Feat: Add encryption through agenix

There are other alternatives: * [This blog post about NixOs secret encryption](https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20) * Directly to agenix: * A [rewrite in rust](https://github.com/yaxitech/ragenix) * A dead (?) [rewrite in rust](https://github.com/cole-h/agenix-cli) * An implementation of Sops for nix: [Sops-nix](https://github.com/Mic92/sops-nix) * See the [NixOs wiki entry](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes) for further options. Reasons for agenix: I mostly just ruled other options out, until this was the only real thing: * The blog post was created in a time, where tools like agenix where not available, and it (very simplified) just shows, how to implement a basic version of agenix * The rewrite are both in itself interesting, but lack community support, this is however subject to change, and thus a migration to a rewrite might be feasible in the future. * Sops seems like a really nice thing, with support for nearly all relevant encryption options, but the documentation for sops-nix seems rather lack-luster for me, so I decided to stay with agenix, especially because I should not need the extra encryption options. * And lastly most of the option on the wiki page need excessive manual intervention on every reboot (maybe because the were written with servers in mind), but I would like to be able to deploy once and then never have to think about secret management. So you see, I mostly just used what seemed to be the easiest for my situation right now, and agenix works rather well. If there weren't one big downside, I would really like it: Encrypting a file with age — which is what agenix uses under the hood — requires a key, which in the case of agenix is the public ssh key. Being asymmetric encryption, the decryption requires the private key, which is in my case stored in an ssh-agent, feed directly from KeepassXC. And this is where the problem lives, I want to be able to decrypt the secrets (obviously), and this only works if I copy the private key to a file, which, whilst being a manual process, completely breaks the point behind using an ssh-agent with KeepassXC integration in the first place. There are however open Issues on both the rage an agenix issue trackers, so the hope of fixing this is still there.
author: ene <ene@sils.li> 2023-02-18 22:07:50 +0100
committer: ene <ene@sils.li> 2023-02-18 22:07:50 +0100
commit: 950b02ea003d377ed7bbdb1ce6a8963fd4229068 (patch)
tree: 16e4249731109f8d5020b4fe5be3a677d88664df
parent: Feat(home-manager): Add local packages (diff)
download: nixos-config-950b02ea003d377ed7bbdb1ce6a8963fd4229068.zip
4 files changed, 77 insertions, 6 deletions
diff --git a/flake.lock b/flake.lock
index 6da49c2f..dbe65c59 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1676599101,
+        "narHash": "sha256-CKS6UsOGhoNxGDBt9wyFiWHvtng/+BMAJ4G8ahhe1DE=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "de657061b13cf329c57a1a9730a5049a971b40b3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "crane": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -24,6 +45,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -141,6 +184,7 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
         "neovim_config": "neovim_config",
diff --git a/flake.nix b/flake.nix
index 9c602019..58821993 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,6 +3,17 @@
   description = "Nixos system config";
 
   inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    home-manager = {
+      url = "github:nix-community/home-manager/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     neovim_config = {
       url = "git+https://codeberg.org/ene/neovim-config.git";
       flake = false;
@@ -13,12 +24,6 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    home-manager = {
-      url = "github:nix-community/home-manager/master";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
     user_js = {
       url = "github:arkenfox/user.js";
       flake = false;
@@ -37,6 +42,7 @@
     strip_js_comments,
     user_js,
     impermanence,
+    agenix,
     ...
   } @ inputs: {
     nixosConfigurations.Tiamat = nixpkgs.lib.nixosSystem rec {
@@ -44,6 +50,7 @@
       specialArgs = inputs;
       modules = [
         ./hosts/desktop/configuration.nix
+        agenix.nixosModules.default
 
         home-manager.nixosModules.home-manager
         {
diff --git a/secrets/nheko b/secrets/nheko
new file mode 100644
index 00000000..bda46cb6
--- /dev/null
+++ b/secrets/nheko
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 iv0Cfg evi+poJEQEwkKUjKS1H79C2M9j4a1QtKVFShPdlQOB0
+FKSfqUvF2wG3otJ2rY38htOfsY9NQkjXu9LOiSklGZo
+-> ssh-ed25519 KLPP8w Sy4Dp+SKownQjB2o7xBZD1fkPcrFksBJUdrf+KYmlDQ
+r9IUP1vP0exnJMD/y/zeuQXmQBZ8LbJEltk8nL+jQRY
+-> }P,R5-grease T|\P8?C Ut7<F@3.
+B1oKq9WyQYHAVZC0DNM1w99po0jWheKx693EZsafU46YRf31ZBM/QZVuSHYq3AvZ
+TTOm2nd5MU5fxEPtzXRfA1MhvjLKO+TVooovpLIDbe7OTDbuP0OGNLLimr4EOCWv
+Zg
+--- gVsq7F0ECC4XLRUKFUzxv6Dr8nk25A9Ww1pUXSh9CUQ
+絪�X�	��M�0m'C�2³�?��{m�� �[3��:��F�x���t����	c}�)�|�%M�=�
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 00000000..7540e74b
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+# vim: ts=2
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8QLS9IonN8Rhp1yZGDBWc0UoTLH6yQuXWKctorDZNy";
+
+  # TODO add the ssh-key of the targeted host
+  system1 = "";
+in {
+  "nheko".publicKeys = [user1 system1];
+}
author	ene <ene@sils.li>	2023-02-18 22:07:50 +0100
committer	ene <ene@sils.li>	2023-02-18 22:07:50 +0100
commit	950b02ea003d377ed7bbdb1ce6a8963fd4229068 (patch)
tree	16e4249731109f8d5020b4fe5be3a677d88664df
parent	Feat(home-manager): Add local packages (diff)
download	nixos-config-950b02ea003d377ed7bbdb1ce6a8963fd4229068.zip