author    ene <ene@sils.li>  2023-02-18 22:07:50 +0100
committer ene <ene@sils.li>  2023-02-18 22:07:50 +0100
commit    950b02ea003d377ed7bbdb1ce6a8963fd4229068 (patch)
tree      16e4249731109f8d5020b4fe5be3a677d88664df /secrets/secrets.nix
parent    Feat(home-manager): Add local packages
Feat: Add encryption through agenix
There are other alternatives:
    * [This blog post about NixOs secret encryption](https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20)
    * Directly to agenix:
        * A [rewrite in rust](https://github.com/yaxitech/ragenix)
        * A dead (?) [rewrite in rust](https://github.com/cole-h/agenix-cli)
    * An implementation of Sops for nix: [Sops-nix](https://github.com/Mic92/sops-nix)
    * See the [NixOs wiki entry](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes) for further options.

Reasons for agenix:
I mostly just ruled other options out, until this was the only real
thing:
    * The blog post was created in a time where tools like agenix were
      not available, and it (very simplified) just shows how to
      implement a basic version of agenix.
    * The rewrites are both in themselves interesting, but lack community
      support; this is however subject to change, and thus a migration
      to a rewrite might be feasible in the future.
    * Sops seems like a really nice thing, with support for nearly all
      relevant encryption options, but the documentation for sops-nix
      seems rather lackluster to me, so I decided to stay with agenix,
      especially because I should not need the extra encryption
      options.
    * And lastly, most of the options on the wiki page need excessive
      manual intervention on every reboot (maybe because they were written
      with servers in mind), but I would like to be able to deploy once
      and then never have to think about secret management.

So you see, I mostly just used what seemed to be the easiest for my
situation right now, and agenix works rather well. If there weren't one
big downside, I would really like it: Encrypting a file with age — which
is what agenix uses under the hood — requires a key, which in the case
of agenix is the public ssh key. Being asymmetric encryption, the
decryption requires the private key, which is in my case stored in an
ssh-agent, fed directly from KeepassXC. And this is where the problem
lives: I want to be able to decrypt the secrets (obviously), and this
only works if I copy the private key to a file, which, whilst being a
manual process, completely breaks the point behind using an ssh-agent
with KeepassXC integration in the first place.
There are however open issues on both the rage and agenix issue
trackers, so the hope of fixing this is still there.
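The rule file this commit adds maps each secret to the list of public keys it is encrypted for, and leaves the host key as an empty string to be filled in later. The following is an added example, not the repository's own `secrets/secrets.nix`: it keeps the same agenix shape but guards the recipient list, so that an unfilled host key aborts evaluation instead of producing a secret the target host can never decrypt. The key strings are constructed placeholders.

```nix
# Added example of an agenix rule file with a recipient guard.
# Not the repository's own secrets.nix; keys below are placeholders.
let
  # Constructed placeholder public keys (illustration only).
  user1 = "ssh-ed25519 AAAA...placeholder-user-key...";
  # Host key of the machine that must decrypt the secret at activation.
  # Left empty here to show what the guard catches.
  system1 = "";

  recipients = [ user1 system1 ];
in
# `assert` aborts evaluation when the condition is false; `||` is lazy,
# so `throw` only fires on failure and supplies a readable message
# instead of handing an empty recipient string on to age.
assert builtins.all (k: k != "") recipients
  || throw "secrets.nix: every entry in publicKeys must be a non-empty ssh public key";
{
  "nheko".publicKeys = recipients;
}
```

Evaluating this file (for instance when running `agenix -e`) fails with the thrown message until `system1` holds the host's real public key; once it does, the expression reduces to the same attribute set the commit's version produces.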
Diffstat (limited to 'secrets/secrets.nix')
-rw-r--r--  secrets/secrets.nix  9
1 files changed, 9 insertions, 0 deletions
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 00000000..7540e74b
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+# vim: ts=2
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8QLS9IonN8Rhp1yZGDBWc0UoTLH6yQuXWKctorDZNy";
+
+  # TODO add the ssh-key of the targeted host
+  system1 = "";
+in {
+  "nheko".publicKeys = [user1 system1];
+}
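Review bot: `system1 = ""` is placed into `"nheko".publicKeys` while it is still empty (the `TODO` on the line above says the host key has not been added yet), so the secret is effectively encrypted only for `user1` at best, and the target host will not be able to decrypt it at activation. Either leave `system1` out of the list until the host key is filled in, or make the empty value a hard failure, e.g. `assert system1 != "";` before the attribute set, so the gap cannot be forgotten.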