feat: Add agenix-rekey
Agenix-rekey is a project that uses rage to encrypt secrets for the hosts where they're needed. We'll need it for a future commit that involves buildbot.
parent
5104c5e8ca
commit
919b3c4e73
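--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -1,10 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Auxolotl Infrastructure
-Upstream-Contact: Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>
-Source: https://auxolotl.org
-
-# Sample paragraph, commented out:
-#
-# Files: src/*
-# Copyright: $YEAR $NAME <$CONTACT>
-# License: ...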
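--- a/REUSE.toml
+++ b/REUSE.toml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: CC0-1.0
+
+version = 1
+
+SPDX-PackageName = "Auxolotl Infrastructure"
+SPDX-PackageSupplier = "Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>"
+SPDX-PackageDownloadLocation = "https://auxolotl.org"
+
+[[annotations]]
+path = "secrets/generated/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "secrets/rekeyed/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "**/*.age"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"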
22
flake.nix
22
flake.nix
|
@ -14,6 +14,13 @@
|
|||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
agenix.url = "github:ryantm/agenix";
|
||||
|
||||
agenix-rekey = {
|
||||
url = "github:oddlama/agenix-rekey";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
auxolotl-website = {
|
||||
url = "git+https://git.auxolotl.org/auxolotl/website";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -37,8 +44,14 @@
|
|||
};
|
||||
in
|
||||
lib.mkFlake {
|
||||
overlays = with inputs; [
|
||||
auxolotl-website.overlays.default
|
||||
overlays = [
|
||||
inputs.auxolotl-website.overlays.default
|
||||
inputs.agenix-rekey.overlays.default
|
||||
];
|
||||
|
||||
systems.modules.nixos = [
|
||||
inputs.agenix.nixosModules.default
|
||||
inputs.agenix-rekey.nixosModules.default
|
||||
];
|
||||
|
||||
deploy = lib.mkDeploy {
|
||||
|
@ -49,6 +62,11 @@
|
|||
};
|
||||
};
|
||||
|
||||
agenix-rekey = inputs.agenix-rekey.configure {
|
||||
userFlake = inputs.self;
|
||||
nodes = inputs.self.nixosConfigurations;
|
||||
};
|
||||
|
||||
checks =
|
||||
builtins.mapAttrs
|
||||
(system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)
|
||||
|
|
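Review bot: `agenix.url = "github:ryantm/agenix";` in the first hunk appears to be added without an `inputs.nixpkgs.follows = "nixpkgs";`, while the `agenix-rekey` and `auxolotl-website` inputs right beside it both pin nixpkgs that way; the result is a second nixpkgs revision in the lock file, fetched and evaluated from whatever agenix's own lock happens to point at. For consistency with its neighbours, write `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`. No flake.lock hunk is visible on this page, so I cannot tell whether the two new inputs were locked in the same commit; if they were not, the lock update belongs with this change so the pinned revisions are reviewable alongside the inputs that introduce them.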
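--- a/modules/nixos/auxolotl/security/secrets/default.nix
+++ b/modules/nixos/auxolotl/security/secrets/default.nix
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+age.rekey = {
+masterIdentities = [
+"${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+"${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+"${inputs.self}/secrets/keys/minion/iyubikey.pub"
+];
+storageMode = "local";
+generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}";
+localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
+};
+}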
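Review bot: The new module documents neither what the three `masterIdentities` files are nor that `secrets/rekeyed/<host>` will hold ciphertext committed to the repository, and both are things the next person editing `secrets/` needs to know before touching either directory. I would add above `masterIdentities` the comment `# age-plugin-yubikey identity stubs for the admin YubiKeys (serial/slot references, no private key material; a touch is required for every decryption, see the headers in secrets/keys/minion/*.pub)` and above `storageMode` the comment `# Per-host rekeyed secrets are stored in-repo under secrets/rekeyed/<hostName>, encrypted to that host's age.rekey.hostPubkey`. Both `generatedSecretsDir` and `localStorageDir` are keyed on `config.networking.hostName`, so two hosts left at the default name would share one directory and overwrite each other's rekeyed files; presumably every host sets a hostName, but that is worth confirming. `lib` and `pkgs` in the argument set are unused here and can be dropped.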
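--- a/secrets/keys/minion/collabora-yubikey.pub
+++ b/secrets/keys/minion/collabora-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 20652804, Slot: 1
+# Name: MINION_COLLABORA_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:55:44 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ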
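Review bot: The last line of this file is an `AGE-PLUGIN-YUBIKEY-…` identity, not the recipient printed in the `# Recipient:` header, so the `.pub` name understates what the file is; the same applies to `secrets/keys/minion/iyubikey.pub` and `secrets/keys/minion/tiny-yubikey.pub`. As I understand the plugin's identity format, the string is a stub that points at the serial and slot listed in the header and carries no private key material, so keeping it in git is fine, but that should be stated where the files live so nobody later removes them as a suspected leak or tries to feed them to `age -r` as recipients. A `#` comment at the top of each file, such as `# age-plugin-yubikey identity stub (serial/slot reference, no key material); consumed by age.rekey.masterIdentities`, or one sentence in a README next to the keys, would cover it.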
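--- a/secrets/keys/minion/collabora-yubikey.pub.license
+++ b/secrets/keys/minion/collabora-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only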
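--- a/secrets/keys/minion/iyubikey.pub
+++ b/secrets/keys/minion/iyubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 24039462, Slot: 1
+# Name: MINION_iYUBIKEY
+# Created: Sun, 21 Jul 2024 12:57:17 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA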
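--- a/secrets/keys/minion/iyubikey.pub.license
+++ b/secrets/keys/minion/iyubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only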
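--- a/secrets/keys/minion/tiny-yubikey.pub
+++ b/secrets/keys/minion/tiny-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 23751432, Slot: 1
+# Name: MINION_TINY_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:49:01 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0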
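--- a/secrets/keys/minion/tiny-yubikey.pub.license
+++ b/secrets/keys/minion/tiny-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only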
|
@ -6,10 +6,12 @@
|
|||
mkShell,
|
||||
reuse,
|
||||
deploy-rs,
|
||||
agenix-rekey,
|
||||
}:
|
||||
mkShell {
|
||||
packages = [
|
||||
reuse # Used to provide licenses & copyright attribution
|
||||
deploy-rs # Used to deploy to our servers
|
||||
agenix-rekey # Used to manage secrets
|
||||
];
|
||||
}
|
||||
|
|
|
@ -7,12 +7,15 @@
|
|||
{
|
||||
pkgs,
|
||||
modulesPath,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/virtualisation/digital-ocean-config.nix")
|
||||
];
|
||||
|
||||
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
|
||||
virtualisation.digitalOcean.rebuildFromUserData = false;
|
||||
|
|