From 919b3c4e73a7574de619dd3b40524f820ab70644 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Tue, 2 Jul 2024 22:46:30 +0000
Subject: [PATCH] feat: Add agenix-rekey

Agenix-rekey is a project which uses rage to encrypt secrets for hosts where they're needed. We'll need it for a future commit with buildbot
---
 .reuse/dep5 | 10 --------
 REUSE.toml | 24 +++++++++++++++++++
 flake.nix | 22 +++++++++++++++--
 .../auxolotl/security/secrets/default.nix | 18 ++++++++++++++
 secrets/keys/minion/collabora-yubikey.pub | 7 ++++++
 .../keys/minion/collabora-yubikey.pub.license | 3 +++
 secrets/keys/minion/iyubikey.pub | 7 ++++++
 secrets/keys/minion/iyubikey.pub.license | 3 +++
 secrets/keys/minion/tiny-yubikey.pub | 7 ++++++
 secrets/keys/minion/tiny-yubikey.pub.license | 3 +++
 shells/default/default.nix | 2 ++
 systems/x86_64-linux/baxter/default.nix | 3 +++
 12 files changed, 97 insertions(+), 12 deletions(-)
 delete mode 100644 .reuse/dep5
 create mode 100644 REUSE.toml
 create mode 100644 modules/nixos/auxolotl/security/secrets/default.nix
 create mode 100644 secrets/keys/minion/collabora-yubikey.pub
 create mode 100644 secrets/keys/minion/collabora-yubikey.pub.license
 create mode 100644 secrets/keys/minion/iyubikey.pub
 create mode 100644 secrets/keys/minion/iyubikey.pub.license
 create mode 100644 secrets/keys/minion/tiny-yubikey.pub
 create mode 100644 secrets/keys/minion/tiny-yubikey.pub.license
diff --git a/.reuse/dep5 b/.reuse/dep5
deleted file mode 100644
index e9a0867..0000000
--- a/.reuse/dep5
+++ /dev/null
@@ -1,10 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Auxolotl Infrastructure
-Upstream-Contact: Auxolotl Infrastructure Committee
-Source: https://auxolotl.org
-
-# Sample paragraph, commented out:
-#
-# Files: src/*
-# Copyright: $YEAR $NAME <$CONTACT>
-# License: ...
diff --git a/REUSE.toml b/REUSE.toml
new file mode 100644
index 0000000..62db0fb
--- /dev/null
+++ b/REUSE.toml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: CC0-1.0
+
+version = 1
+
+SPDX-PackageName = "Auxolotl Infrastructure"
+SPDX-PackageSupplier = "Auxolotl Infrastructure Committee "
+SPDX-PackageDownloadLocation = "https://auxolotl.org"
+
+[[annotations]]
+path = "secrets/generated/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "secrets/rekeyed/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "**/*.age"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
diff --git a/flake.nix b/flake.nix
index 2e69ce7..4e23335 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,13 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ agenix.url = "github:ryantm/agenix";
+ agenix-rekey = {
+ url = "github:oddlama/agenix-rekey";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 auxolotl-website = {
 url = "git+https://git.auxolotl.org/auxolotl/website";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -37,8 +44,14 @@
 };
 in lib.mkFlake {
- overlays = with inputs; [
- auxolotl-website.overlays.default
+ overlays = [
+ inputs.auxolotl-website.overlays.default
+ inputs.agenix-rekey.overlays.default
+ ];
+
+ systems.modules.nixos = [
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
 ];
 deploy = lib.mkDeploy {
@@ -49,6 +62,11 @@
 };
 };
+ agenix-rekey = inputs.agenix-rekey.configure {
+ userFlake = inputs.self;
+ nodes = inputs.self.nixosConfigurations;
+ };
+
 checks = builtins.mapAttrs (system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)
diff --git a/modules/nixos/auxolotl/security/secrets/default.nix b/modules/nixos/auxolotl/security/secrets/default.nix
new file mode 100644
index 0000000..ecea233
--- /dev/null
+++ b/modules/nixos/auxolotl/security/secrets/default.nix
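Review bot: In the first flake.nix hunk the new `agenix` input is declared as a bare `agenix.url = "github:ryantm/agenix";` with no `inputs.nixpkgs.follows`, unlike the `agenix-rekey` block immediately below it, so the lock will presumably carry a second, independently pinned nixpkgs used for agenix's own outputs. Declaring it as `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps every input on the one nixpkgs this flake already pins. The diffstat also lists no `flake.lock`, so neither new input is pinned by this commit; unless the lock update lands separately, they resolve to whatever upstream HEAD is at evaluation time, which is worth confirming for a change that introduces the secrets tooling.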
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+ age.rekey = {
+ masterIdentities = [
+ "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/iyubikey.pub"
+ ];
+ storageMode = "local";
+ generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}";
+ localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
+ };
+}
diff --git a/secrets/keys/minion/collabora-yubikey.pub b/secrets/keys/minion/collabora-yubikey.pub
new file mode 100644
index 0000000..a3061c2
--- /dev/null
+++ b/secrets/keys/minion/collabora-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 20652804, Slot: 1
+# Name: MINION_COLLABORA_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:55:44 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ
diff --git a/secrets/keys/minion/collabora-yubikey.pub.license b/secrets/keys/minion/collabora-yubikey.pub.license
new file mode 100644
index 0000000..7f85994
--- /dev/null
+++ b/secrets/keys/minion/collabora-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only
diff --git a/secrets/keys/minion/iyubikey.pub b/secrets/keys/minion/iyubikey.pub
new file mode 100644
index 0000000..ec49feb
--- /dev/null
+++ b/secrets/keys/minion/iyubikey.pub
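Review bot: The module's argument set names `lib` and `pkgs`, but the body reads only `config` and `inputs`; the same pattern appears in `systems/x86_64-linux/baxter/default.nix`, where `config` is added to the arguments and the hunk never reads it. Trimming this one to `{ config, inputs, ... }:` and dropping `config` there keeps each file's declared dependencies honest. Nothing in the module says what it is for; a header comment after the SPDX lines along the lines of `# Shared agenix-rekey settings: the three YubiKey identities under secrets/keys/minion are the master identities, and per-host rekeyed output lands in secrets/rekeyed/<hostName> (storageMode = "local")` would save the next reader a trip to the agenix-rekey docs. Because every path goes through `${inputs.self}`, files under those directories are only visible to the flake once git tracks them — presumably the rekey workflow adds them, but that is worth stating in the same comment.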
@@ -0,0 +1,7 @@
+# Serial: 24039462, Slot: 1
+# Name: MINION_iYUBIKEY
+# Created: Sun, 21 Jul 2024 12:57:17 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA
diff --git a/secrets/keys/minion/iyubikey.pub.license b/secrets/keys/minion/iyubikey.pub.license
new file mode 100644
index 0000000..7f85994
--- /dev/null
+++ b/secrets/keys/minion/iyubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only
diff --git a/secrets/keys/minion/tiny-yubikey.pub b/secrets/keys/minion/tiny-yubikey.pub
new file mode 100644
index 0000000..0838d68
--- /dev/null
+++ b/secrets/keys/minion/tiny-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 23751432, Slot: 1
+# Name: MINION_TINY_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:49:01 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0
diff --git a/secrets/keys/minion/tiny-yubikey.pub.license b/secrets/keys/minion/tiny-yubikey.pub.license
new file mode 100644
index 0000000..7f85994
--- /dev/null
+++ b/secrets/keys/minion/tiny-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only
diff --git a/shells/default/default.nix b/shells/default/default.nix
index 8223b7f..d773c20 100644
--- a/shells/default/default.nix
+++ b/shells/default/default.nix
@@ -6,10 +6,12 @@
 mkShell,
 reuse,
 deploy-rs,
+ agenix-rekey,
 }:
 mkShell {
 packages = [
 reuse # Used to provide licenses & copyright attribution
 deploy-rs # Used to deploy to our servers
+ agenix-rekey # Used to manage secrets
 ];
 }
diff --git a/systems/x86_64-linux/baxter/default.nix b/systems/x86_64-linux/baxter/default.nix
index 25c5f92..3841c2a 100644
--- a/systems/x86_64-linux/baxter/default.nix
+++ b/systems/x86_64-linux/baxter/default.nix
@@ -7,12 +7,15 @@
 {
 pkgs,
 modulesPath,
+ config,
 ...
 }:
 {
 imports = [
 (modulesPath + "/virtualisation/digital-ocean-config.nix")
 ];
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";
+
 boot.loader.grub.enable = true;
 virtualisation.digitalOcean.rebuildFromUserData = false;
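Review bot: In the baxter hunk `age.rekey.hostPubkey` receives a bare key literal with no indication of which key it is or where it was taken from, so anyone rotating baxter's host key has nothing telling them this line must change too; the enclosing attribute set continues outside the hunk. A comment such as `# baxter's SSH host public key; secrets are rekeyed to it, so update this line and rerun rekeying if the host key rotates` would make that coupling explicit. That the value is the host's ed25519 SSH key is presumed from its format and should be confirmed against the machine.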