secrets: replace agenix with sops and sops-nix

2025-01-30 22:57:55 +00:00 · 2022-07-17 09:36:29 +08:00 · 2022-07-17 09:36:29 +08:00 · 10131d58be
commit 10131d58be
parent ffd2d84b7d
18 changed files with 133 additions and 71 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -4,6 +4,6 @@ root = true
 end_of_line = lf
 insert_final_newline = true

-[*.nix]
+[*.{nix,yaml,json}]
 indent_style = space
 indent_size = 2
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+*.yaml diff=sopsfilter
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,14 @@
+keys:
+  - &foo-dogsquared 8FCE86932583783E515B6FE55F2B001E20ED3763
+  - &foo-dogsquared-age age1say65zc678yc03tx4zexp20c9gvskvwrm4390j4x2jkepn97duhq9ptuj9
+  - &ni age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8
+creation_rules:
+  - path_regex: hosts/ni/secrets/[^/]+\.(yaml|json)$
+    age: *ni
+  - path_regex: secrets/[^/]+\.(yaml|json)$
+    key_groups:
+      - age:
+        - *foo-dogsquared-age
+        - *ni
+        pgp:
+        - *foo-dogsquared
--- a/README.adoc
+++ b/README.adoc
@ -134,8 +134,7 @@ For more information, see the link:./modules/README.adoc[related documentation].
 * link:./pkgs/[`./pkgs/`] contains my custom packages.
 It is exported in the flakes at `outputs.packages` compiled through various systems.

-* link:./secrets/[`./secrets/`] contains my secrets managed with link:https://github.com/ryantm/agenix[agenix].
-footnote:[It is advised you should minimize SSH keys with passphrases since it is annoying to reenter passwords every time.]
+* link:./secrets/[`./secrets/`] contains my secrets managed with link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix].

 * link:./shells/[`./shells/`] contains my development shells for interacting with the usual type of projects.
 Setting this up can bring benefits outside of NixOS (unless you're interacting with projects with any OpenGL-related stuff).
--- a/flake.lock
+++ b/flake.lock
@ -1,25 +1,5 @@
 {
  "nodes": {
-    "agenix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1652712410,
-        "narHash": "sha256-hMJ2TqLt0DleEnQFGUHK9sV2aAzJPU8pZeiZoqRozbE=",
-        "owner": "ryantm",
-        "repo": "agenix",
-        "rev": "7e5e58b98c3dcbf497543ff6f22591552ebfe65b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "ryantm",
-        "repo": "agenix",
-        "type": "github"
-      }
-    },
    "base16-schemes": {
      "flake": false,
      "locked": {
@ -348,6 +328,22 @@
        "type": "github"
      }
    },
+    "nixpkgs-22_05": {
+      "locked": {
+        "lastModified": 1657399715,
+        "narHash": "sha256-7YX+I8FP3/iJTRs33VhIbdx91YWlZQf8zaEEeM97964=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0ad6eae04953060dff8ba28af158799c3e13878d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nur": {
      "locked": {
        "lastModified": 1657837635,
@ -390,7 +386,6 @@
    },
    "root": {
      "inputs": {
-        "agenix": "agenix",
        "devshell": "devshell",
        "dotfiles": "dotfiles",
        "emacs-overlay": "emacs-overlay",
@ -404,7 +399,8 @@
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs",
        "nur": "nur",
-        "rust-overlay": "rust-overlay"
+        "rust-overlay": "rust-overlay",
+        "sops-nix": "sops-nix"
      }
    },
    "rust-overlay": {
@ -430,6 +426,27 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-22_05": "nixpkgs-22_05"
+      },
+      "locked": {
+        "lastModified": 1657695756,
+        "narHash": "sha256-5eeq7Itk9gMK6E5u3IrooFd3KswlheIO/L2Cs7Wwj9k=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "912514e60a6e0227d6a2e0ecc8524752337fcde2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "utils": {
      "locked": {
        "lastModified": 1652372896,
--- a/flake.nix
+++ b/flake.nix
@ -41,8 +41,8 @@
    nixos-generators.inputs.nixpkgs.follows = "nixpkgs";

    # Managing your secrets.
-    agenix.url = "github:ryantm/agenix";
-    agenix.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

    # Easy access to development environments.
    devshell.url = "github:numtide/devshell";
@ -119,10 +119,10 @@
        # Only use imports as minimally as possible with the absolute
        # requirements of a host.
        imports = [
-          inputs.agenix.nixosModules.age
          inputs.home-manager.nixosModules.home-manager
          inputs.nix-ld.nixosModules.nix-ld
          inputs.nur.nixosModules.nur
+          inputs.sops-nix.nixosModules.sops
        ];

        # Bleeding edge, baybee!
@ -139,7 +139,6 @@
          # All of the important flakes will be included.
          nixpkgs.flake = nixpkgs;
          home-manager.flake = inputs.home-manager;
-          agenix.flake = inputs.agenix;
          nur.flake = inputs.nur;
          guix-overlay.flake = inputs.guix-overlay;
          nixos-generators.flake = inputs.nixos-generators;
@ -201,7 +200,7 @@
          lib'.modulesToList (lib'.filesToAttr ./modules/home-manager);
        home-manager.extraSpecialArgs = { inherit inputs system self; };

-        # Enabling some things for agenix.
+        # Enabling some things for sops.
        programs.gnupg.agent = {
          enable = true;
          enableSSHSupport = true;
--- a/modules/nixos/tasks/backup-archive/borg-ssh-key.pub
+++ b/modules/nixos/tasks/backup-archive/borg-ssh-key.pub
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1IdisweU/qW+Np36K1WoR+RsPSyG6JcLNp96m1rDWx foo-dogsquared@ni
--- a/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub
+++ b/modules/nixos/tasks/backup-archive/borgbase-ssh-key.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOZzSBe/YHUfpCKfKM7BC60i3t2K3euiw2P6VEfe7kI Borgbase backup
--- a/modules/nixos/tasks/backup-archive/default.nix
+++ b/modules/nixos/tasks/backup-archive/default.nix
@ -10,7 +10,7 @@ let
    doInit = true;
    encryption = {
      mode = "repokey-blake2";
-      passCommand = "cat ${config.age.secrets.borg-password.path}";
+      passCommand = "cat ${config.sops.secrets.borg-password.path}";
    };
    extraCreateArgs = lib.concatStringsSep " "
      (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
@ -41,11 +41,17 @@ in {
    lib.mkEnableOption "backup setup with BorgBackup";

  config = lib.mkIf cfg.enable {
-    age.secrets.borg-password.file = lib.getSecret "archive/password";
-    age.secrets.borg-patterns.file = lib.getSecret "archive/borg-patterns";
-    age.secrets.borg-patterns-local.file =
-      lib.getSecret "archive/borg-patterns-local";
-    age.secrets.borg-ssh-key.file = lib.getSecret "archive/borg-ssh-key";
+    sops.secrets = let
+      getKey = key: {
+        inherit key;
+        sopsFile = lib.getSecret "backup-archive.yaml";
+      }; in {
+      borg-patterns-home = getKey "borg-patterns/home";
+      borg-patterns-etc = getKey "borg-patterns/etc";
+      borg-patterns-keys = getKey "borg-patterns/keys";
+      borg-ssh-key = getKey "ssh-key";
+      borg-password = getKey "password";
+    };

    fileSystems."/mnt/external-storage" = {
      device = "/dev/disk/by-uuid/665A391C5A38EB07";
@ -92,8 +98,9 @@ in {
    services.borgbackup.jobs = {
      local-archive = borgJobCommonSetting {
        patterns = [
-          config.age.secrets.borg-patterns-local.path
-          config.age.secrets.borg-patterns.path
+          config.sops.secrets.borg-patterns-home.path
+          config.sops.secrets.borg-patterns-etc.path
+          config.sops.secrets.borg-patterns-keys.path
        ];
      } // {
        doInit = false;
@ -104,8 +111,9 @@ in {

      local-external-drive = borgJobCommonSetting {
        patterns = [
-          config.age.secrets.borg-patterns-local.path
-          config.age.secrets.borg-patterns.path
+          config.sops.secrets.borg-patterns-home.path
+          config.sops.secrets.borg-patterns-etc.path
+          config.sops.secrets.borg-patterns-keys.path
        ];
      } // {
        doInit = false;
@ -115,17 +123,17 @@ in {
      };

      remote-borgbase = borgJobCommonSetting {
-        patterns = [ config.age.secrets.borg-patterns.path ];
+        patterns = [ config.sops.secrets.borg-patterns-home.path ];
      } // {
        repo = "r6o30viv@r6o30viv.repo.borgbase.com:repo";
        startAt = "daily";
-        environment.BORG_RSH = "ssh -i ${config.age.secrets.borg-ssh-key.path}";
+        environment.BORG_RSH = "ssh -i ${config.sops.secrets.borg-ssh-key.path}";
      };
    };

    programs.ssh.extraConfig = ''
      Host *.repo.borgbase.com
-       IdentityFile ${config.age.secrets.borg-ssh-key.path}
+       IdentityFile ${config.sops.secrets.borg-ssh-key.path}
    '';
  };
 }
--- a/secrets/README.adoc
+++ b/secrets/README.adoc
@ -2,4 +2,6 @@
 :toc:

 My secret files in public!
-This is managed through link:https://github.com/ryantm/agenix[agenix] (thus, uses the link:https://github.com/FiloSottile/age[age encryption tool]).
+All hail secret management tools!
+
+In my case, this is managed by link:https://github.com/mozilla/sops[sops] and link:https://github.com/Mic92/sops-nix[sops-nix] for integrating it with my NixOS setup.
--- a/secrets/archive/borg-patterns
+++ b/secrets/archive/borg-patterns
--- a/secrets/archive/borg-patterns-local
+++ b/secrets/archive/borg-patterns-local
--- a/secrets/archive/borg-ssh-key
+++ b/secrets/archive/borg-ssh-key
--- a/secrets/archive/key
+++ b/secrets/archive/key
--- a/secrets/archive/password
+++ b/secrets/archive/password
--- a/secrets/backup-archive.yaml
+++ b/secrets/backup-archive.yaml
@ -0,0 +1,47 @@
+password: ENC[AES256_GCM,data:IR+V7h8gdNXfEkDjjAF+T+isVzJFPHfzxAv/MPukdm5+3/Yt,iv:NY8bvHG/FkT6LWq6YQ087cr4YAEu4sjTGWw1yb1z5cg=,tag:baxiViXssOjpV1FqVHA2ow==,type:str]
+ssh-key: ENC[AES256_GCM,data:MDKZC4QMcfoXLtmTQYUXmz7vAFVKhcLACiQp3DzyeIle3FykNuvD/i5TLmqDclMHAcIfBb7yOCTPL/+hIvXRbU25btqWTc/i48RjYTvbpkVKQyyb7lBCmgeMHPoFNpSeu+NluelUpicQv2zOhIgG+LInQsDSy6uZuEnAEDh/MkCrch9G5DOQ1fGFcmRnpReKPNShkFaEnwiT0iYfQ/ksAvJlRS+szphWCcP6phwGWINETXyIQVekvnPp4pcioFtQ2sIZoLEkcOnhloNoSXs/hrqDaxgbEc7biITy+FCDU0M/qMVHiS8pE9Sb443MpmCSx84pm+kcgRpKPLqhhcf/PB0wLLGDvBD4Wv+0cmgGdKEKaZxvoTcYuCplvMKfRCzOGCDliBUGEy9gU/E8QCNNxC1OokhJFPs0b6YiHTAv+n+z48lRMojaKfmA5sRhiAh2mbiQerga8Tf3pEhtDW2myR3zrXYsJH2201F1j8O4TSQrXjvwC4ZeaIrzC1zYHXbTlNykdopv++M9U5BxRptBrAG5MgoQablsV3cH,iv:mIXPJIZ1z9xnoja+zQcHvVLLCWn3YMdVFKkhadbWCjY=,tag:Z/c2LB/mTaY8MzDfLjLrDQ==,type:str]
+borg-patterns:
+    home: ENC[AES256_GCM,data:Vmz2TVmoQKasF91OKJO860WPO4VuBm3U3u9izzZecRGDWfIaZU7Li2CoxtO2XX4Pq3EEgo9+/QoW2ZRJCnm2ws+/4hb8e7UNVuO/DwAGTXmvCaxEi3u/7La6WOl2FMZVg8QFbYUE6rPoyXfm/iTYZhry5g0jzb6yNJt4IisH2y4HZ++xJndv2eeKfwbwyEUuLfYOdtSB6QG5bS3jwxz6dNH0NHZHRkOpKKyLfo3qzSfRVMM6qMWeqB86uQmJYKQgNsQyJBjWQfx8Qhzu7iZGMy7SFmS2eiftXt3B480ea2F0mcDrJTkkmq3TIRkUIPnwQXrdOZArlWzY8fdcpIA6/lOJW/t+yQcCTf8YAWzg8gTVsHldeiRRzuGgHF5At09FBNJWoIhhOUw+yjUdASJq2IaCkHDBzBGvnPry6Pn8PSZ7los5++4bRbZq/S5FJL4ODr0XBkBUXEvSaq8pUwKHOUbYvUbslA+tnr+bi6dysDRaAbjLxAhZ9k7r8US5EM0XArVp2C2TSLtin6urwP+hcqwV1zp7g2fmralggwyXlpIYOb5annm9mU4rnhz/D18WBN5u3Y+h3RBI3eY08JjvDxbDHMTF/0nc5qvWpznoMm6zrtJeF3/+sB46Wq2PAdwd5WV37Ob+aV6Dp69qqaOsynR/qDXJwOKhR8QuftLD0WQ9qdEvZUYwT1+M7QR6LeN9KTssiu9ov1uxVdua2vBsbTEGrPkWWmHI17l08YAO9FT2L1vwKhWqolBQ7BwVzDO/f+6Uv8ItnygIa/iH6govdE3cyddNIgGcbdak8E6Vz3R8ZW0ptaWOFH2hQ5AD0mvBbtdCLizNm5xMRlFKg5L1p/H4aZrPafr7PtcjjK9/tJ7BhFdYWMOZ8xL/tDsoWI7W4jWM0w==,iv:gg7vbrzukPJj5WEL55gzX+EghZps5+rSJbWiCzJFE28=,tag:HYxQlwGM0de8lht9w+iiWA==,type:str]
+    etc: ENC[AES256_GCM,data:RUpVlNFuEVbhtfXio2N3XpDiYZPjNE1mqladh7iMB7gJX2HSivh5hqt4KkD3Bpl3zSClYqbS6GwxkQ46i5mXqJWl/vCNSFuWPg3qiw==,iv:QJnXrAHfJQJ7Gj4kTIh1RSAFfpBQCIkLIlgeYDsrHko=,tag:NzDm2lamC6YXVH9oBxet5A==,type:str]
+    keys: ENC[AES256_GCM,data:qrnNqEhStnsuCHjFgCC1fNUDLmIvHbXUzCFXK9PGudQtj5W6DJX6him1rkMNW5VltoFilHo4flRk6ebB+eWNq4eN4h/7/1a7IfoaIQDmpjl4/skbVpPA9wriEgFunY3dWyiH4Qu3MCBiDSIOKJrkD11o2FKnvudTSxavNkvccQI9Z5ALrHKc1t3I0NDt4sE4gfocAq1l6cfnRJ8CTs8ZcWtLTQ==,iv:4/CUrq/oq0qvEbGUS2udLiBLZeGuQZ/KiSueBCqAoV0=,tag:tPiRZW/0y1BqHdwR3KNuyQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1say65zc678yc03tx4zexp20c9gvskvwrm4390j4x2jkepn97duhq9ptuj9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBub2xqNVJHeHFNbzRsQzlJ
+            cFBZTnBTWVdRbGtKZzc3b2hOVEIxbFV5RENnCk9BSTdyRFI3eHBjZ202MFppVHVW
+            N1V1QllWcTVVSDZZTFRzcUVSL0R4VU0KLS0tIGJBQkdUaGZTM1p2NTQvSFNWa1R6
+            aHF5WEpjcUdBUWtaYk56RWZyRWZvdFkKDJg0l69Aa27SrWcAth4CbxdOACDLqE6t
+            crS49bDKqhZfsxE/6TNt279uBvPR8SsD0IE0hlBYJqGz6CxTmbMX8A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dm9xugju4q5gx0zty8ckw655ea904c64gv9qw9fn3lu507ck8uzsag59y8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMTlpWDd4ckNKRWpNVXNq
+            a0FSdWhVWitCUEFDNjVNbDdHSWlWYkdxbHhRCkJKT3VrMDVhNEh5T09JYUR0UTYz
+            bE9DSW56UXRlN1QrSVZtMHhNQWVTekUKLS0tIEw0L3dnSnFGdnF3MTJpbmdaMVlS
+            QUlyNHBlNDV6eVJXc3VWNzJSaThIQUEKCdNxZCCNISWll5uaCcDQBA2ir7oLpHco
+            +7ypF6lcOalqjvzc5DTXTt/v6QVs0f7SCZmNJFBMpZm8M2B+7O1h7A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-18T13:40:36Z"
+    mac: ENC[AES256_GCM,data:gcobfyFJyKLfde3HlNXUsUdBakISwUCeWVCudn9/sMn6ABNYAlkvOa3PDnYERfp8G8q3QKouyqw43qpWPm+NLIRJs7Db7dR0w4DZOklWuElTumiGFLOSWHafuSNDrSEQS4QZNtaZ4CzobtIKsR9nZ9Admwyf2Jywew2bWxyXV/E=,iv:tEm62tvWmnsdIaRoQNcc6k6mOOG/6CzJv960SLdU0EA=,tag:vVmRjyNlZbxZDds+po93kQ==,type:str]
+    pgp:
+        - created_at: "2022-07-18T13:19:32Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DFV150TdUJTsSAQdANGcWrpkQLvVjB4XVycennMACAEher2mlKNsUFFGSKhIw
+            6UHOKEdnTaWaOWzq1OhgTSqgYaXoWu3dXmZ/LAN7skym1jAiWFJmuqsRiDDsyH0V
+            1GgBCQIQ2xEU2UgjyW6C9p6MUOniPypezbI+fd3jmJ3iIf/93a8M0+0vowWyKgGE
+            wdRzSlo4bCz9rm0BeS1Gxw8/5rkdmkHiGpwfk9jNUJ6pkQ/oRdtMCrpNAUoBdgge
+            S4DRtOSDgQcepA==
+            =qoxa
+            -----END PGP MESSAGE-----
+          fp: 8FCE86932583783E515B6FE55F2B001E20ED3763
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -1,25 +0,0 @@
-let
-  system1 =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG42LafAFOeh3oYz/cm6FXes0ss59/EOCXpGsYvhpI21";
-  system2 =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHjRjAddjbyoM32tQhCjj8OrnqNBsXj+5D379iryupK+";
-  system3 =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4X7YXsEmMW3jP2dfU9l/KrF9jUZqN0sVXSvkag8VFH";
-  systems = [ system1 system2 system3 ];
-
-  user1 =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMclb6WPpYRoMVqCCzQcG2XQHczB6vaIEDIHqjVsyQJi";
-  user2 =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhrzY7tD0ZiGoA6nnfVxRQVQox0votQ2fuHz78LjNUD";
-  user3 =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIytwsseYS6kV8ldiUV767C2Gy7okxckdDRW4aA3q/Ku";
-  user4 =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtn+t2D7clY1U1rzKcSCBJjNbuJzbRArEiM3soyFcnv";
-  users = [ user1 user2 user3 user4 ];
-in {
-  "archive/borg-patterns".publicKeys = users ++ systems;
-  "archive/borg-patterns-local".publicKeys = users ++ systems;
-  "archive/borg-ssh-key".publicKeys = systems;
-  "archive/password".publicKeys = users ++ systems;
-  "archive/key".publicKeys = users ++ systems;
-}
--- a/shell.nix
+++ b/shell.nix
@ -1,5 +1,5 @@
 { pkgs ? import <nixpkgs> { } }:

 pkgs.mkShell {
-  packages = with pkgs; [ asciidoctor git git-crypt nixfmt rnix-lsp ];
+  packages = with pkgs; [ asciidoctor age git nixpkgs-fmt rnix-lsp sops ];
 }
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1IdisweU/qW+Np36K1WoR+RsPSyG6JcLNp96m1rDWx foo-dogsquared@ni`
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOZzSBe/YHUfpCKfKM7BC60i3t2K3euiw2P6VEfe7kI Borgbase backup`