author | ene <ene@sils.li> | 2023-02-18 22:07:50 +0100 |
---|---|---|
committer | ene <ene@sils.li> | 2023-02-18 22:07:50 +0100 |
commit | 950b02ea003d377ed7bbdb1ce6a8963fd4229068 (patch) | |
tree | 16e4249731109f8d5020b4fe5be3a677d88664df /flake.nix | |
parent | Feat(home-manager): Add local packages (diff) | |
Feat: Add encryption through agenix
There are other alternatives:

* [This blog post about NixOs secret encryption](https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20)
* Directly to agenix:
  * A [rewrite in rust](https://github.com/yaxitech/ragenix)
  * A dead (?) [rewrite in rust](https://github.com/cole-h/agenix-cli)
* An implementation of Sops for nix: [Sops-nix](https://github.com/Mic92/sops-nix)
* See the [NixOs wiki entry](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes) for further options.

Reasons for agenix: I mostly just ruled other options out, until this was the only real thing:

* The blog post was created in a time where tools like agenix were not available, and it (very simplified) just shows how to implement a basic version of agenix.
* The rewrites are both in themselves interesting, but lack community support; this is however subject to change, and thus a migration to a rewrite might be feasible in the future.
* Sops seems like a really nice thing, with support for nearly all relevant encryption options, but the documentation for sops-nix seems rather lackluster to me, so I decided to stay with agenix, especially because I should not need the extra encryption options.
* And lastly, most of the options on the wiki page need excessive manual intervention on every reboot (maybe because they were written with servers in mind), but I would like to be able to deploy once and then never have to think about secret management.

So you see, I mostly just used what seemed to be the easiest for my situation right now, and agenix works rather well. If there weren't one big downside, I would really like it: Encrypting a file with age — which is what agenix uses under the hood — requires a key, which in the case of agenix is the public ssh key. Being asymmetric encryption, the decryption requires the private key, which is in my case stored in an ssh-agent, fed directly from KeepassXC.

And this is where the problem lives: I want to be able to decrypt the secrets (obviously), and this only works if I copy the private key to a file, which, whilst being a manual process, completely breaks the point behind using an ssh-agent with KeepassXC integration in the first place. There are however open issues on both the rage and agenix issue trackers, so the hope of fixing this is still there.
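The mechanism the commit message describes (age recipients are SSH public keys, the host decrypts at activation with its own private key) needs two pieces beyond the `agenix.nixosModules.default` import in this flake: a `secrets.nix` that the `agenix` CLI reads, and `age.*` options in the NixOS config. The following is an added example and not code from this repository. It assumes a `secrets/` directory next to `flake.nix`, an ed25519 host key at `/etc/ssh/ssh_host_ed25519_key`, a secret named `user-password` consumed by a user account, and constructed placeholder public keys; none of those names or paths appear in the commit.

```nix
# Added example, not part of the nixos-config repository.
#
# Piece 1: secrets/secrets.nix, read only by the `agenix` CLI (NixOS never
# imports it). Shown here as a comment so the whole example is one file:
#
#   let
#     # constructed placeholder recipients; real entries are full SSH public keys
#     ene    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERUSERKEY ene@laptop";
#     tiamat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERHOSTKEY root@Tiamat";
#   in {
#     # Encrypt to both the user key (so the file can be edited on a workstation)
#     # and the host key (so Tiamat can decrypt it at activation).
#     "user-password.age".publicKeys = [ ene tiamat ];
#   }
#
#   cd secrets && agenix -e user-password.age      # create/edit, encrypted to the list above
#   agenix -r                                      # re-encrypt all files after recipients change
#   agenix -e user-password.age -i ~/.ssh/id_ed25519
#   # `-i` needs a private key *file*; an ssh-agent-only key cannot be used,
#   # which is exactly the gap the commit message complains about.
#
# Piece 2: a NixOS module, e.g. imported from hosts/desktop/configuration.nix
# (assumed location; the agenix options below only exist because
# agenix.nixosModules.default is in `modules`).
{ config, ... }:
{
  # Private keys tried, in order, to decrypt every declared secret at activation.
  # Listing the ed25519 host key explicitly avoids silently relying on whatever
  # other host keys sshd happens to generate.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.user-password = {
    # Ciphertext lives in the repo (and therefore in the Nix store); that is fine,
    # it is encrypted. Path is relative to this module file, assumed layout.
    file = ../../secrets/user-password.age;
    # The plaintext is written at activation to a tmpfs under /run/agenix,
    # never into /nix/store, with these permissions.
    owner = "root";
    group = "root";
    mode = "0400";
  };

  # Consumers reference the decrypted path (default /run/agenix/<name>),
  # not the .age file. Hypothetical consumer: the login password hash for the
  # user `ene`, which only makes sense with immutable users.
  users.mutableUsers = false;
  users.users.ene.passwordFile = config.age.secrets.user-password.path;
}
```

The point to check after deploying is that `/run/agenix/user-password` exists with mode 0400 and that `/nix/store` contains only the `.age` ciphertext; if `age.identityPaths` does not list a key that is among the file's recipients, activation logs a decryption failure for that secret rather than failing the whole switch.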
Diffstat (limited to 'flake.nix')
-rw-r--r-- | flake.nix | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/flake.nix b/flake.nix index 9c602019..58821993 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,17 @@ description = "Nixos system config"; inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + home-manager = { + url = "github:nix-community/home-manager/master"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + neovim_config = { url = "git+https://codeberg.org/ene/neovim-config.git"; flake = false; @@ -13,12 +24,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - home-manager = { - url = "github:nix-community/home-manager/master"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - user_js = { url = "github:arkenfox/user.js"; flake = false; @@ -37,6 +42,7 @@ strip_js_comments, user_js, impermanence, + agenix, ... } @ inputs: { nixosConfigurations.Tiamat = nixpkgs.lib.nixosSystem rec { @@ -44,6 +50,7 @@ specialArgs = inputs; modules = [ ./hosts/desktop/configuration.nix + agenix.nixosModules.default home-manager.nixosModules.home-manager { |
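Review bot: in the first hunk (`@@ -3,6 +3,17 @@`) the new `agenix` input is declared as `url = "github:ryantm/agenix"` with no `ref` or `rev`, tracking the default branch. That matches the style of the other inputs and `flake.lock` pins the resolved revision, but this input supplies the module that decides how secrets are decrypted at activation, so pinning a tag or commit would keep a routine `nix flake update` from silently changing that behaviour. The `inputs.nixpkgs.follows = "nixpkgs";` line is correct and consistent with the home-manager entry.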
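Review bot: the second hunk (`@@ -13,12 +24,6 @@`) only deletes the `nixpkgs.url` and `home-manager = { ... }` declarations that the first hunk re-adds verbatim at the top of `inputs`. Since `inputs` is an attribute set, the reorder has no effect and leaves `flake.lock` untouched, so it is safe, but it is unrelated to the commit's subject ("Add encryption through agenix"); either split it out or mention the move in the commit message so a later bisect does not have to re-derive that it is cosmetic.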
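Review bot: the last hunk (`@@ -44,6 +50,7 @@`) adds `agenix.nixosModules.default` to `modules`, but nowhere in this diff is an `age.secrets.<name>.file` or `age.identityPaths` declared, so after this commit the module is loaded and no secret is decrypted; if the secret declarations arrive in a follow-up commit, reference it from the message. Note also that the module does not install the `agenix` CLI, so editing `.age` files on Tiamat still needs `agenix.packages.${system}.default` (or the equivalent) added to `environment.systemPackages` or a dev shell.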