feat: Add agenix-rekey
Agenix-rekey is a project which uses rage to encrypt secrets for the hosts where they're needed. We'll need it for a future commit with buildbot.
parent
5104c5e8ca
commit
919b3c4e73
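--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -1,10 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: Auxolotl Infrastructure
-Upstream-Contact: Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>
-Source: https://auxolotl.org
-
-# Sample paragraph, commented out:
-#
-# Files: src/*
-# Copyright: $YEAR $NAME <$CONTACT>
-# License: ...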
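--- a/REUSE.toml
+++ b/REUSE.toml
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: CC0-1.0
+
+version = 1
+
+SPDX-PackageName = "Auxolotl Infrastructure"
+SPDX-PackageSupplier = "Auxolotl Infrastructure Committee <infrastructure@auxolotl.org>"
+SPDX-PackageDownloadLocation = "https://auxolotl.org"
+
+[[annotations]]
+path = "secrets/generated/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "secrets/rekeyed/**"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"
+
+[[annotations]]
+path = "**/*.age"
+SPDX-FileCopyrightText = "2024 Auxolotl Infrastructure Contributors"
+SPDX-License-Identifier = "CC0-1.0"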
22
flake.nix
22
flake.nix
|
@ -14,6 +14,13 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
agenix.url = "github:ryantm/agenix";
|
||||||
|
|
||||||
|
agenix-rekey = {
|
||||||
|
url = "github:oddlama/agenix-rekey";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
auxolotl-website = {
|
auxolotl-website = {
|
||||||
url = "git+https://git.auxolotl.org/auxolotl/website";
|
url = "git+https://git.auxolotl.org/auxolotl/website";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
@ -37,8 +44,14 @@
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
lib.mkFlake {
|
lib.mkFlake {
|
||||||
overlays = with inputs; [
|
overlays = [
|
||||||
auxolotl-website.overlays.default
|
inputs.auxolotl-website.overlays.default
|
||||||
|
inputs.agenix-rekey.overlays.default
|
||||||
|
];
|
||||||
|
|
||||||
|
systems.modules.nixos = [
|
||||||
|
inputs.agenix.nixosModules.default
|
||||||
|
inputs.agenix-rekey.nixosModules.default
|
||||||
];
|
];
|
||||||
|
|
||||||
deploy = lib.mkDeploy {
|
deploy = lib.mkDeploy {
|
||||||
|
@ -49,6 +62,11 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
agenix-rekey = inputs.agenix-rekey.configure {
|
||||||
|
userFlake = inputs.self;
|
||||||
|
nodes = inputs.self.nixosConfigurations;
|
||||||
|
};
|
||||||
|
|
||||||
checks =
|
checks =
|
||||||
builtins.mapAttrs
|
builtins.mapAttrs
|
||||||
(system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)
|
(system: deploy-lib: deploy-lib.deployChecks inputs.self.deploy)
|
||||||
|
|
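Review bot: In the first flake.nix hunk, `agenix.url = "github:ryantm/agenix";` is the only new input declared without `inputs.nixpkgs.follows = "nixpkgs"`, while `agenix-rekey` directly below it and the existing `auxolotl-website` both pin to the flake's own nixpkgs. Without the follows, agenix's nixpkgs revision is locked separately, so the lock file carries a second nixpkgs that the flake's `nixpkgs` updates do not track and that dependency review has to cover on its own. Suggest `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`, matching the shape used for `agenix-rekey`. Whether the agenix flake declares further inputs that could be followed the same way is not visible from this page.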
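--- a/modules/nixos/auxolotl/security/secrets/default.nix
+++ b/modules/nixos/auxolotl/security/secrets/default.nix
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }:
+
+{
+age.rekey = {
+masterIdentities = [
+"${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+"${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+"${inputs.self}/secrets/keys/minion/iyubikey.pub"
+];
+storageMode = "local";
+generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}";
+localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
+};
+}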
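Review bot: The new secrets module configures three master identities and the per-host generate/rekey directories but carries no comment explaining the arrangement, and it does not set `age.rekey.hostPubkey`, which this commit sets only for the digital-ocean host in the last hunk on the page. A short header comment after the SPDX lines would spare the next host author a round-trip: the master identities are age-plugin-yubikey identity stubs whose `.pub` files in this commit declare a Touch policy of Always, so every rekey run needs a physical touch on one of those keys; `storageMode = "local"` means rekeyed secrets land in `secrets/rekeyed/<hostname>` inside the checked-in tree (REUSE.toml in this commit already annotates that path); and each host importing this module is expected to supply its own `age.rekey.hostPubkey`, presumably in its host config, since agenix-rekey needs the host's public key to rekey secrets for it. Whether `lib` and `pkgs` are needed in the argument set is not clear from the body, which reads only `config` and `inputs`.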
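--- a/secrets/keys/minion/collabora-yubikey.pub
+++ b/secrets/keys/minion/collabora-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 20652804, Slot: 1
+# Name: MINION_COLLABORA_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:55:44 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qd38ggwk5h8y877qwx4kkt3jz89fd4483v843ps450z5fl2uwgc82x8tsz8
+AGE-PLUGIN-YUBIKEY-1QS3NKQVZC38R9FS6T2PNZ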
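--- a/secrets/keys/minion/collabora-yubikey.pub.license
+++ b/secrets/keys/minion/collabora-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only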
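--- a/secrets/keys/minion/iyubikey.pub
+++ b/secrets/keys/minion/iyubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 24039462, Slot: 1
+# Name: MINION_iYUBIKEY
+# Created: Sun, 21 Jul 2024 12:57:17 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qfczekkv6thu32q5fv272pmzca86rqf4pn4083h9qvfgytrmycquqz23c3d
+AGE-PLUGIN-YUBIKEY-1YMGXUQVZEHAJFXGQ57UKA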
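--- a/secrets/keys/minion/iyubikey.pub.license
+++ b/secrets/keys/minion/iyubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only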
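--- a/secrets/keys/minion/tiny-yubikey.pub
+++ b/secrets/keys/minion/tiny-yubikey.pub
@@ -0,0 +1,7 @@
+# Serial: 23751432, Slot: 1
+# Name: MINION_TINY_YUBIKEY
+# Created: Sun, 21 Jul 2024 12:49:01 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+# Recipient: age1yubikey1qf92p7gj5k8pavnzrzg644plfqcpkc8laj2l4avdfnem2re08tuqsu7ynnf
+AGE-PLUGIN-YUBIKEY-1PP4K5QVZR6DHL7G8RVVJ0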
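--- a/secrets/keys/minion/tiny-yubikey.pub.license
+++ b/secrets/keys/minion/tiny-yubikey.pub.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+
+SPDX-License-Identifier: GPL-3.0-only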
|
@ -6,10 +6,12 @@
|
||||||
mkShell,
|
mkShell,
|
||||||
reuse,
|
reuse,
|
||||||
deploy-rs,
|
deploy-rs,
|
||||||
|
agenix-rekey,
|
||||||
}:
|
}:
|
||||||
mkShell {
|
mkShell {
|
||||||
packages = [
|
packages = [
|
||||||
reuse # Used to provide licenses & copyright attribution
|
reuse # Used to provide licenses & copyright attribution
|
||||||
deploy-rs # Used to deploy to our servers
|
deploy-rs # Used to deploy to our servers
|
||||||
|
agenix-rekey # Used to manage secrets
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,12 +7,15 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
modulesPath,
|
modulesPath,
|
||||||
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
(modulesPath + "/virtualisation/digital-ocean-config.nix")
|
(modulesPath + "/virtualisation/digital-ocean-config.nix")
|
||||||
];
|
];
|
||||||
|
|
||||||
|
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM4rfWCoqby2qIcq/KVEWCKZVvIxr6h4GxJcsCQYffj+";
|
||||||
|
|
||||||
boot.loader.grub.enable = true;
|
boot.loader.grub.enable = true;
|
||||||
|
|
||||||
virtualisation.digitalOcean.rebuildFromUserData = false;
|
virtualisation.digitalOcean.rebuildFromUserData = false;
|
||||||
|
|