Set up a first secret

2024-12-11 13:26:38 +01:00 · 2024-12-11 13:26:38 +01:00 · 5771c14249
commit 5771c14249
parent ed26839078
5 changed files with 107 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -18,6 +18,9 @@ details as to what they are for. As an overview:
 - [`matrix/`](./matrix) contains everything having to do with setting up a
  fully-featured Matrix server.

+- [`secrets/`](./secrets) contains the secrets that need to get injected into
+  machine configurations.
+
 - [`server/`](./server) contains the configuration of the VM hosting the
  website. This should be integrated into `infra/` shortly in the future, as
  tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31.
--- a/flake.nix
+++ b/flake.nix
@ -48,6 +48,7 @@
              optin = [
                "deployment"
                "infra"
+                "secrets"
                "services"
              ];
              files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";
--- a/secrets/README.md
+++ b/secrets/README.md
@ -0,0 +1,49 @@
+# Secrets
+
+Secrets are handled using [Agenix](https://github.com/ryantm/agenix).
+
+## Cheat sheet
+
+### Adding a secret
+
+As an example, let us add a secret in a file “cheeses” whose content should be
+“best ones come unpasteurised”.
+
+1. Edit [`secrets.nix`](./secrets.nix), adding a field to the final record with
+   the file name mapped to the systems that should be able to decrypt the
+   secret, for instance:
+   ```nix
+   cheeses = [ vm02116 forgejo-ci ];
+   ```
+
+2. Run Agenix to add the content of the file. Agenix is provided by the
+   development Shell but can also be run directly with `nix run
+   github:ryantm/agenix --`. Run `agenix -e cheeses.age` (with the `.age`
+   extension); this will open your `$EDITOR` ; enter “best ones come
+   unpasteurised”, save and close.
+
+3. If you are doing something flake-related such as NixOps4, do not forget to
+   commit or at least stage the secret.
+
+4. In the machine's configuration, load the Agenix NixOS module, declare your
+   secret, possibly with owner/group, and use it where necessary, eg.:
+   ```nix
+   { config, ... }:
+   {
+     imports = [ inputs.agenix.x86_64-linux.nixosModules.default ];
+     age.secrets.cheeses.file = ../secrets/cheeses.age;
+     # age.secrets.cheeses.owner = "jeanpierre";
+     # age.secrets.cheeses.group = "france";
+     # age.secrets.cheeses.mode = "440";
+     services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path;
+   }
+   ```
+
+5. Never read the content of the file in Nix, that is never do anything like:
+   ```nix
+   services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path;
+   ```
+   This will put the secret as a world-readable file in the Nix store. The
+   service that you are using must be able to read from a file at runtime, and
+   if the NixOS default module options do not provide that, you must find a way
+   around it.
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 1MUEqQ 5Bvi8UvLbifM2vlDOr4NRaZLRfIg6kAPY0oiwiSy50o
+TnbS5BHO4hmjs7Ux9rRMzK9ahsIkU9GpmAx59MzIpI0
+-> ssh-ed25519 h0QWFg 4Cu85VZM6zyysIYwMFccXUWUGejkylHiytJA4+2nN1Q
+e8XuOUfrOZ6xoWNK4gvVgs0H5pgtqUfrv/DBeh1WIsU
+-> ssh-ed25519 pJV4iw JQgQMTxfDZ/26In72UHPU+k0ZGBK1DRQWoOwfxS0xwI
+8De1c3d95ySwjqjQn9rHlYDfMDTHct1kbyjVx+8EZyA
+--- neht26C0cEHeTGVa+epEwoO+oqXvyO94xwp25zAX6wY
+¡DèN¯+ÛVâU8©Ø¼Qv©Ò<C2A9>¾þAð‹~Ž+ûáÄ<C3A1>³L©wª`<60>ó<EFBFBD>üE©XfV®¿©¥0@ùqHj
+Î²RGOY
+.?Då9ƒ<39>O[%\
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,43 @@
+let
+  pkgs = import <nixpkgs> { system = builtins.currentSystem; };
+  inherit (pkgs.lib.attrsets) concatMapAttrs;
+
+  ##############################################################################
+  ## Contributor personal keys
+  ##
+  ## All the contributors in this list WILL be able to decrypt ALL the encrypted
+  ## `.age` files.
+
+  contributors = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace"
+  ];
+
+  ##############################################################################
+  ## System host keys
+  ##
+  ## Machines in this list MAY be mentioned later on as able to decrypt some of
+  ## the encrypted `.age` files.
+
+  vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM";
+  vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW";
+
+  ##############################################################################
+
+in
+concatMapAttrs
+  (name: keys: {
+    "${name}.age".publicKeys = contributors ++ keys;
+  })
+
+  ##############################################################################
+  ## File name <-> system host keys mapping
+  ##
+  ## This attribute set defines precisely which secrets exist and which systems
+  ## are able to decrypt them.
+
+  {
+    forgejo-runner-token = [
+      vm02179
+      vm02186
+    ];
+  }