nixos: Fix secrets in containers

Jack O'Sullivan 2022-04-18 15:34:08 +01:00
parent a817c7e23a
commit 91e3e55077
5 changed files with 32 additions and 11 deletions


@ -17,6 +17,7 @@
server.enable = true; server.enable = true;
secrets = { secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHoWhafCkLVggsO24fFWm3nmkY5t23GHbBafBVGijbQ";
files."${vwSecrets}" = {}; files."${vwSecrets}" = {};
}; };
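Review bot: The added `key` value carries no comment saying whose public key it is or where the matching private key lives, which matters when it has to be rotated together with the re-encrypted .age files in this commit; from the identityPaths change elsewhere in the commit it is presumably the container's ssh host key, but that is inferred. I would add a line above it such as `# public key of the container's ssh host key (age recipient for the files below); re-encrypt after rotating`. The enclosing `secrets` set starts before the hunk and the option it feeds is not visible here.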


@ -245,6 +245,12 @@ in
(u: ''install -d -o ${u.name} -g ${u.group} /nix/var/nix/{profiles,gcroots}/per-user/"${u.name}"'') users; (u: ''install -d -o ${u.name} -g ${u.group} /nix/var/nix/{profiles,gcroots}/per-user/"${u.name}"'') users;
deps = [ "users" "groups" ]; deps = [ "users" "groups" ];
}; };
# age requires all keys to at least exist, even if they're not going to be used
ensureDevKey.text =
''
[ ! -e "${devVMKeyPath}" ] && touch "${devVMKeyPath}"
'';
}; };
networking = { networking = {
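Review bot: The new `ensureDevKey` activation script declares no `deps`, and nothing visible makes the agenix script run after it, so the ordering its comment relies on (the key path existing before age reads its identities) is not pinned by this hunk. Another hunk of this commit already adds deps to `system.activationScripts.agenixMountSecrets`, so the same attribute can name this script: `system.activationScripts.agenixMountSecrets.deps = [ "ensureDevKey" ];`, which merges with the deps defined in the secrets module. Separately, `touch "${devVMKeyPath}"` fails if the parent directory does not exist yet and creates the placeholder with the default umask; `install -m 0600 /dev/null "${devVMKeyPath}"` would give the placeholder the permissions a key file is expected to have. The enclosing `system.activationScripts` set starts before this hunk.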


@ -1,4 +1,4 @@
{ lib, config, secretsPath, ... }: { lib, pkgs, config, secretsPath, ... }:
let let
inherit (builtins) mapAttrs; inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf; inherit (lib) mkMerge mkIf;
@ -15,10 +15,22 @@ in
config = mkMerge [ config = mkMerge [
{ {
age.secrets = mapAttrs (f: opts: { age = {
secrets = mapAttrs (f: opts: {
file = "${secretsPath}/${f}.age"; file = "${secretsPath}/${f}.age";
} // opts) cfg.files; } // opts) cfg.files;
# agenix sets this as a default but adding any custom extras will _replace_ the list (different priority)
identityPaths =
mkIf config.services.openssh.enable
(map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys));
};
} }
(mkIf (config.age.secrets != { }) {
system.activationScripts.agenixMountSecrets.deps = mkIf (config.my.tmproot.persistence.dir != null) [
# The key used to decrypt is not going to exist!
"persist-files"
];
})
(mkIf config.my.build.isDevVM { (mkIf config.my.build.isDevVM {
age.identityPaths = [ cfg.vmKeyPath ]; age.identityPaths = [ cfg.vmKeyPath ];
}) })
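Review bot: The comment `# The key used to decrypt is not going to exist!` on the new `agenixMountSecrets.deps` entry does not say why, so the `persist-files` dependency reads as arbitrary; I would expand it to `# the ssh host keys used as age identities live under the persistence dir, so they only exist once persist-files has run` — hedged, since where the host keys are stored is not visible in this hunk. With the new openssh-derived `identityPaths` definition, the dev VM now defines `age.identityPaths` twice at the same priority, so the option merges to the host keys followed by `cfg.vmKeyPath` rather than the VM key alone; that looks intended (the other hunk's `ensureDevKey` exists so the extra path is present), but a short comment on the `isDevVM` definition saying the VM key is appended to, not replacing, the host keys would save the next reader that check. The `mkMerge` list under `config` continues past the end of the hunk.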

Binary file not shown.


@ -1,8 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> X25519 Lm6m9mqSeFYvQ3bo73i9KrAzADgWLRcxmUg31JwqgWw -> ssh-ed25519 LLxJog 98Cn1x2SC2HTaIxiz3YOig69A4M9EdyzgFIuLVVksWs
FXbd6LUIA9OlCiMb1Us3T3/RkbQbxWD3pZ77/y3UuDM TQfDxjzQd2b6QxXFX+erhFr+rXueFM/0OiuqLlLIDNo
-> C3L/E-grease -7Y+*Gh -> X25519 9X4Sj6LOvqid3yw/K4U4STf0+49sNr7mLRgO5gPJWkE
UEBPiPpYXfbZltNeUQrX4ahsDakgciN6sSLLHkPsX69oGtLuGRQeoDC6tvEtG2Ws tHci1YGnwAYY0POj7fCRpZoXMlF2GJ3+tD8+18RVG3A
wJEX57JORoAWfZsUtF0Oj+hN++ANcCm1andG45Yf -> @<\}-grease U= <+9u} SWZKY{
--- 1Pr1sAqpDFUZBGe97NYMyN3AEgv/EJgBl9DK4Ga93oc 1MbcuWlKJ2vXC1ZHgSzSxTZUr3rvMs5c2IEMM60mFLmwWkfGSOO1z/7ldsUK7cSe
•Ö”0˜ü`LVoÖ\åÃoÐ¥ëÜyÍýmè ÃÃn^Ä×ûär|Q@†µáq{ÄÖ…f¬ƒéîÏ<){ucÈu<75>ÞÅÆH¾ð<C2BE>»!U+7FYhh°W¶ÅkˆÐ;RO¶ abf7c/qMFE/92zIiMScnjwvIub6riV+llgJnMi26cn9IAPPcHA
--- TkbUNAVf3Xq9oEpQIK/db8uVTMc7DlUIXE6If+IQbyE
fK“¦&E÷ϲª43&j Ó×äATÃêÜâîk‰ ˆ¬AQ }FÊëÇáúÙ}èd±žškd:ó}@S{fºIúA@{X ÝÍpÛÞeÖ¾ç‹}_y*fü¯Ó/⻜mñžÙ ©õ