From 950b02ea003d377ed7bbdb1ce6a8963fd4229068 Mon Sep 17 00:00:00 2001 
From: ene
Date: Sat, 18 Feb 2023 22:07:50 +0100
Subject: Feat: Add encryption through agenix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are other alternatives:

* [This blog post about NixOs secret encryption](https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20)
* Directly to agenix:
  * A [rewrite in rust](https://github.com/yaxitech/ragenix)
  * A dead (?) [rewrite in rust](https://github.com/cole-h/agenix-cli)
* An implementation of Sops for nix: [Sops-nix](https://github.com/Mic92/sops-nix)
* See the [NixOs wiki entry](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes) for further options.

Reasons for agenix:

I mostly just ruled other options out, until this was the only real thing:

* The blog post was created in a time where tools like agenix were not available, and it (very simplified) just shows how to implement a basic version of agenix.
* The rewrites are both interesting in themselves, but lack community support; this is however subject to change, and thus a migration to a rewrite might be feasible in the future.
* Sops seems like a really nice thing, with support for nearly all relevant encryption options, but the documentation for sops-nix seems rather lackluster to me, so I decided to stay with agenix, especially because I should not need the extra encryption options.
* And lastly, most of the options on the wiki page need excessive manual intervention on every reboot (maybe because they were written with servers in mind), but I would like to be able to deploy once and then never have to think about secret management.

So you see, I mostly just used what seemed to be the easiest for my situation right now, and agenix works rather well. If there weren't one big downside, I would really like it:

Encrypting a file with age — which is what agenix uses under the hood — requires a key, which in the case of agenix is the public ssh key. Being asymmetric encryption, the decryption requires the private key, which in my case is stored in an ssh-agent, fed directly from KeepassXC. And this is where the problem lives: I want to be able to decrypt the secrets (obviously), and this only works if I copy the private key to a file, which, whilst being a manual process, completely breaks the point behind using an ssh-agent with KeepassXC integration in the first place. There are however open issues on both the rage and agenix issue trackers, so the hope of fixing this is still there.
---
 flake.lock | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

(limited to 'flake.lock')

diff --git a/flake.lock b/flake.lock index 6da49c2f..dbe65c59 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676599101, + "narHash": "sha256-CKS6UsOGhoNxGDBt9wyFiWHvtng/+BMAJ4G8ahhe1DE=", + "owner": "ryantm", + "repo": "agenix", + "rev": "de657061b13cf329c57a1a9730a5049a971b40b3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "crane": { "inputs": { "flake-compat": "flake-compat", @@ -24,6 +45,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -141,6 +184,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "home-manager": "home-manager", "impermanence": "impermanence", "neovim_config": "neovim_config",
-- cgit 1.4.1
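Review bot: the new agenix node (first hunk, `"darwin": "darwin"`) pulls nix-darwin into the lock even though nothing else in this lock suggests a macOS host; unless a nix-darwin configuration is planned, disable it in flake.nix with `inputs.agenix.inputs.darwin.follows = "";` so the lock does not carry an extra transitive dependency. The `"nixpkgs": [ "nixpkgs" ]` follow in the same hunk is right and avoids a second nixpkgs checkout.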
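Review bot: the darwin node's `original` (second hunk) tracks `"ref": "master"` of lnl7/nix-darwin rather than a tagged release; the `locked` rev and narHash pin it for this commit, but every `nix flake update` will move it to whatever master is at that moment, and neither the commit message nor the patch says why nix-darwin is needed. If the input is kept, document that it is only present as a transitive input of agenix so the next person updating the lock knows it is safe to drop.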
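Review bot: the root node gains `"agenix": "agenix"` (third hunk), but since this view is limited to flake.lock, nothing here shows the flake.nix input declaration, the module import, or any `age.secrets` definition that the subject "Add encryption through agenix" promises; if those changes live in another commit, reference it in the message, otherwise the lock update alone only adds to what `nix flake update` has to fetch.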
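The workflow the commit message describes (secrets encrypted to ssh public keys, decrypted at activation with a private key that has to live in a file) looks like the following when wired up. This is an added example, not code from this repository: the host name, user name, file names and the two public keys are placeholders (the keys are constructed and not real), the module attribute `agenix.nixosModules.age` is the export name as of early 2023, and disabling the darwin input with an empty `follows` is an assumption that the host is Linux-only.

```nix
# Added example, not part of the repository this commit belongs to.
# Three files are shown in one fence, separated by comment headers.

# ---- flake.nix (relevant parts) ----
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix = {
      url = "github:ryantm/agenix";
      # Reuse the root nixpkgs, as the lock file in this commit already does.
      inputs.nixpkgs.follows = "nixpkgs";
      # Assumption: Linux-only host, so the transitive nix-darwin input is
      # not needed and is dropped from the lock.
      inputs.darwin.follows = "";
    };
  };

  outputs = { self, nixpkgs, agenix, ... }: {
    nixosConfigurations.example-host = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        agenix.nixosModules.age   # module name as of early 2023 (assumption)
        ./configuration.nix
      ];
    };
  };
}

# ---- secrets/secrets.nix (rules the agenix CLI uses when (re)encrypting) ----
let
  # Public keys only. The matching private keys never enter the repository;
  # both values below are constructed placeholders, not valid keys.
  user = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleUserKeyPlaceholder0000000000";
  host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostKeyPlaceholder0000000000";
in
{
  # Encrypt to both recipients: the host so it can decrypt at boot, the user
  # so `agenix -e` can re-open the file for editing.
  "wifi-password.age".publicKeys = [ user host ];
}

# ---- configuration.nix ----
{ config, ... }:
{
  # Private keys agenix tries at activation. age needs the key material
  # itself, so this must be a file on disk; an ssh-agent cannot be used,
  # which is the limitation the commit message complains about.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.wifi-password = {
    file = ./secrets/wifi-password.age;   # ciphertext, safe to commit
    owner = "root";
    group = "root";
    mode = "0400";                         # decrypted file is root-only
  };

  # Consumers reference the decrypted path; the plaintext never appears
  # in the Nix store or the configuration.
  networking.wireless.environmentFile = config.age.secrets.wifi-password.path;
}
```

The secret is created or edited from the `secrets/` directory with `agenix -e wifi-password.age`, which reads `secrets.nix` to pick the recipients; `-i` selects the private key file to decrypt an existing `.age` with. Because decryption at activation reads `age.identityPaths`, the host key file has to be present before the secret is used, which matters on an impermanence setup where `/etc/ssh` must be persisted.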