Set up a first secret

Nicolas Jeannerod 2024-12-11 13:26:38 +01:00
parent ed26839078
commit 5771c14249
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
5 changed files with 107 additions and 0 deletions


@ -18,6 +18,9 @@ details as to what they are for. As an overview:
- [`matrix/`](./matrix) contains everything having to do with setting up a - [`matrix/`](./matrix) contains everything having to do with setting up a
fully-featured Matrix server. fully-featured Matrix server.
- [`secrets/`](./secrets) contains the secrets that need to get injected into
machine configurations.
- [`server/`](./server) contains the configuration of the VM hosting the - [`server/`](./server) contains the configuration of the VM hosting the
website. This should be integrated into `infra/` shortly in the future, as website. This should be integrated into `infra/` shortly in the future, as
tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31. tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31.
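Review bot: the new `secrets/` bullet reads as if plaintext secrets were committed; it should say what the directory actually holds per this commit, namely age-encrypted `.age` files managed with Agenix plus a `secrets.nix` that declares which public keys may decrypt each one. Suggested wording: "contains the Agenix-encrypted secrets (`.age` files) that get injected into machine configurations, together with `secrets.nix`, which lists the keys able to decrypt each of them."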


@ -48,6 +48,7 @@
optin = [ optin = [
"deployment" "deployment"
"infra" "infra"
"secrets"
"services" "services"
]; ];
files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$"; files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";

secrets/README.md Normal file

@ -0,0 +1,49 @@
# Secrets
Secrets are handled using [Agenix](https://github.com/ryantm/agenix).
## Cheat sheet
### Adding a secret
As an example, let us add a secret in a file “cheeses” whose content should be
“best ones come unpasteurised”.
1. Edit [`secrets.nix`](./secrets.nix), adding a field to the final record with
the file name mapped to the systems that should be able to decrypt the
secret, for instance:
```nix
cheeses = [ vm02116 forgejo-ci ];
```
2. Run Agenix to add the content of the file. Agenix is provided by the
development Shell but can also be run directly with `nix run
github:ryantm/agenix --`. Run `agenix -e cheeses.age` (with the `.age`
extension); this will open your `$EDITOR` ; enter “best ones come
unpasteurised”, save and close.
3. If you are doing something flake-related such as NixOps4, do not forget to
commit or at least stage the secret.
4. In the machine's configuration, load the Agenix NixOS module, declare your
secret, possibly with owner/group, and use it where necessary, eg.:
```nix
{ config, ... }:
{
imports = [ inputs.agenix.x86_64-linux.nixosModules.default ];
age.secrets.cheeses.file = ../secrets/cheeses.age;
# age.secrets.cheeses.owner = "jeanpierre";
# age.secrets.cheeses.group = "france";
# age.secrets.cheeses.mode = "440";
services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
}
```
5. Never read the content of the file in Nix, that is never do anything like:
```nix
services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path;
```
This will put the secret as a world-readable file in the Nix store. The
service that you are using must be able to read from a file at runtime, and
if the NixOS default module options do not provide that, you must find a way
around it.
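Review bot: in step 4 the module header binds only `{ config, ... }`, yet the `imports` line references `inputs`, which is therefore unbound and will fail at evaluation; either add `inputs` to the module arguments (and pass it through `specialArgs`) or import the Agenix module at the flake level. In the same line, Agenix's flake exposes the NixOS module as `inputs.agenix.nixosModules.default` at the top level, not under a per-system attribute such as `x86_64-linux`. Separately, step 1's example `cheeses = [ vm02116 forgejo-ci ];` names hosts that the `secrets.nix` added in this commit does not define (it defines `vm02179` and `vm02186`), so a reader copying the example gets an undefined-variable error; use the defined names or state that the names are placeholders.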


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 1MUEqQ 5Bvi8UvLbifM2vlDOr4NRaZLRfIg6kAPY0oiwiSy50o
TnbS5BHO4hmjs7Ux9rRMzK9ahsIkU9GpmAx59MzIpI0
-> ssh-ed25519 h0QWFg 4Cu85VZM6zyysIYwMFccXUWUGejkylHiytJA4+2nN1Q
e8XuOUfrOZ6xoWNK4gvVgs0H5pgtqUfrv/DBeh1WIsU
-> ssh-ed25519 pJV4iw JQgQMTxfDZ/26In72UHPU+k0ZGBK1DRQWoOwfxS0xwI
8De1c3d95ySwjqjQn9rHlYDfMDTHct1kbyjVx+8EZyA
--- neht26C0cEHeTGVa+epEwoO+oqXvyO94xwp25zAX6wY
¡DèN¯+ÛVâU8©Ø¼Qv©Ò<C2A9>¾þAð~Ž+ûáÄ<C3A1>³L©wª`<60>ó<EFBFBD>üE©XfV®¿©¥0@ùqHj
βRGOY
.?Då9ƒ<39>O[%\
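Review bot: the encrypted file is rendered as text, and the ciphertext body after the `---` line comes out as mojibake; adding `*.age binary` (or `*.age -diff`) to a `.gitattributes` keeps future diffs readable and avoids accidental newline conversion of the payload. The recipient list is consistent with `secrets.nix` in this commit: three `ssh-ed25519` stanzas, matching one contributor key plus `vm02179` and `vm02186` for the only declared secret.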

secrets/secrets.nix Normal file

@ -0,0 +1,43 @@
let
pkgs = import <nixpkgs> { system = builtins.currentSystem; };
inherit (pkgs.lib.attrsets) concatMapAttrs;
##############################################################################
## Contributor personal keys
##
## All the contributors in this list WILL be able to decrypt ALL the encrypted
## `.age` files.
contributors = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
];
##############################################################################
## System host keys
##
## Machines in this list MAY be mentioned later on as able to decrypt some of
## the encrypted `.age` files.
vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
##############################################################################
in
concatMapAttrs
(name: keys: {
"${name}.age".publicKeys = contributors ++ keys;
})
##############################################################################
## File name <-> system host keys mapping
##
## This attribute set defines precisely which secrets exist and which systems
## are able to decrypt them.
{
forgejo-runner-token = [
vm02179
vm02186
];
}
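Review bot: `import <nixpkgs> { system = builtins.currentSystem; }` makes this file depend on the caller's `NIX_PATH`, so `agenix -e` evaluates against whatever channel the user has (or fails when none is set) rather than the nixpkgs the flake pins; since the only thing taken from `pkgs` is `concatMapAttrs`, the mapping can be written with builtins alone, e.g. `builtins.listToAttrs (map (name: { name = "${name}.age"; value.publicKeys = contributors ++ secrets.${name}; }) (builtins.attrNames secrets))` with the final attribute set bound as `secrets`, and the `pkgs` import dropped. Also worth documenting next to the `contributors` comment: because every contributor key is added to every file, removing a contributor requires re-encrypting all `.age` files (`agenix -r`) after editing this list, otherwise the departed key keeps decrypting them.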