diff --git a/nixos/containers/vaultwarden.nix b/nixos/containers/vaultwarden.nix
index 8c3c8e4..2d91de1 100644
--- a/nixos/containers/vaultwarden.nix
+++ b/nixos/containers/vaultwarden.nix
@@ -17,6 +17,7 @@
 server.enable = true;
 secrets = {
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHoWhafCkLVggsO24fFWm3nmkY5t23GHbBafBVGijbQ";
 files."${vwSecrets}" = {};
 };
diff --git a/nixos/modules/containers.nix b/nixos/modules/containers.nix
index 53a88ff..9b49826 100644
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -245,6 +245,12 @@ in
 (u: ''install -d -o ${u.name} -g ${u.group} /nix/var/nix/{profiles,gcroots}/per-user/"${u.name}"'') users;
 deps = [ "users" "groups" ];
 };
+
+ # age requires all keys to at least exist, even if they're not going to be used
+ ensureDevKey.text =
+ ''
+ [ ! -e "${devVMKeyPath}" ] && touch "${devVMKeyPath}"
+ '';
 };
 networking = {
diff --git a/nixos/modules/secrets.nix b/nixos/modules/secrets.nix
index d6b4d2c..428b9c5 100644
--- a/nixos/modules/secrets.nix
+++ b/nixos/modules/secrets.nix
@@ -1,4 +1,4 @@
-{ lib, config, secretsPath, ... }:
+{ lib, pkgs, config, secretsPath, ... }:
 let
 inherit (builtins) mapAttrs;
 inherit (lib) mkMerge mkIf;
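Review bot: The new `key` line is a bare ssh-ed25519 public key with nothing saying what it is for or which private key it pairs with; a reader has to guess that it is the age recipient for the `files` below (the re-encrypted `secrets/vaultwarden.env.age` in this commit gains an `-> ssh-ed25519 LLxJog …` stanza, which looks like the same recipient, but the `secrets.key` option itself is not defined in this diff). Add a comment above it such as `# Public half of this container's age identity (recipient for the files below); the private half is provisioned on the target and never committed`, adjusting the second clause to wherever the private key actually lives. Only the public half is committed here, which is the right thing to check in. The attrset enclosing `secrets` starts outside the hunk.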
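Review bot: Nothing orders `ensureDevKey` before the agenix activation snippet it exists to satisfy; as far as I can tell activation snippets run in dependency order and otherwise by attribute name, so `agenixMountSecrets` (the name secrets.nix uses) would sort before `ensureDevKey` and the placeholder would only be created after decryption has already been attempted. Declare the edge explicitly, e.g. `agenixMountSecrets.deps = [ "ensureDevKey" ];` next to it, under the same `config.age.secrets != { }` guard that secrets.nix applies to that snippet, since `.deps` on a snippet that agenix has not defined has no `text`. The `[ ! -e … ] && touch …` form also exits non-zero whenever the file already exists, and `touch` creates it under the default umask, which is lax if the real dev-VM key is later written into the same path without resetting its mode; `[ -e "${devVMKeyPath}" ] || (umask 077; touch "${devVMKeyPath}")` returns 0 in both cases and creates the placeholder owner-only. Whether this block is gated on `config.my.build.isDevVM` is not visible here, since the enclosing attrset starts outside the hunk.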
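Review bot: `pkgs` is added to the module's argument set, but neither secrets.nix hunk in this commit references it (the new code uses only `lib`, `config`, `mkIf` and `mapAttrs`); if nothing outside the diff uses it either, drop it again so the signature does not advertise a dependency the module does not have.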
@@ -15,10 +15,22 @@ in
 config = mkMerge [
 {
- age.secrets = mapAttrs (f: opts: {
- file = "${secretsPath}/${f}.age";
- } // opts) cfg.files;
+ age = {
+ secrets = mapAttrs (f: opts: {
+ file = "${secretsPath}/${f}.age";
+ } // opts) cfg.files;
+ # agenix sets this as a default but adding any custom extras will _replace_ the list (different priority)
+ identityPaths =
+ mkIf config.services.openssh.enable
+ (map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys));
+ };
 }
+ (mkIf (config.age.secrets != { }) {
+ system.activationScripts.agenixMountSecrets.deps = mkIf (config.my.tmproot.persistence.dir != null) [
+ # The key used to decrypt is not going to exist!
+ "persist-files"
+ ];
+ })
 (mkIf config.my.build.isDevVM {
 age.identityPaths = [ cfg.vmKeyPath ];
 })
diff --git a/secrets/test.txt.age b/secrets/test.txt.age
index 28fbc1d..f3bd459 100644
Binary files a/secrets/test.txt.age and b/secrets/test.txt.age differ
diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age
index 7205bbd..86cc13f 100644
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
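Review bot: The comment `# The key used to decrypt is not going to exist!` does not say which key or why, so the `"persist-files"` dependency reads as arbitrary; presumably the sshd host keys that `identityPaths` now lists live under `config.my.tmproot.persistence.dir` and are only bound into place by that snippet. Say that instead, e.g. `# With persistence enabled the sshd host keys used as age identities only exist once "persist-files" has run`. The outer `mkIf (config.age.secrets != { })` also deserves a word, since it looks like it is there because agenix only defines `agenixMountSecrets` when secrets exist and setting `.deps` on an undefined snippet would fail on the missing `text`. The `identityPaths` comment could likewise name the mechanism rather than "different priority": a module-system default is dropped as soon as any definition exists, which is why the host keys are re-listed here so they merge with `cfg.vmKeyPath` in the dev-VM branch below.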
@@ -1,8 +1,10 @@ age-encryption.org/v1 --> X25519 Lm6m9mqSeFYvQ3bo73i9KrAzADgWLRcxmUg31JwqgWw -FXbd6LUIA9OlCiMb1Us3T3/RkbQbxWD3pZ77/y3UuDM --> C3L/E-grease -7Y+*Gh -UEBPiPpYXfbZltNeUQrX4ahsDakgciN6sSLLHkPsX69oGtLuGRQeoDC6tvEtG2Ws -wJEX57JORoAWfZsUtF0Oj+hN++ANcCm1andG45Yf ---- 1Pr1sAqpDFUZBGe97NYMyN3AEgv/EJgBl9DK4Ga93oc -•Ö”’0˜ü`LVoÖ\åÃoÐ¥ëÜyÍýmè ÃÃn^Ä×ûär|Q@†µáq{ÄÖ…f¬ƒéîÏ‹<){ucÈu–Þ–ÅÆH¾ð»!U+7FYhh°W¶ÅkˆÐ;RO¶ \ No newline at end of file +-> ssh-ed25519 LLxJog 98Cn1x2SC2HTaIxiz3YOig69A4M9EdyzgFIuLVVksWs +TQfDxjzQd2b6QxXFX+erhFr+rXueFM/0OiuqLlLIDNo +-> X25519 9X4Sj6LOvqid3yw/K4U4STf0+49sNr7mLRgO5gPJWkE +tHci1YGnwAYY0POj7fCRpZoXMlF2GJ3+tD8+18RVG3A +-> @<\}-grease U= <+9u} SWZKY{ +1MbcuWlKJ2vXC1ZHgSzSxTZUr3rvMs5c2IEMM60mFLmwWkfGSOO1z/7ldsUK7cSe +abf7c/qMFE/92zIiMScnjwvIub6riV+llgJnMi26cn9IAPPcHA +--- TkbUNAVf3Xq9oEpQIK/db8uVTMc7DlUIXE6If+IQbyE +fK“¦&E÷ϲª43&j Ó×äATÃêÜâîk‰ ˆ¬AQ }FÊëÇáúÙ}èd±žškdpŽ:ó}@S{fºIúA@{X ÝÍpÛÞeÖ¾ç‹}_y*fü¯Ó/⻜mñžÙ ©õ \ No newline at end of file