From 09b043c26c48b726545964637605619b9c930218 Mon Sep 17 00:00:00 2001
From: clerie
Date: Mon, 1 May 2023 11:37:33 +0200
Subject: [PATCH] Introduce agenix secrets management

---
 flake.lock | 44 +++++++++++++++++++
 flake.nix | 4 ++
 hosts/clerie-backup/configuration.nix | 2 +
 hosts/clerie-backup/restic-server.nix | 9 ++++
 hosts/clerie-backup/secrets/default.nix | 5 +++
 .../secrets/restic-server-cyan-htpasswd.age | 10 +++++
 lib/flake-helper.nix | 3 +-
 secrets.nix | 10 +++++
 8 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 hosts/clerie-backup/secrets/default.nix
 create mode 100644 hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
 create mode 100644 secrets.nix

diff --git a/flake.lock b/flake.lock
index 8b454a9..da1eb76 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,48 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1682101079,
+ "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673295039,
+ "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "nixos-exporter": {
 "inputs": {
 "nixpkgs": [
@@ -54,6 +97,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "nixos-exporter": "nixos-exporter",
 "nixpkgs": "nixpkgs",
 "nixpkgs-schule": "nixpkgs-schule",
diff --git a/flake.nix b/flake.nix
index 606af6a..ebc4908 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,6 +2,10 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 nixpkgs-schule.url = "github:NixOS/nixpkgs/nixos-unstable";
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nixos-exporter = {
 url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/clerie-backup/configuration.nix b/hosts/clerie-backup/configuration.nix
index 98b767c..7616663 100644
--- a/hosts/clerie-backup/configuration.nix
+++ b/hosts/clerie-backup/configuration.nix
@@ -6,6 +6,8 @@
 ./hardware-configuration.nix
 ../../configuration/proxmox-vm
+ ./secrets
+
 ./restic-server.nix
 ];
diff --git a/hosts/clerie-backup/restic-server.nix b/hosts/clerie-backup/restic-server.nix
index f18aa4e..8dcc651 100644
--- a/hosts/clerie-backup/restic-server.nix
+++ b/hosts/clerie-backup/restic-server.nix
@@ -8,6 +8,15 @@
 listenAddress = "[::1]:43242";
 };
+ # restic rest server does not support --htpasswd-file in the current version of nixpkgs
+ # until then we copy the secrets to the common location
+ age.secrets.restic-server-cyan-htpasswd = {
+ path = "/mnt/clerie-backup/cyan/.htpasswd";
+ symlink = false;
+ owner = "restic";
+ group = "restic";
+ };
+
 services.nginx.virtualHosts."cyan.backup.clerie.de" = {
 enableACME = true;
 forceSSL = true;
diff --git a/hosts/clerie-backup/secrets/default.nix b/hosts/clerie-backup/secrets/default.nix
new file mode 100644
index 0000000..b3f7ab5
--- /dev/null
+++ b/hosts/clerie-backup/secrets/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ age.secrets.restic-server-cyan-htpasswd.file = ./restic-server-cyan-htpasswd.age;
+}
diff --git a/hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age b/hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
new file mode 100644
index 0000000..64db649
--- /dev/null
+++ b/hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age
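Review bot: The new `agenix` input overrides only its `nixpkgs` input, so agenix's own `darwin` input (lnl7/nix-darwin) is still fetched and pinned, as the new `darwin` node in the flake.lock hunk shows. If none of the hosts in this flake are darwin systems, the agenix README documents dropping it with `inputs.darwin.follows = "";` next to the existing `inputs.nixpkgs.follows` line, which removes one unused third-party input from the lock and from every future `nix flake update`. The enclosing `inputs` attribute set continues past the hunk.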
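Review bot: With `symlink = false;` and `path` under `/mnt/clerie-backup`, the decrypted htpasswd is written onto the backup volume itself rather than to agenix's default location under `/run`, so the plaintext credential persists on that disk; the two-line comment suggests this is deliberate, but it should say so and name what it is waiting for, e.g. `# TODO: drop path/symlink and use the default /run/agenix location once the rest-server module supports --htpasswd-file`. No `mode` is set, so the file gets agenix's default (0400 to my recollection, readable only by `restic`); an explicit `mode = "0400";` documents the intent and does not depend on that default. If `/mnt/clerie-backup` is a separate mount, it is worth confirming it is mounted before system activation runs, since a copy written into the underlying directory would be shadowed once the mount appears. The enclosing module attribute set starts and ends outside the hunk.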
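Review bot: This new module declares only the `.file` of `restic-server-cyan-htpasswd`, while the same secret's `path`, `owner` and `group` are set in `restic-server.nix` in this commit, so the two halves are tied together only by the attribute name. A short comment above the assignment such as `# path/owner/group for this secret are set where it is consumed (../restic-server.nix)` makes that split visible to the next reader. The file is complete within the hunk.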
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 HwR33w zPP2GxmlabgLkMMW9DqpdAiMUXTPTwZ8Y1aHAKoOUU4 +oqGSUZMztWoercL/DD/Qagn8VE4U8KPzPrjmLXHGb5I +-> ssh-ed25519 ILP4Ew cLYC1UCOo1XSvnViQZfXKUClDkO9SZZZsHR2yxGm2Dc +1cyw/j8XQk/ztE6fEtZtjQ8cX4mkF5FrAWgZfyENV4c +-> P-grease uB// Mn0