feat: Add agenix-rekey

Agenix-rekey is a project which uses rage to encrypt secrets for hosts
where they're needed. We'll need it for a future commit with buildbot

.reuse/dep5

@@ -1,10 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Auxolotl Infrastructure
-Upstream-Contact: Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>
-Source: https://auxolotl.org
-
-# Sample paragraph, commented out:
-#
-# Files: src/*
-# Copyright: $YEAR $NAME <$CONTACT>
-# License: ...

REUSE.toml

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: CC0-1.0
+
+version = 1
+
+SPDX-PackageName = "Auxolotl Infrastructure"
+SPDX-PackageSupplier = "Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>"
+SPDX-PackageDownloadLocation = "https://auxolotl.org"
+
+[[annotations]]
+path = "secrets/generated/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "secrets/rekeyed/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "**/*.age"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"

flake.nix

@@ -14,6 +14,13 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    agenix.url = "github:ryantm/agenix";
+
+    agenix-rekey = {
+      url = "github:oddlama/agenix-rekey";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     auxolotl-website = {
       url = "git+https://git.auxolotl.org/auxolotl/website";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -37,8 +44,14 @@
     };
   in
     lib.mkFlake {
-      overlays = with inputs; [
-        auxolotl-website.overlays.default
+      overlays = [
+        inputs.auxolotl-website.overlays.default
+        inputs.agenix-rekey.overlays.default
+      ];
+
+      systems.modules.nixos = [
+        inputs.agenix.nixosModules.default
+        inputs.agenix-rekey.nixosModules.default
       ];
 
       deploy = lib.mkDeploy {
@@ -49,6 +62,11 @@
         };
       };
 
+      agenix-rekey = inputs.agenix-rekey.configure {
+        userFlake = inputs.self;
+        nodes = inputs.self.nixosConfigurations;
+      };
+
       checks =
         builtins.mapAttrs
         (system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)

modules/nixos/auxolotl/security/secrets/default.nix

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  age.rekey = {
+    masterIdentities = [
+      "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+      "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+      "${inputs.self}/secrets/keys/minion/iyubikey.pub"
+    ];
+    storageMode = "local";
+    generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}";
+    localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
+  };
+}

secrets/keys/minion/collabora-yubikey.pub

@@ -0,0 +1,7 @@
+#       Serial: 20652804, Slot: 1
+#         Name: MINION_COLLABORA_YUBIKEY
+#      Created: Sun, 21 Jul 2024 12:55:44 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ

secrets/keys/minion/collabora-yubikey.pub.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only

secrets/keys/minion/iyubikey.pub

@@ -0,0 +1,7 @@
+#       Serial: 24039462, Slot: 1
+#         Name: MINION_iYUBIKEY
+#      Created: Sun, 21 Jul 2024 12:57:17 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA

secrets/keys/minion/iyubikey.pub.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only

secrets/keys/minion/tiny-yubikey.pub

@@ -0,0 +1,7 @@
+#       Serial: 23751432, Slot: 1
+#         Name: MINION_TINY_YUBIKEY
+#      Created: Sun, 21 Jul 2024 12:49:01 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0

secrets/keys/minion/tiny-yubikey.pub.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only

shells/default/default.nix

@@ -6,10 +6,12 @@
   mkShell,
   reuse,
   deploy-rs,
+  agenix-rekey,
 }:
 mkShell {
   packages = [
     reuse # Used to provide licenses & copyright attribution
     deploy-rs # Used to deploy to our servers
+    agenix-rekey # Used to manage secrets
   ];
 }

systems/x86_64-linux/baxter/default.nix

@@ -7,12 +7,15 @@
 {
   pkgs,
   modulesPath,
+  config,
   ...
 }: {
   imports = [
     (modulesPath + "/virtualisation/digital-ocean-config.nix")
   ];
 
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";
+
   boot.loader.grub.enable = true;
 
   virtualisation.digitalOcean.rebuildFromUserData = false;