forked from Fediversity/Fediversity
Set up a first secret
This commit is contained in:
parent
ed26839078
commit
5771c14249
@ -18,6 +18,9 @@ details as to what they are for. As an overview:
- [`matrix/`](./matrix) contains everything having to do with setting up a
fully-featured Matrix server.

- [`secrets/`](./secrets) contains the secrets that need to get injected into
machine configurations.

- [`server/`](./server) contains the configuration of the VM hosting the
website. This should be integrated into `infra/` shortly in the future, as
tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31.
@ -48,6 +48,7 @@
optin = [
"deployment"
"infra"
"secrets"
"services"
];
files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";
49
secrets/README.md
Normal file
@ -0,0 +1,49 @@
# Secrets

Secrets are handled using [Agenix](https://github.com/ryantm/agenix).

## Cheat sheet

### Adding a secret

As an example, let us add a secret in a file “cheeses” whose content should be
“best ones come unpasteurised”.

1. Edit [`secrets.nix`](./secrets.nix), adding a field to the final record with
the file name mapped to the systems that should be able to decrypt the
secret, for instance:
```nix
cheeses = [ vm02116 forgejo-ci ];
```

2. Run Agenix to add the content of the file. Agenix is provided by the
development Shell but can also be run directly with `nix run
github:ryantm/agenix --`. Run `agenix -e cheeses.age` (with the `.age`
extension); this will open your `$EDITOR` ; enter “best ones come
unpasteurised”, save and close.

3. If you are doing something flake-related such as NixOps4, do not forget to
commit or at least stage the secret.

4. In the machine's configuration, load the Agenix NixOS module, declare your
secret, possibly with owner/group, and use it where necessary, eg.:
```nix
{ config, ... }:
{
imports = [ inputs.agenix.x86_64-linux.nixosModules.default ];
age.secrets.cheeses.file = ../secrets/cheeses.age;
# age.secrets.cheeses.owner = "jeanpierre";
# age.secrets.cheeses.group = "france";
# age.secrets.cheeses.mode = "440";
services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
}
```

5. Never read the content of the file in Nix, that is never do anything like:
```nix
services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path;
```
This will put the secret as a world-readable file in the Nix store. The
service that you are using must be able to read from a file at runtime, and
if the NixOS default module options do not provide that, you must find a way
around it.
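Review bot: the module snippet in step 4 does not evaluate as written. `imports = [ inputs.agenix.x86_64-linux.nixosModules.default ];` refers to `inputs`, which the `{ config, ... }:` header never binds (it would need `{ config, inputs, ... }:` with `inputs` handed in through `specialArgs`, or the import moved to where the flake's `inputs` are in scope), and agenix exposes its module as `inputs.agenix.nixosModules.default`: `nixosModules` is a system-independent flake output, so there is no `x86_64-linux` level to go through. Step 1's example `cheeses = [ vm02116 forgejo-ci ];` also names hosts that `secrets.nix` in this commit does not define (it declares `vm02179` and `vm02186`), so a reader who copies it gets an undefined-variable error from `agenix -e`; either use the defined names or say explicitly that every entry must first be declared in the host-keys section of `secrets.nix`. Step 5 is the important one for the cheat sheet and the explanation of why `readFile` leaks the secret into the world-readable store is correct.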
11
secrets/forgejo-runner-token.age
Normal file
@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 1MUEqQ 5Bvi8UvLbifM2vlDOr4NRaZLRfIg6kAPY0oiwiSy50o
TnbS5BHO4hmjs7Ux9rRMzK9ahsIkU9GpmAx59MzIpI0
-> ssh-ed25519 h0QWFg 4Cu85VZM6zyysIYwMFccXUWUGejkylHiytJA4+2nN1Q
e8XuOUfrOZ6xoWNK4gvVgs0H5pgtqUfrv/DBeh1WIsU
-> ssh-ed25519 pJV4iw JQgQMTxfDZ/26In72UHPU+k0ZGBK1DRQWoOwfxS0xwI
8De1c3d95ySwjqjQn9rHlYDfMDTHct1kbyjVx+8EZyA
--- neht26C0cEHeTGVa+epEwoO+oqXvyO94xwp25zAX6wY
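Review bot: the recipient set in this file is consistent with `secrets.nix`: three `-> ssh-ed25519` stanzas, one for the single key in `contributors` and one each for `vm02179` and `vm02186`. What the README does not say, and should, is that this set is frozen into the file at encryption time: adding or removing a contributor or host in `secrets.nix` changes nothing for already committed `.age` files until `agenix --rekey` is run, and a removed recipient can still decrypt every earlier committed version of this file, so a runner token exposed that way has to be rotated on the Forgejo side, not merely re-encrypted for the new recipient list.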
43
secrets/secrets.nix
Normal file
@ -0,0 +1,43 @@
let
pkgs = import <nixpkgs> { system = builtins.currentSystem; };
inherit (pkgs.lib.attrsets) concatMapAttrs;

##############################################################################
## Contributor personal keys
##
## All the contributors in this list WILL be able to decrypt ALL the encrypted
## `.age` files.

contributors = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
];

##############################################################################
## System host keys
##
## Machines in this list MAY be mentioned later on as able to decrypt some of
## the encrypted `.age` files.

vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";

##############################################################################

in
concatMapAttrs
(name: keys: {
"${name}.age".publicKeys = contributors ++ keys;
})

##############################################################################
## File name <-> system host keys mapping
##
## This attribute set defines precisely which secrets exist and which systems
## are able to decrypt them.

{
forgejo-runner-token = [
vm02179
vm02186
];
}
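Review bot: `pkgs = import <nixpkgs> { system = builtins.currentSystem; };` is pulled in only to get `concatMapAttrs`, and it makes every evaluation of `secrets.nix` depend on an impure `<nixpkgs>` lookup through `NIX_PATH`; in a shell where that is not set (the README suggests `nix run github:ryantm/agenix --`, which does not set it) `agenix -e` fails before it reaches the mapping at the bottom of the file. The same rename of `name` to `"${name}.age"` can be done with builtins only, e.g. `builtins.listToAttrs (map (name: { name = "${name}.age"; value.publicKeys = contributors ++ mapping.${name}; }) (builtins.attrNames mapping))` with the final attribute set bound to `mapping` in the `let`. The `contributors ++ keys` concatenation itself does what the comments promise: every contributor key is added to every file, and the per-file list only ever adds host keys, so the "WILL be able to decrypt ALL" warning is accurate.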