; diff --git a/home-manager/modules/common.nix b/home-manager/modules/common.nix index 0017102..08d6f62 100644 --- a/home-manager/modules/common.nix +++ b/home-manager/modules/common.nix @@ -27,7 +27,7 @@ in ssh = { authKeys = { literal = mkOpt' (listOf singleLineStr) [ ] "List of OpenSSH keys to allow"; - files = mkOpt' (listOf str) [ ] "List of OpenSSH key files to allow"; + files = mkOpt' (listOf path) [ ] "List of OpenSSH key files to allow"; }; }; }; @@ -226,7 +226,7 @@ in }) (mkIf config.my.isStandalone { my = { - ssh.authKeys.files = [ lib.my.authorizedKeys ]; + ssh.authKeys.files = [ lib.my.sshKeyFiles.me ]; }; fonts.fontconfig.enable = true; diff --git a/lib.nix b/lib.nix index 9f4845e..bd58c19 100644 --- a/lib.nix +++ b/lib.nix @@ -132,5 +132,8 @@ rec { filterOpts = filterAttrsRecursive (_: v: v != null); }; - authorizedKeys = toString ./authorized_keys; + sshKeyFiles = { + me = .keys/me.pub; + deploy = .keys/deploy.key; + }; } diff --git a/nixos/boxes/colony.nix b/nixos/boxes/colony.nix index de9040f..ae52d60 100644 --- a/nixos/boxes/colony.nix +++ b/nixos/boxes/colony.nix @@ -13,6 +13,11 @@ imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; my = { + secrets = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkqdN5t3UKwrNOOPKlbnG1WYhnkV5H9luAzMotr8SbT"; + files."test.txt" = {}; + }; + firewall = { trustedInterfaces = [ "blah" ]; nat = { diff --git a/nixos/default.nix b/nixos/default.nix index 04b2230..4574507 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -52,6 +52,7 @@ let ]; _module.args = { + inherit (cfg) secretsPath; pkgs' = allPkgs; }; @@ -121,6 +122,7 @@ in options = with lib.types; { nixos = { + secretsPath = mkOpt' path null "Path to encrypted secret files."; modules = mkOpt' (attrsOf commonOpts.moduleType) { } "NixOS modules to be exported by nixfiles."; systems = mkOpt' (attrsOf (submodule systemOpts)) { } "NixOS systems to be exported by nixfiles."; }; diff --git a/nixos/installer.nix b/nixos/installer.nix index 1ba6bcf..d852b61 100644 --- a/nixos/installer.nix +++ b/nixos/installer.nix @@ -33,7 +33,7 @@ environment.sessionVariables = { INSTALL_ROOT = installRoot; }; - users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ]; + users.users.root.openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.deploy ]; home-manager.users.root = { programs = { starship.settings = { diff --git a/nixos/modules/_list.nix b/nixos/modules/_list.nix index da24a82..d4f4f18 100644 --- a/nixos/modules/_list.nix +++ b/nixos/modules/_list.nix @@ -8,5 +8,6 @@ firewall = ./firewall.nix; server = ./server.nix; deploy-rs = ./deploy-rs.nix; + secrets = ./secrets.nix; }; } diff --git a/nixos/modules/deploy-rs.nix b/nixos/modules/deploy-rs.nix index 4c425d5..13979ea 100644 --- a/nixos/modules/deploy-rs.nix +++ b/nixos/modules/deploy-rs.nix @@ -10,7 +10,7 @@ in options.my.deploy = with lib.types; { authorizedKeys = { keys = mkOpt' (listOf singleLineStr) [ ] "SSH public keys to add to the default deployment user."; - keyFiles = mkOpt' (listOf str) [ ] "SSH public key files to add to the default deployment user."; + keyFiles = mkOpt' (listOf path) [ lib.my.sshKeyFiles.deploy ] "SSH public key files to add to the default deployment user."; }; enable = mkBoolOpt' true "Whether to expose deploy-rs configuration for this system."; diff --git a/nixos/modules/secrets.nix b/nixos/modules/secrets.nix new file mode 100644 index 0000000..e03fcef --- /dev/null +++ b/nixos/modules/secrets.nix @@ -0,0 +1,17 @@ +{ lib, config, secretsPath, ... }: +let + inherit (builtins) mapAttrs; + inherit (lib.my) mkOpt'; + + cfg = config.my.secrets; +in +{ + options.my.secrets = with lib.types; { + key = mkOpt' (nullOr str) null "Public key that secrets for this system should be encrypted for."; + files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix."; + }; + + config.age.secrets = mapAttrs (f: opts: { + file = "${secretsPath}/${f}.age"; + } // opts) cfg.files; +} diff --git a/nixos/modules/user.nix b/nixos/modules/user.nix index 3c0b9e2..38217a3 100644 --- a/nixos/modules/user.nix +++ b/nixos/modules/user.nix @@ -35,14 +35,12 @@ in shell = let shell = cfg.homeConfig.my.shell; in mkIf (shell != null) (mkDefault' shell); - openssh.authorizedKeys.keyFiles = [ lib.my.authorizedKeys ]; + openssh.authorizedKeys.keyFiles = [ lib.my.sshKeyFiles.me ]; }; # In order for this option to evaluate on its own, home-manager expects the `name` (which is derived from the # parent attr name) to be the users name, aka `home-manager.users.` homeConfig = { _module.args.name = lib.mkForce user'.name; }; }; - - deploy.authorizedKeys = mkDefault user'.openssh.authorizedKeys; }; # mkAliasDefinitions will copy the unmerged defintions to allow the upstream submodule to deal with diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..99ad933 --- /dev/null +++ b/secrets.nix @@ -0,0 +1,24 @@ +let + self = getFlake (toString ./.); + inherit (self) lib; + + inherit (builtins) mapAttrs attrValues readFile getFlake; + inherit (lib) optional flatten zipAttrsWith nameValuePair mapAttrs'; + + secretPath = p: "secrets/${p}.age"; + + defaultKeys = [ + (readFile .keys/dev.pub) + ]; + secretKeys = + zipAttrsWith + (_: keys: flatten (keys ++ defaultKeys)) + (map + (c: let cfg = c.config.my.secrets; in mapAttrs' + (f: _: nameValuePair + (secretPath f) + (optional (cfg.key != null) cfg.key)) + cfg.files) + (attrValues self.nixosConfigurations)); +in +mapAttrs (_: keys: { publicKeys = keys; }) secretKeys diff --git a/secrets/test.txt.age b/secrets/test.txt.age new file mode 100644 index 0000000..28fbc1d Binary files /dev/null and b/secrets/test.txt.age differ