feat: Add agenix-rekey

Agenix-rekey is a project which uses rage to encrypt secrets for hosts
where they're needed. We'll need it for a future commit with buildbot
This commit is contained in:
Skyler Grey 2024-07-02 22:46:30 +00:00 committed by Skyler Grey
parent 5104c5e8ca
commit 919b3c4e73
12 changed files with 97 additions and 12 deletions

View file

@ -1,10 +0,0 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Auxolotl Infrastructure
Upstream-Contact: Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>
Source: https://auxolotl.org
# Sample paragraph, commented out:
#
# Files: src/*
# Copyright: $YEAR $NAME <$CONTACT>
# License: ...

24
REUSE.toml Normal file
View file

@ -0,0 +1,24 @@
# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: CC0-1.0
version = 1
SPDX-PackageName = "Auxolotl Infrastructure"
SPDX-PackageSupplier = "Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>"
SPDX-PackageDownloadLocation = "https://auxolotl.org"
[[annotations]]
path = "secrets/generated/**"
SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
SPDX-License-Identifier = "CC0-1.0"
[[annotations]]
path = "secrets/rekeyed/**"
SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
SPDX-License-Identifier = "CC0-1.0"
[[annotations]]
path = "**/*.age"
SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
SPDX-License-Identifier = "CC0-1.0"

View file

@ -14,6 +14,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
agenix-rekey = {
url = "github:oddlama/agenix-rekey";
inputs.nixpkgs.follows = "nixpkgs";
};
auxolotl-website = {
url = "git+https://git.auxolotl.org/auxolotl/website";
inputs.nixpkgs.follows = "nixpkgs";
@ -37,8 +44,14 @@
};
in
lib.mkFlake {
overlays = with inputs; [
auxolotl-website.overlays.default
overlays = [
inputs.auxolotl-website.overlays.default
inputs.agenix-rekey.overlays.default
];
systems.modules.nixos = [
inputs.agenix.nixosModules.default
inputs.agenix-rekey.nixosModules.default
];
deploy = lib.mkDeploy {
@ -49,6 +62,11 @@
};
};
agenix-rekey = inputs.agenix-rekey.configure {
userFlake = inputs.self;
nodes = inputs.self.nixosConfigurations;
};
checks =
builtins.mapAttrs
(system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)

View file

@ -0,0 +1,18 @@
# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
#
# SPDX-License-Identifier: GPL-3.0-only
{ config, lib, pkgs, inputs, ... }:
{
age.rekey = {
masterIdentities = [
"${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
"${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
"${inputs.self}/secrets/keys/minion/iyubikey.pub"
];
storageMode = "local";
generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}";
localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
};
}

View file

@ -0,0 +1,7 @@
# Serial: 20652804, Slot: 1
# Name: MINION_COLLABORA_YUBIKEY
# Created: Sun, 21 Jul 2024 12:55:44 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ

View file

@ -0,0 +1,3 @@
SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
SPDX-License-Identifier: GPL-3.0-only

View file

@ -0,0 +1,7 @@
# Serial: 24039462, Slot: 1
# Name: MINION_iYUBIKEY
# Created: Sun, 21 Jul 2024 12:57:17 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA

View file

@ -0,0 +1,3 @@
SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
SPDX-License-Identifier: GPL-3.0-only

View file

@ -0,0 +1,7 @@
# Serial: 23751432, Slot: 1
# Name: MINION_TINY_YUBIKEY
# Created: Sun, 21 Jul 2024 12:49:01 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Always (A physical touch is required for every decryption)
# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0

View file

@ -0,0 +1,3 @@
SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
SPDX-License-Identifier: GPL-3.0-only

View file

@ -6,10 +6,12 @@
mkShell,
reuse,
deploy-rs,
agenix-rekey,
}:
mkShell {
packages = [
reuse # Used to provide licenses & copyright attribution
deploy-rs # Used to deploy to our servers
agenix-rekey # Used to manage secrets
];
}

View file

@ -7,12 +7,15 @@
{
pkgs,
modulesPath,
config,
...
}: {
imports = [
(modulesPath + "/virtualisation/digital-ocean-config.nix")
];
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";
boot.loader.grub.enable = true;
virtualisation.digitalOcean.rebuildFromUserData = false;