Replaced agenix based secrets for SOPS

2025-05-15 20:10:20 +02:00 · 2025-05-15 20:10:20 +02:00 · a1ce2f94bb
commit a1ce2f94bb
parent 76d09952fc
14 changed files with 41 additions and 347 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,5 @@
 README.md~
 .DS_Store
 result
 dump.txt
 *~
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,8 @@
 keys:
 - &admin_olaf age1jfmngygcas0urav66tch0v4583d07smf3vnww87xpcngcklaycas4kzjlp
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *admin_olaf
--- a/apps/aarch64-darwin/check-keys
+++ b/apps/aarch64-darwin/check-keys
@ -1,33 +0,0 @@
 #!/usr/bin/env bash
 set -e
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 username=${USER}
 export SSH_DIR=/Users/${username}/.ssh
 lint_keys() {
  if [[ -f "${SSH_DIR}/id_ed25519" && -f "${SSH_DIR}/id_ed25519.pub" && -f "${SSH_DIR}/id_ed25519_agenix" && -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
    echo -e "${GREEN}All SSH keys are present.${NC}"
  else
    echo -e "${RED}Some SSH keys are missing.${NC}"
    if [[ ! -f "${SSH_DIR}/id_ed25519" ]]; then
      echo -e "${RED}Missing: id_ed25519${NC}"
    fi
    if [[ ! -f "${SSH_DIR}/id_ed25519.pub" ]]; then
      echo -e "${RED}Missing: id_ed25519.pub${NC}"
    fi
    if [[ ! -f "${SSH_DIR}/id_ed25519_agenix" ]]; then
      echo -e "${RED}Missing: id_ed25519_agenix${NC}"
    fi
    if [[ ! -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
      echo -e "${RED}Missing: id_ed25519_agenix.pub${NC}"
    fi
    echo -e "${GREEN}Run the createKeys command to generate the missing keys.${NC}"
    exit 1
  fi
 }
 lint_keys
--- a/apps/aarch64-darwin/copy-keys
+++ b/apps/aarch64-darwin/copy-keys
@ -1,68 +0,0 @@
 #!/usr/bin/env bash
 set -e
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 username=${USER}
 export SSH_DIR=/Users/${username}/.ssh
 handle_no_usb() {
  echo -e ${RED}No USB drive found or mounted.${NC}"
  echo -e ${GREEN}If you have not yet set up your keys, run the script to generate new SSH keys.${NC}"
  exit 1
 }
 mount_usb() {
  MOUNT_PATH=""
  for dev in $(diskutil list | grep -o 'disk[0-9]'); do
    MOUNT_PATH="$(diskutil info /dev/${dev} | grep \"Mount Point\" | awk -F: '{print $2}' | xargs)"
    if [ -n "${MOUNT_PATH}" ]; then
      echo -e "${GREEN}USB drive found at ${MOUNT_PATH}.${NC}"
      break
    fi
  done
  if [ -z "${MOUNT_PATH}" ]; then
    echo -e "${RED}No USB drive found.${NC}"
  fi
 }
 copy_keys() {
  if [ -n "${MOUNT_PATH}" ]; then
    cp "${MOUNT_PATH}/id_ed25519_agenix.pub" ${SSH_DIR}
    cp "${MOUNT_PATH}/id_ed25519_agenix" ${SSH_DIR}
    chmod 600 ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
  else
    echo -e "${RED}No USB drive found. Aborting.${NC}"
    exit 1
  fi
 }
 setup_ssh_directory() {
  mkdir -p ${SSH_DIR}
 }
 set_keys() {
  cp ${MOUNT_PATH}/id_ed25519_github.pub ${SSH_DIR}/id_ed25519.pub
  cp ${MOUNT_PATH}/id_ed25519_github ${SSH_DIR}/id_ed25519
  chmod 600 ${SSH_DIR}/id_ed25519
  chmod 644 ${SSH_DIR}/id_ed25519.pub
 }
 change_ownership() {
  chown ${username}:staff ${SSH_DIR}/id_ed25519{,.pub}
  chown ${username}:staff ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
 }
 setup_ssh_directory
 mount_usb
 if [ -z "${MOUNT_PATH}" ]; then
  handle_no_usb
 else
  copy_keys
  set_keys
  change_ownership
 fi
--- a/apps/aarch64-darwin/create-keys
+++ b/apps/aarch64-darwin/create-keys
@ -1,46 +0,0 @@
 #!/usr/bin/env bash
 set -e
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 username=${USER}
 export SSH_DIR=/Users/${username}/.ssh
 setup_ssh_directory() {
  mkdir -p ${SSH_DIR}
 }
 prompt_for_key_generation() {
  local key_name=$1
  if [[ -f "${SSH_DIR}/${key_name}" ]]; then
    echo -e "${RED}Existing SSH key found for ${key_name}.${NC}"
    cat "${SSH_DIR}/${key_name}.pub"
    read -p "Do you want to replace it? (y/n) " -n 1 -r
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
      return 0 # Indicate key should be replaced
    else
      return 1 # Indicate key should be kept
    fi
  fi
  return 0 # Indicate no key exists, so it should be created
 }
 generate_key() {
  local key_name=$1
  if prompt_for_key_generation "$key_name"; then
    ssh-keygen -t ed25519 -f "${SSH_DIR}/${key_name}" -N ""
    chown ${username}:staff "${SSH_DIR}/${key_name}"{,.pub}
  else
    echo -e "${GREEN}Kept existing ${key_name}.${NC}"
  fi
 }
 setup_ssh_directory
 generate_key "id_ed25519"
 generate_key "id_ed25519_agenix"
 echo -e "${GREEN}SSH key setup complete.${NC}"
 echo -e "${GREEN}Remember to add the necessary keys to Github or other services as required.${NC}"
--- a/apps/x86_64-darwin/check-keys
+++ b/apps/x86_64-darwin/check-keys
@ -1,33 +0,0 @@
 #!/usr/bin/env bash
 set -e
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 username=${USER}
 export SSH_DIR=/Users/${username}/.ssh
 lint_keys() {
  if [[ -f "${SSH_DIR}/id_ed25519" && -f "${SSH_DIR}/id_ed25519.pub" && -f "${SSH_DIR}/id_ed25519_agenix" && -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
    echo -e "${GREEN}All SSH keys are present.${NC}"
  else
    echo -e "${RED}Some SSH keys are missing.${NC}"
    if [[ ! -f "${SSH_DIR}/id_ed25519" ]]; then
      echo -e "${RED}Missing: id_ed25519${NC}"
    fi
    if [[ ! -f "${SSH_DIR}/id_ed25519.pub" ]]; then
      echo -e "${RED}Missing: id_ed25519.pub${NC}"
    fi
    if [[ ! -f "${SSH_DIR}/id_ed25519_agenix" ]]; then
      echo -e "${RED}Missing: id_ed25519_agenix${NC}"
    fi
    if [[ ! -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
      echo -e "${RED}Missing: id_ed25519_agenix.pub${NC}"
    fi
    echo -e "${GREEN}Run the createKeys command to generate the missing keys.${NC}"
    exit 1
  fi
 }
 lint_keys
--- a/apps/x86_64-darwin/copy-keys
+++ b/apps/x86_64-darwin/copy-keys
@ -1,68 +0,0 @@
 #!/usr/bin/env bash
 set -e
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 username=${USER}
 export SSH_DIR=/Users/${username}/.ssh
 handle_no_usb() {
  echo -e ${RED}No USB drive found or mounted.${NC}"
  echo -e ${GREEN}If you have not yet set up your keys, run the script to generate new SSH keys.${NC}"
  exit 1
 }
 mount_usb() {
  MOUNT_PATH=""
  for dev in $(diskutil list | grep -o 'disk[0-9]'); do
    MOUNT_PATH="$(diskutil info /dev/${dev} | grep \"Mount Point\" | awk -F: '{print $2}' | xargs)"
    if [ -n "${MOUNT_PATH}" ]; then
      echo -e "${GREEN}USB drive found at ${MOUNT_PATH}.${NC}"
      break
    fi
  done
  if [ -z "${MOUNT_PATH}" ]; then
    echo -e "${RED}No USB drive found.${NC}"
  fi
 }
 copy_keys() {
  if [ -n "${MOUNT_PATH}" ]; then
    cp "${MOUNT_PATH}/id_ed25519_agenix.pub" ${SSH_DIR}
    cp "${MOUNT_PATH}/id_ed25519_agenix" ${SSH_DIR}
    chmod 600 ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
  else
    echo -e "${RED}No USB drive found. Aborting.${NC}"
    exit 1
  fi
 }
 setup_ssh_directory() {
  mkdir -p ${SSH_DIR}
 }
 set_keys() {
  cp ${MOUNT_PATH}/id_ed25519_github.pub ${SSH_DIR}/id_ed25519.pub
  cp ${MOUNT_PATH}/id_ed25519_github ${SSH_DIR}/id_ed25519
  chmod 600 ${SSH_DIR}/id_ed25519
  chmod 644 ${SSH_DIR}/id_ed25519.pub
 }
 change_ownership() {
  chown ${username}:staff ${SSH_DIR}/id_ed25519{,.pub}
  chown ${username}:staff ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
 }
 setup_ssh_directory
 mount_usb
 if [ -z "${MOUNT_PATH}" ]; then
  handle_no_usb
 else
  copy_keys
  set_keys
  change_ownership
 fi
--- a/apps/x86_64-darwin/create-keys
+++ b/apps/x86_64-darwin/create-keys
@ -1,46 +0,0 @@
 #!/usr/bin/env bash
 set -e
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 username=${USER}
 export SSH_DIR=/Users/${username}/.ssh
 setup_ssh_directory() {
  mkdir -p ${SSH_DIR}
 }
 prompt_for_key_generation() {
  local key_name=$1
  if [[ -f "${SSH_DIR}/${key_name}" ]]; then
    echo -e "${RED}Existing SSH key found for ${key_name}.${NC}"
    cat "${SSH_DIR}/${key_name}.pub"
    read -p "Do you want to replace it? (y/n) " -n 1 -r
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
      return 0 # Indicate key should be replaced
    else
      return 1 # Indicate key should be kept
    fi
  fi
  return 0 # Indicate no key exists, so it should be created
 }
 generate_key() {
  local key_name=$1
  if prompt_for_key_generation "$key_name"; then
    ssh-keygen -t ed25519 -f "${SSH_DIR}/${key_name}" -N ""
    chown ${username}:staff "${SSH_DIR}/${key_name}"{,.pub}
  else
    echo -e "${GREEN}Kept existing ${key_name}.${NC}"
  fi
 }
 setup_ssh_directory
 generate_key "id_ed25519"
 generate_key "id_ed25519_agenix"
 echo -e "${GREEN}SSH key setup complete.${NC}"
 echo -e "${GREEN}Remember to add the necessary keys to Github or other services as required.${NC}"
--- a/flake.lock
+++ b/flake.lock
@ -396,7 +396,8 @@
        "nix-homebrew": "nix-homebrew",
        "nixd": "nixd",
        "nixpkgs": "nixpkgs_6",
-        "secrets": "secrets"
+        "secrets": "secrets",
        "sops-nix": "sops-nix"
      }
    },
    "secrets": {
@ -411,6 +412,26 @@
      },
      "parent": []
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1746485181,
        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -4,9 +4,6 @@
    nixpkgs = {
      url = "github:nixos/nixpkgs/nixos-unstable";
    };
    agenix = {
      url = "github:ryantm/agenix";
    };
    home-manager = {
      url = "github:nix-community/home-manager";
    };
@ -40,6 +37,10 @@
      url = "git@git.kolkman.org:olaf/nix-config-secrets.git";
      flake = false;
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs =
    {
@ -52,9 +53,9 @@
      home-manager,
      nixpkgs,
      disko,
      agenix,
      secrets,
      nixd,
      sops-nix,
    }@inputs:
    let
      user = "olaf";
@ -79,8 +80,6 @@
              nativeBuildInputs = with pkgs; [
                bashInteractive
                git
                age
                age-plugin-yubikey
              ];
              shellHook = with pkgs; ''
                export EDITOR=vim
@ -132,6 +131,7 @@
          inherit system;
          specialArgs = inputs;
          modules = [
            #    sops-nix.nixosModules.sops
            home-manager.darwinModules.home-manager
            nix-homebrew.darwinModules.nix-homebrew
            {
@ -158,6 +158,7 @@
          inherit system;
          specialArgs = inputs;
          modules = [
            sops-nix.nixosModules.sops
            disko.nixosModules.disko
            home-manager.nixosModules.home-manager
            {
--- a/hosts/darwin/default.nix
+++ b/hosts/darwin/default.nix
@ -1,5 +1,4 @@
 {
  agenix,
  config,
  pkgs,
  ...
@ -22,10 +21,9 @@ in
  };
  imports = [
    ../../modules/darwin/secrets.nix
    ../../modules/darwin/home-manager.nix
    ../../modules/shared
-    agenix.darwinModules.default
+
  ];
  # Setup user, packages, programs
@ -67,7 +65,6 @@ in
    with pkgs;
    [
      emacs-unstable
      agenix.packages."${pkgs.system}".default
    ]
    ++ (import ../../modules/shared/packages.nix { inherit pkgs; })
--- a/hosts/nixos/default.nix
+++ b/hosts/nixos/default.nix
@ -2,7 +2,6 @@
  config,
  inputs,
  pkgs,
  agenix,
  ...
 }:
@ -12,10 +11,8 @@ let
 in
 {
  imports = [
    ../../modules/nixos/secrets.nix
    ../../modules/nixos/disk-config.nix
    ../../modules/shared
    agenix.nixosModules.default
  ];
  # Use the systemd-boot EFI boot loader.
@ -337,7 +334,6 @@ in
  ];
  environment.systemPackages = with pkgs; [
    agenix.packages."${pkgs.system}".default # "x86_64-linux"
    gitAndTools.gitFull
    inetutils
  ];
--- a/modules/darwin/secrets.nix
+++ b/modules/darwin/secrets.nix
@ -1,37 +0,0 @@
 { config, pkgs, agenix, secrets, ... }:
 let user = "olaf"; in
 {
  age.identityPaths = [
    "/Users/${user}/.ssh/id_ed25519"
  ];
  # Your secrets go here
  #
  # Note: the installWithSecrets command you ran to boostrap the machine actually copies over
  #       a Github key pair. However, if you want to store the keypair in your nix-secrets repo
  #       instead, you can reference the age files and specify the symlink path here. Then add your
  #       public key in shared/files.nix.
  #
  #       If you change the key name, you'll need to update the SSH configuration in shared/home-manager.nix
  #       so Github reads it correctly.
  #
  # age.secrets."github-ssh-key" = {
  #   symlink = true;
  #   path = "/Users/${user}/.ssh/id_github";
  #   file =  "${secrets}/github-ssh-key.age";
  #   mode = "600";
  #   owner = "${user}";
  #   group = "staff";
  # };
  # age.secrets."github-signing-key" = {
  #   symlink = false;
  #   path = "/Users/${user}/.ssh/pgp_github.key";
  #   file =  "${secrets}/github-signing-key.age";
  #   mode = "600";
  #   owner = "${user}";
  # };
 }
--- a/modules/shared/packages.nix
+++ b/modules/shared/packages.nix
@ -26,7 +26,7 @@ with pkgs;
  # Encryption and security tools
  age
-  age-plugin-yubikey
+  sops
  gnupg
  libfido2