olaf/nixos-config_to_rule_them_all
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replaced agenix based secrets for SOPS

Browse Source
This commit is contained in:
Olaf Kolkman
2025-05-15 20:10:20 +02:00
parent 76d09952fc
commit a1ce2f94bb
14 changed files with 41 additions and 347 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -1,3 +1,5 @@
README.md~
.DS_Store
result
dump.txt
*~

8
.sops.yaml Normal file
View File

@@ -0,0 +1,8 @@
keys:
- &admin_olaf age1jfmngygcas0urav66tch0v4583d07smf3vnww87xpcngcklaycas4kzjlp
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *admin_olaf

33
apps/aarch64-darwin/check-keys
View File

@@ -1,33 +0,0 @@
#!/usr/bin/env bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
username=${USER}
export SSH_DIR=/Users/${username}/.ssh
lint_keys() {
if [[ -f "${SSH_DIR}/id_ed25519" && -f "${SSH_DIR}/id_ed25519.pub" && -f "${SSH_DIR}/id_ed25519_agenix" && -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
echo -e "${GREEN}All SSH keys are present.${NC}"
else
echo -e "${RED}Some SSH keys are missing.${NC}"
if [[ ! -f "${SSH_DIR}/id_ed25519" ]]; then
echo -e "${RED}Missing: id_ed25519${NC}"
fi
if [[ ! -f "${SSH_DIR}/id_ed25519.pub" ]]; then
echo -e "${RED}Missing: id_ed25519.pub${NC}"
fi
if [[ ! -f "${SSH_DIR}/id_ed25519_agenix" ]]; then
echo -e "${RED}Missing: id_ed25519_agenix${NC}"
fi
if [[ ! -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
echo -e "${RED}Missing: id_ed25519_agenix.pub${NC}"
fi
echo -e "${GREEN}Run the createKeys command to generate the missing keys.${NC}"
exit 1
fi
}
lint_keys

68
apps/aarch64-darwin/copy-keys
View File

@@ -1,68 +0,0 @@
#!/usr/bin/env bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
username=${USER}
export SSH_DIR=/Users/${username}/.ssh
handle_no_usb() {
echo -e ${RED}No USB drive found or mounted.${NC}"
echo -e ${GREEN}If you have not yet set up your keys, run the script to generate new SSH keys.${NC}"
exit 1
}
mount_usb() {
MOUNT_PATH=""
for dev in $(diskutil list | grep -o 'disk[0-9]'); do
MOUNT_PATH="$(diskutil info /dev/${dev} | grep \"Mount Point\" | awk -F: '{print $2}' | xargs)"
if [ -n "${MOUNT_PATH}" ]; then
echo -e "${GREEN}USB drive found at ${MOUNT_PATH}.${NC}"
break
fi
done
if [ -z "${MOUNT_PATH}" ]; then
echo -e "${RED}No USB drive found.${NC}"
fi
}
copy_keys() {
if [ -n "${MOUNT_PATH}" ]; then
cp "${MOUNT_PATH}/id_ed25519_agenix.pub" ${SSH_DIR}
cp "${MOUNT_PATH}/id_ed25519_agenix" ${SSH_DIR}
chmod 600 ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
else
echo -e "${RED}No USB drive found. Aborting.${NC}"
exit 1
fi
}
setup_ssh_directory() {
mkdir -p ${SSH_DIR}
}
set_keys() {
cp ${MOUNT_PATH}/id_ed25519_github.pub ${SSH_DIR}/id_ed25519.pub
cp ${MOUNT_PATH}/id_ed25519_github ${SSH_DIR}/id_ed25519
chmod 600 ${SSH_DIR}/id_ed25519
chmod 644 ${SSH_DIR}/id_ed25519.pub
}
change_ownership() {
chown ${username}:staff ${SSH_DIR}/id_ed25519{,.pub}
chown ${username}:staff ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
}
setup_ssh_directory
mount_usb
if [ -z "${MOUNT_PATH}" ]; then
handle_no_usb
else
copy_keys
set_keys
change_ownership
fi

46
apps/aarch64-darwin/create-keys
View File

@@ -1,46 +0,0 @@
#!/usr/bin/env bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
username=${USER}
export SSH_DIR=/Users/${username}/.ssh
setup_ssh_directory() {
mkdir -p ${SSH_DIR}
}
prompt_for_key_generation() {
local key_name=$1
if [[ -f "${SSH_DIR}/${key_name}" ]]; then
echo -e "${RED}Existing SSH key found for ${key_name}.${NC}"
cat "${SSH_DIR}/${key_name}.pub"
read -p "Do you want to replace it? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
return 0 # Indicate key should be replaced
else
return 1 # Indicate key should be kept
fi
fi
return 0 # Indicate no key exists, so it should be created
}
generate_key() {
local key_name=$1
if prompt_for_key_generation "$key_name"; then
ssh-keygen -t ed25519 -f "${SSH_DIR}/${key_name}" -N ""
chown ${username}:staff "${SSH_DIR}/${key_name}"{,.pub}
else
echo -e "${GREEN}Kept existing ${key_name}.${NC}"
fi
}
setup_ssh_directory
generate_key "id_ed25519"
generate_key "id_ed25519_agenix"
echo -e "${GREEN}SSH key setup complete.${NC}"
echo -e "${GREEN}Remember to add the necessary keys to Github or other services as required.${NC}"

33
apps/x86_64-darwin/check-keys
View File

@@ -1,33 +0,0 @@
#!/usr/bin/env bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
username=${USER}
export SSH_DIR=/Users/${username}/.ssh
lint_keys() {
if [[ -f "${SSH_DIR}/id_ed25519" && -f "${SSH_DIR}/id_ed25519.pub" && -f "${SSH_DIR}/id_ed25519_agenix" && -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
echo -e "${GREEN}All SSH keys are present.${NC}"
else
echo -e "${RED}Some SSH keys are missing.${NC}"
if [[ ! -f "${SSH_DIR}/id_ed25519" ]]; then
echo -e "${RED}Missing: id_ed25519${NC}"
fi
if [[ ! -f "${SSH_DIR}/id_ed25519.pub" ]]; then
echo -e "${RED}Missing: id_ed25519.pub${NC}"
fi
if [[ ! -f "${SSH_DIR}/id_ed25519_agenix" ]]; then
echo -e "${RED}Missing: id_ed25519_agenix${NC}"
fi
if [[ ! -f "${SSH_DIR}/id_ed25519_agenix.pub" ]]; then
echo -e "${RED}Missing: id_ed25519_agenix.pub${NC}"
fi
echo -e "${GREEN}Run the createKeys command to generate the missing keys.${NC}"
exit 1
fi
}
lint_keys

68
apps/x86_64-darwin/copy-keys
View File

@@ -1,68 +0,0 @@
#!/usr/bin/env bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
username=${USER}
export SSH_DIR=/Users/${username}/.ssh
handle_no_usb() {
echo -e ${RED}No USB drive found or mounted.${NC}"
echo -e ${GREEN}If you have not yet set up your keys, run the script to generate new SSH keys.${NC}"
exit 1
}
mount_usb() {
MOUNT_PATH=""
for dev in $(diskutil list | grep -o 'disk[0-9]'); do
MOUNT_PATH="$(diskutil info /dev/${dev} | grep \"Mount Point\" | awk -F: '{print $2}' | xargs)"
if [ -n "${MOUNT_PATH}" ]; then
echo -e "${GREEN}USB drive found at ${MOUNT_PATH}.${NC}"
break
fi
done
if [ -z "${MOUNT_PATH}" ]; then
echo -e "${RED}No USB drive found.${NC}"
fi
}
copy_keys() {
if [ -n "${MOUNT_PATH}" ]; then
cp "${MOUNT_PATH}/id_ed25519_agenix.pub" ${SSH_DIR}
cp "${MOUNT_PATH}/id_ed25519_agenix" ${SSH_DIR}
chmod 600 ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
else
echo -e "${RED}No USB drive found. Aborting.${NC}"
exit 1
fi
}
setup_ssh_directory() {
mkdir -p ${SSH_DIR}
}
set_keys() {
cp ${MOUNT_PATH}/id_ed25519_github.pub ${SSH_DIR}/id_ed25519.pub
cp ${MOUNT_PATH}/id_ed25519_github ${SSH_DIR}/id_ed25519
chmod 600 ${SSH_DIR}/id_ed25519
chmod 644 ${SSH_DIR}/id_ed25519.pub
}
change_ownership() {
chown ${username}:staff ${SSH_DIR}/id_ed25519{,.pub}
chown ${username}:staff ${SSH_DIR}/id_ed25519_{agenix,agenix.pub}
}
setup_ssh_directory
mount_usb
if [ -z "${MOUNT_PATH}" ]; then
handle_no_usb
else
copy_keys
set_keys
change_ownership
fi

46
apps/x86_64-darwin/create-keys
View File

@@ -1,46 +0,0 @@
#!/usr/bin/env bash
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
username=${USER}
export SSH_DIR=/Users/${username}/.ssh
setup_ssh_directory() {
mkdir -p ${SSH_DIR}
}
prompt_for_key_generation() {
local key_name=$1
if [[ -f "${SSH_DIR}/${key_name}" ]]; then
echo -e "${RED}Existing SSH key found for ${key_name}.${NC}"
cat "${SSH_DIR}/${key_name}.pub"
read -p "Do you want to replace it? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
return 0 # Indicate key should be replaced
else
return 1 # Indicate key should be kept
fi
fi
return 0 # Indicate no key exists, so it should be created
}
generate_key() {
local key_name=$1
if prompt_for_key_generation "$key_name"; then
ssh-keygen -t ed25519 -f "${SSH_DIR}/${key_name}" -N ""
chown ${username}:staff "${SSH_DIR}/${key_name}"{,.pub}
else
echo -e "${GREEN}Kept existing ${key_name}.${NC}"
fi
}
setup_ssh_directory
generate_key "id_ed25519"
generate_key "id_ed25519_agenix"
echo -e "${GREEN}SSH key setup complete.${NC}"
echo -e "${GREEN}Remember to add the necessary keys to Github or other services as required.${NC}"

23
flake.lock generated
View File

@@ -396,7 +396,8 @@
"nix-homebrew": "nix-homebrew",
"nixd": "nixd",
"nixpkgs": "nixpkgs_6",
"secrets": "secrets"
"secrets": "secrets",
"sops-nix": "sops-nix"
}
},
"secrets": {
@@ -411,6 +412,26 @@
},
"parent": []
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1746485181,
"narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,

13
flake.nix
View File

@@ -4,9 +4,6 @@
nixpkgs = {
url = "github:nixos/nixpkgs/nixos-unstable";
};
agenix = {
url = "github:ryantm/agenix";
};
home-manager = {
url = "github:nix-community/home-manager";
};
@@ -40,6 +37,10 @@
url = "git@git.kolkman.org:olaf/nix-config-secrets.git";
flake = false;
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{
@@ -52,9 +53,9 @@
home-manager,
nixpkgs,
disko,
agenix,
secrets,
nixd,
sops-nix,
}@inputs:
let
user = "olaf";
@@ -79,8 +80,6 @@
nativeBuildInputs = with pkgs; [
bashInteractive
git
age
age-plugin-yubikey
];
shellHook = with pkgs; ''
export EDITOR=vim
@@ -132,6 +131,7 @@
inherit system;
specialArgs = inputs;
modules = [
# sops-nix.nixosModules.sops
home-manager.darwinModules.home-manager
nix-homebrew.darwinModules.nix-homebrew
{
@@ -158,6 +158,7 @@
inherit system;
specialArgs = inputs;
modules = [
sops-nix.nixosModules.sops
disko.nixosModules.disko
home-manager.nixosModules.home-manager
{

5
hosts/darwin/default.nix
View File

@@ -1,5 +1,4 @@
{
agenix,
config,
pkgs,
...
@@ -22,10 +21,9 @@ in
};
imports = [
../../modules/darwin/secrets.nix
../../modules/darwin/home-manager.nix
../../modules/shared
agenix.darwinModules.default
];
# Setup user, packages, programs
@@ -67,7 +65,6 @@ in
with pkgs;
[
emacs-unstable
agenix.packages."${pkgs.system}".default
]
++ (import ../../modules/shared/packages.nix { inherit pkgs; })

4
hosts/nixos/default.nix
View File

@@ -2,7 +2,6 @@
config,
inputs,
pkgs,
agenix,
...
}:
@@ -12,10 +11,8 @@ let
in
{
imports = [
../../modules/nixos/secrets.nix
../../modules/nixos/disk-config.nix
../../modules/shared
agenix.nixosModules.default
];
# Use the systemd-boot EFI boot loader.
@@ -337,7 +334,6 @@ in
];
environment.systemPackages = with pkgs; [
agenix.packages."${pkgs.system}".default # "x86_64-linux"
gitAndTools.gitFull
inetutils
];

37
modules/darwin/secrets.nix
View File

@@ -1,37 +0,0 @@
{ config, pkgs, agenix, secrets, ... }:
let user = "olaf"; in
{
age.identityPaths = [
"/Users/${user}/.ssh/id_ed25519"
];
# Your secrets go here
#
# Note: the installWithSecrets command you ran to boostrap the machine actually copies over
# a Github key pair. However, if you want to store the keypair in your nix-secrets repo
# instead, you can reference the age files and specify the symlink path here. Then add your
# public key in shared/files.nix.
#
# If you change the key name, you'll need to update the SSH configuration in shared/home-manager.nix
# so Github reads it correctly.
#
# age.secrets."github-ssh-key" = {
# symlink = true;
# path = "/Users/${user}/.ssh/id_github";
# file = "${secrets}/github-ssh-key.age";
# mode = "600";
# owner = "${user}";
# group = "staff";
# };
# age.secrets."github-signing-key" = {
# symlink = false;
# path = "/Users/${user}/.ssh/pgp_github.key";
# file = "${secrets}/github-signing-key.age";
# mode = "600";
# owner = "${user}";
# };
}

2
modules/shared/packages.nix
View File

@@ -26,7 +26,7 @@ with pkgs;
# Encryption and security tools
age
age-plugin-yubikey
sops
gnupg
libfido2