From d0bd09896a07c8c45ff27d0f5d983399f2025781 Mon Sep 17 00:00:00 2001 From: clerie Date: Fri, 10 May 2024 16:23:41 +0200 Subject: [PATCH] secrets.nix: Remove age secrets management --- configuration/common/programs.nix | 1 - flake.lock | 44 ------------ flake.nix | 10 +-- lib/flake-helper.nix | 13 +--- modules/backup/default.nix | 12 ++-- modules/monitoring/default.nix | 3 +- modules/wg-clerie/default.nix | 3 +- modules/wireguard-initrd/default.nix | 2 +- pkgs/nixfiles/nixfiles-add-secret.nix | 11 --- pkgs/nixfiles/nixfiles-add-secret.sh | 15 ----- pkgs/overlay.nix | 2 - secrets.nix | 96 --------------------------- 12 files changed, 9 insertions(+), 203 deletions(-) delete mode 100644 pkgs/nixfiles/nixfiles-add-secret.nix delete mode 100755 pkgs/nixfiles/nixfiles-add-secret.sh delete mode 100644 secrets.nix diff --git a/configuration/common/programs.nix b/configuration/common/programs.nix index f68ac3c..61e70be 100644 --- a/configuration/common/programs.nix +++ b/configuration/common/programs.nix @@ -14,7 +14,6 @@ # Deployment bij colmena - agenix clerie-sops clerie-sops-edit sops diff --git a/flake.lock b/flake.lock index 2e2f32e..226df0c 100644 --- a/flake.lock +++ b/flake.lock @@ -1,26 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1682101079, - "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=", - "owner": "ryantm", - "repo": "agenix", - "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "bij": { "inputs": { "nixpkgs": [ 
@@ -59,28 +38,6 @@ "url": "https://git.clerie.de/clerie/chaosevents.git" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "fernglas": { "inputs": { "flake-utils": "flake-utils", @@ -299,7 +256,6 @@ }, "root": { "inputs": { - "agenix": "agenix", "bij": "bij", "chaosevents": "chaosevents", "fernglas": "fernglas", diff --git a/flake.nix b/flake.nix index 08b3f9b..06f22f9 100644 --- a/flake.nix +++ b/flake.nix @@ -3,10 +3,6 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-krypton.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; - agenix = { - url = "github:ryantm/agenix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; bij = { url = "git+https://git.clerie.de/clerie/bij.git"; inputs.nixpkgs.follows = "nixpkgs"; @@ -37,7 +33,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, agenix, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let + outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let lib = import ./lib inputs; helper = lib.flake-helper; in { @@ -115,8 +111,6 @@ overlays = [ self.overlays.clerie (_: _: { - inherit (agenix.packages.${system}) - agenix; inherit (chaosevents.packages.${system}) chaosevents; inherit (ssh-to-age.packages.${system}) @@ -136,9 +130,7 @@ chromium-incognito iot-data nix-remove-result-links - nixfiles-add-secret nixfiles-auto-install - nixfiles-generate-backup-secrets nixfiles-generate-config nixfiles-update-ssh-host-keys print-afra 
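Review bot: `nixfiles-generate-backup-secrets` is removed from the package list in the last flake.nix hunk (and from `pkgs/overlay.nix` further down), but the diffstat does not delete `pkgs/nixfiles/nixfiles-generate-backup-secrets.nix`, so that source stays in the tree with nothing referencing it — unlike `nixfiles-add-secret.nix`/`.sh`, which this commit does remove. If the generator is still useful with sops as the only backend, dropping it from the overlay looks accidental; otherwise its sources should go in the same change so the repository does not keep an unreachable secrets helper. The enclosing packages attrset starts outside the hunk.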
diff --git a/lib/flake-helper.nix b/lib/flake-helper.nix index e852414..1778c7b 100644 --- a/lib/flake-helper.nix +++ b/lib/flake-helper.nix @@ -1,4 +1,4 @@ -{ self, nixpkgs, agenix, bij, chaosevents, fernglas, fieldpoc, nixos-exporter, solid-xmpp-alarm, sops-nix, ... }@inputs: +{ self, nixpkgs, bij, chaosevents, fernglas, fieldpoc, nixos-exporter, solid-xmpp-alarm, sops-nix, ... }@inputs: rec { generateNixosSystem = { @@ -28,8 +28,6 @@ rec { nixpkgs.overlays = [ self.overlays.clerie (_: _: { - inherit (agenix.packages."x86_64-linux") - agenix; inherit (bij.packages."${system}") bij; inherit (chaosevents.packages."x86_64-linux") @@ -38,21 +36,12 @@ rec { ]; clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; }; }) - agenix.nixosModules.default fernglas.nixosModules.default fieldpoc.nixosModules.default nixos-exporter.nixosModules.default solid-xmpp-alarm.nixosModules.solid-xmpp-alarm sops-nix.nixosModules.sops (../hosts + "/${name}/configuration.nix") - # Automatically load secrets from the hosts secrets directory - ({ lib, ... }: let - secretsPath = ../hosts + "/${name}/secrets"; - in { - age.secrets = lib.mapAttrs' (filename: _: lib.nameValuePair (lib.removeSuffix ".age" filename) { - file = secretsPath + "/$(unknown)"; - }) (lib.filterAttrs (name: type: (type == "regular") && (lib.hasSuffix ".age" name) ) (if builtins.pathExists secretsPath then builtins.readDir secretsPath else {})); - }) # Automatically load secrets from sops file for host ({ config, lib, ... }: { sops.defaultSopsFile = ../hosts + "/${name}/secrets.json"; diff --git a/modules/backup/default.nix b/modules/backup/default.nix index 6db5467..e63198a 100644 --- a/modules/backup/default.nix +++ b/modules/backup/default.nix 
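Review bot: With the age auto-loader dropped from the module list in the third hunk, nothing in this commit removes the encrypted `hosts/<name>/secrets/*.age` files it used to pick up — the diffstat lists no deletions under `hosts/` — so if any such files still exist they remain in the tree with no consumer and, after `secrets.nix` is deleted, no record of which keys they were encrypted for. Consider deleting them in the same change, and since the sops loader is now the only remaining secrets source, the comment above it could say so explicitly, e.g. `# sops is the only secrets backend: per-host secrets are read from hosts/<name>/secrets.json`. The module list belongs to `generateNixosSystem`, which starts and ends outside the hunk.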
@@ -23,12 +23,10 @@ let backupServiceUnits = listToAttrs (map ({jobName, jobOptions, targetName, targetOptions}: let jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else - if builtins.elem "clerie-backup-job-${jobName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-job-${jobName}".path else - config.age.secrets."clerie-backup-job-${jobName}".path; + config.sops.secrets."clerie-backup-job-${jobName}".path; repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath; targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else - if builtins.elem "clerie-backup-target-${targetName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-target-${targetName}".path else - config.age.secrets."clerie-backup-target-${targetName}".path; + config.sops.secrets."clerie-backup-target-${targetName}".path; targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username; in nameValuePair "clerie-backup-${jobName}-${targetName}" { 
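Review bot: `jobPasswordFile` and `targetPasswordFile` now index `config.sops.secrets` unconditionally, so a job or target without a declared sops secret fails evaluation with a generic missing-attribute error where the old chain at least named the fallback; an assertion carrying the expected secret name would make the misconfiguration obvious. The same four lines are repeated verbatim in the `backupCommands` hunk that follows, and `modules/monitoring` and `modules/wg-clerie` make the equivalent sops-only change for `privateKeyFile`; a small helper such as `passwordFileFor = kind: name: file: if file != null then file else config.sops.secrets."clerie-backup-${kind}-${name}".path;` used in both backup `let` blocks would keep the two copies from drifting. Both `let` bodies start outside their hunks.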
@@ -73,12 +71,10 @@ let backupCommands = map ({jobName, jobOptions, targetName, targetOptions}: let jobPasswordFile = if jobOptions.passwordFile != null then jobOptions.passwordFile else - if builtins.elem "clerie-backup-job-${jobName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-job-${jobName}".path else - config.age.secrets."clerie-backup-job-${jobName}".path; + config.sops.secrets."clerie-backup-job-${jobName}".path; repoPath = if jobOptions.repoPath == null then "/${config.networking.hostName}/${jobName}" else jobOptions.repoPath; targetPasswordFile = if targetOptions.passwordFile != null then targetOptions.passwordFile else - if builtins.elem "clerie-backup-target-${targetName}" (attrNames config.sops.secrets) then config.sops.secrets."clerie-backup-target-${targetName}".path else - config.age.secrets."clerie-backup-target-${targetName}".path; + config.sops.secrets."clerie-backup-target-${targetName}".path; targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username; in pkgs.writeShellApplication { name = "clerie-backup-${jobName}-${targetName}"; diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix index 831560f..e543a5a 100644 --- a/modules/monitoring/default.nix +++ b/modules/monitoring/default.nix @@ -55,8 +55,7 @@ in } ]; privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else - if builtins.elem "wg-monitoring" (attrNames config.sops.secrets) then config.sops.secrets.wg-monitoring.path else - config.age.secrets.wg-monitoring.path; + config.sops.secrets.wg-monitoring.path; }; }; diff --git a/modules/wg-clerie/default.nix b/modules/wg-clerie/default.nix index aa690ad..234bddc 100644 --- a/modules/wg-clerie/default.nix +++ b/modules/wg-clerie/default.nix 
@@ -66,8 +66,7 @@ in networking.wireguard.interfaces = { wg-clerie = { privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else - if builtins.elem "wg-clerie" (attrNames config.sops.secrets) then config.sops.secrets.wg-clerie.path else - config.age.secrets.wg-clerie.path; + config.sops.secrets.wg-clerie.path; ips = cfg.ipv6s ++ cfg.ipv4s; table = "wg-clerie"; peers = [ diff --git a/modules/wireguard-initrd/default.nix b/modules/wireguard-initrd/default.nix index 628b640..24acd5a 100644 --- a/modules/wireguard-initrd/default.nix +++ b/modules/wireguard-initrd/default.nix @@ -98,7 +98,7 @@ in ''; boot.initrd.secrets = { - "/var/src/secrets/wireguard/wg-initrd" = if cfg.privateKeyFile == null then config.age.secrets.wg-clerie.path else cfg.privateKeyFile; + "/var/src/secrets/wireguard/wg-initrd" = cfg.privateKeyFile; }; }; } diff --git a/pkgs/nixfiles/nixfiles-add-secret.nix b/pkgs/nixfiles/nixfiles-add-secret.nix deleted file mode 100644 index 05cc0e5..0000000 --- a/pkgs/nixfiles/nixfiles-add-secret.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeShellApplication { - name = "nixfiles-add-secret"; - text = builtins.readFile ./nixfiles-add-secret.sh; - runtimeInputs = with pkgs; [ - agenix - git - ]; -} - diff --git a/pkgs/nixfiles/nixfiles-add-secret.sh b/pkgs/nixfiles/nixfiles-add-secret.sh deleted file mode 100755 index e6345e0..0000000 --- a/pkgs/nixfiles/nixfiles-add-secret.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -cd "$(git rev-parse --show-toplevel)" - -host="$1" -secret="$2" - -mkdir -p "hosts/${host}/secrets" - -agenix -e "hosts/${host}/secrets/new" - -mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/${secret}.age" - diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix index d0e44da..4f53201 100644 --- a/pkgs/overlay.nix +++ b/pkgs/overlay.nix 
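Review bot: In the wireguard-initrd hunk, `"/var/src/secrets/wireguard/wg-initrd" = cfg.privateKeyFile;` keeps no fallback at all, so a host that leaves `privateKeyFile` unset (the removed branch compared it against `null`) now passes `null` straight into `boot.initrd.secrets`; depending on how that option treats a `null` value, the mistake surfaces late as a confusing evaluation or initrd-build error rather than at this module. The other modules in this commit fall back to `config.sops.secrets`, and this one does not — presumably because the sops-decrypted path is not usable when the initrd is built, though that is not visible here. Failing fast is cheap: `assertions = [ { assertion = cfg.privateKeyFile != null; message = "wireguard-initrd: privateKeyFile must be set"; } ];` next to the `boot.initrd.secrets` attribute. The enclosing config attrset starts outside the hunk.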
@@ -9,9 +9,7 @@ final: prev: { chromium-incognito = final.callPackage ./chromium-incognito {}; iot-data = final.python3.pkgs.callPackage ./iot-data {}; nix-remove-result-links = final.callPackage ./nix-remove-result-links {}; - nixfiles-add-secret = final.callPackage ./nixfiles/nixfiles-add-secret.nix {}; nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {}; - nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {}; nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {}; nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {}; print-afra = final.callPackage ./print-afra {}; diff --git a/secrets.nix b/secrets.nix deleted file mode 100644 index a504883..0000000 --- a/secrets.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -/* - Because I'm way too lazy I'm automatically generating the secret files config. - Secrets can be found below - hosts/${hostname}/secrets/*.age - - Pubkeys can be found for the specific host below - hosts/${hostname}/ssh.pub - The users have their keys below - users/${username}/ssh.pub - - Secrets get encrypted for the host they are in and the users specified. - - Every host with a secrets directory has an entry for a secret called "new". - This exist to overcome the chicken and egg problem. - Create a secret with them name new in the specific secrets directory and rename it afterwards with the suffix .age. -*/ - -let - /* - Returns an attrset for a given directory, - having the name of a subdirectory as its attribute names - and the contents of the containing ssh.pub file as their value - - { - clerie = "ssh-ed25519 AAAA..."; - } - */ - pubkeysFor = directory: let - instances = builtins.attrNames (builtins.readDir directory); - instancesWithPubkey = builtins.filter (i: builtins.pathExists (directory + "/${i}/ssh.pub")) instances; - in - builtins.listToAttrs (map (i: { name = i; value = builtins.readFile (directory + "/${i}/ssh.pub"); }) instancesWithPubkey); - - users = pubkeysFor ./users; - hosts = pubkeysFor ./hosts; - - /* - Returns secret configuration for a given hostname - */ - secretsForHost = hostname: let - /* - Returns a list of all file names in the secrets directory of the specified host - */ - secretsFiles = builtins.attrNames (builtins.readDir (./hosts + "/${hostname}/secrets")); - - /* - Returns all file names that end with .age - */ - listOfSecrets = builtins.filter (i: - # Make sure the file name is longer than the file extension - (builtins.stringLength i) > 4 - # Take the last four letters of the file name and check if it is .age - && builtins.substring ((builtins.stringLength i) - 4) (builtins.stringLength i) i == ".age" - ) secretsFiles; - - in - if - # Make sure the host has a secrets directory - builtins.pathExists 
(./hosts + "/${hostname}/secrets") - # Make sure the host has a public ssh key provided - && builtins.pathExists (./hosts + "/${hostname}/ssh.pub") - then - /* - This map specifies all public keys for which a given secret file should be encrypted - It returns a list of name value pairs - The name is the path to the secret file - The value is an attribute set containing a list of public keys as a string - */ - map - (secret: { - name = "hosts/${hostname}/secrets/${secret}"; - value = { - publicKeys = [ - # Hardcode clerie's public key here - (builtins.readFile (./users + "/clerie/ssh.pub")) - # No other user should have access to any secrets - - # A host should only have access to their own secrets - hosts."${hostname}" - ]; - }; - }) - # All file names of already existing secrets plus the magic "new" secret - (listOfSecrets ++ [ "new" ]) - else - # Answer with an empty list, if no secrets are provided for a host - []; -in - # We just have a list of name value pairs that need to get transformed into an attribute set - builtins.listToAttrs ( - builtins.concatMap - # Provide a list of secrets for a given hostname - (hostname: secretsForHost hostname) - # Names of all hosts - (builtins.attrNames (builtins.readDir ./hosts)) - )