feat: rekey with host ssh keys

no more error at boot concerning identities
mrnossiom · Jan 11, 2024 · 37dfa2f · 37dfa2f
1 parent 2925f10
commit 37dfa2f
Show file tree

Hide file tree

Showing 17 changed files with 71 additions and 58 deletions.
diff --git a/home-manager/modules/git.nix b/home-manager/modules/git.nix
@@ -68,7 +68,7 @@ with lib;
 
       hooks = {
         git-guardian = pkgs.writeShellScript "git-guardian" ''
-          export GITGUARDIAN_API_KEY="$(cat ${config.age.secrets.gitguardian-api-key.path})"
+          export GITGUARDIAN_API_KEY="$(cat ${config.age.secrets.api-gitguardian.path})"
           ${getExe' pkgs.ggshield "ggshield"} secret scan pre-commit "$@"
         '';
       };

diff --git a/home-manager/profiles/desktop.nix b/home-manager/profiles/desktop.nix
@@ -17,9 +17,8 @@ let
 in
 {
   imports = [
-    # Agenix secrets manager
     agenix.homeManagerModules.default
-    { home.packages = [ agenix.packages.${pkgs.system}.default ]; }
+    ../../secrets
 
     # Setup `comma`, which allow to easily run command that are not present on the system
     nix-index-database.hmModules.nix-index
@@ -28,8 +27,6 @@ in
     nix-colors.homeManagerModules.default
     { colorScheme = nix-colors.colorSchemes.onedark; }
 
-    ../../secrets
-
     ../modules/vm
     ../modules/git.nix
     ../modules/shell.nix

diff --git a/nixos/modules/agenix.nix b/nixos/modules/agenix.nix
@@ -8,6 +8,12 @@ let
 in
 {
   imports = [ agenix.nixosModules.default ../../secrets ];
-  config.age.identityPaths = [ "/home/${config.local.user.username}/.ssh/id_ed25519" ];
+
+  config = {
+    # By default, agenix uses host machine keys
+    # It is better than user ones since they are not always available at boot
+    # (e.g btrfs with luks doesn't load home partition right away)
+    # age.identityPaths = [ ];
+  };
 }
 
diff --git a/nixos/modules/backup.nix b/nixos/modules/backup.nix
@@ -7,7 +7,8 @@
 with lib;
 
 let
-  inherit (config.age.secrets) restic-backup-pass googledrive-rclone-config;
+  inherit (config.age) secrets;
+
   hostname = config.networking.hostName;
   mainUsername = config.local.user.username;
 in
@@ -17,8 +18,8 @@ in
     google-drive = {
       repository = "rclone:googledrive:/Backups/${hostname}";
       initialize = true;
-      passwordFile = restic-backup-pass.path;
-      rcloneConfigFile = googledrive-rclone-config.path;
+      passwordFile = secrets.backup-restic-key.path;
+      rcloneConfigFile = secrets.backup-rclone-googledrive.path;
 
       paths = [
         "/home/${mainUsername}/Documents"
@@ -62,7 +63,7 @@ in
     # Backup documents and large files
     archaic-bak = {
       initialize = true;
-      passwordFile = restic-backup-pass.path;
+      passwordFile = secrets.backup-restic-key.path;
       paths = [ "/home/${mainUsername}/Documents" ];
       # TODO
       repository = "/mnt/${mainUsername}/ArchaicBak/Backups/${hostname}";

diff --git a/secrets/api-digital-ocean.age b/secrets/api-digital-ocean.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 y5GeNA 33vafi0PmhCwUHKNue4r7RfsCGJmYwPgnlsUtRbwkXo
+LW50gb0s9pFX5FyLXGl7qST2id7rkMsh6M6tGfo10aY
+-> ssh-ed25519 eJgqzQ BsmbEMkCi/QPguOa50BtKrJLfX8cvI6gjKpArk5rX24
+l5Z+JoPZptpxcvhSjXQC+GnVkHgNXQhgtD7ucBFEJfE
+-> ssh-ed25519 SmMcWg wAx6TSL9hjxUw/G3cjaAMoRx1rmFh4pYO4JJMulmLHI
+NCbiUAHKW7MjdzOp1s32sSeSg/s3Siv9CGMkL6BlbCY
+--- AMfkQ1DvzGOVgsPWhRnZNFgRVqIfthrGhxdwhEIDc1o
+��K����mN���._��#�4l7��#B8L��{�V	�7���=��T`Ė�ԁ�ב�3^ͽd�M
+�"G�;n�H�1�r��}�(�<&d�gʲ�Mp?&J��
diff --git a/secrets/api-gitguardian.age b/secrets/api-gitguardian.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 y5GeNA HknIUMSgzCGUr8RnIVwmC91hqoZyxtnmCaZxFaCAlXg
+20IOXGaN5YoBW1q1Ks4V7/aJgMfGryzpl6EBqqgUhFQ
+-> ssh-ed25519 eJgqzQ EP5tkiPPqu1sGomh/IYOGmnBTmTN9BLAE4d2D+kPEUM
+vQN+xFZSDJF3z9kuokumQ/S3WO32Ee/LFVuEr40PI60
+-> ssh-ed25519 SmMcWg ZrMNiQ0tadTaVWEIxPHdQ0ZfFVZZCbngqudzrSlzJ2I
+sQdP6GxzTeOG9TCOqyJuk82GylBiX8zIQ0p/IUUjVes
+--- nLzwXeYGe5MLUOdvIDp+5y0Y6xqN3c5E0kz1Wb2dbtg
+I`$b~�S�l���P�yfVM���g�Eƻ}u6�87D�XA�z�D���2���Y�o[��]�e�����bL��A�"���2i�����b��c��!�����a

diff --git a/secrets/backup/rclone-googledrive.age b/secrets/backup/rclone-googledrive.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 y5GeNA df0ZphUMH6BCbV6Dl9B2dApBg2LLhA289i+OahjZ/nw
+Awi4XBhxNOWi0ZWYIN6aSCnHJPKyX3WjifY/XrQQMgI
+-> ssh-ed25519 eJgqzQ 1gVUja6CSYZ7s2LuukbuIe64MHNZDXNb9bqDpIzosns
+ATB5+hyeKTnsOJUljX1et8yVUhRQUNkZe8S++coCw1c
+-> ssh-ed25519 SmMcWg bLLDf0NausXQxUkhHyWSKRSYso/4VF0r2fMxeGpoBkg
+vPKMon6u8nlRzAEppJY/obzRWcW65bvJWXVmYekfB3g
+--- dAUWmWURzylzqIPbYRymCXFLPpMeRHtEMczmV1BT9ZU
+�w[����@=!	u
+�����AoZ���P�H>�sAh�CHP�*81�*UL�I-�O���$�r��lv��1z�ZEq���[	�tw,b��S�X<�v�H��2lY)w ӆ�P��e�C��`(*&���r��Og�GNQ\�U��,����c���̆ZB���HBCCϺ�3��f���=���>�%-	�{�K5$�R�%��󖒯	�@é���V�}���O����/�*&$3*�l����b�x��{4���#|�Z��F��9J�֛{P�S�7�!W�Vf�_}�>C�x�D��Z#�����d��W�$�����i
+�|Y�������JNOC��X��j�H�#\���Y�V2�t�N{ި�+�qn�b�fx�a.�
+Q��b�Ϲ�gK19.l�zK��`�8�m_���v2��7y$'T0��n̚��=�f�!�GY����#jǺC��M{�.z:��*8��q�3<c�R��P���!;�,'�+>����Ю�y�� �2�=f���U������fEX�׌��[xV�9p�;��k�B��(X�2����.�6�Iw'���k������Q,��A�oӴ#lqb2|��@KwP�)81�f���#Ts>����?m�ݝ�I�M�%aSjܸb�

diff --git a/secrets/backup/restic-key.age b/secrets/backup/restic-key.age
diff --git a/secrets/ca5e.pgp.age b/secrets/ca5e.pgp.age
diff --git a/secrets/default.nix b/secrets/default.nix
@@ -1,9 +1,12 @@
 { ... }: {
   age.secrets = {
-    ca5e-pgp.file = ./ca5e.pgp.age;
-    digital-ocean-api-key.file = ./digital-ocean.api.age;
-    gitguardian-api-key.file = ./gitguardian.api.age;
-    googledrive-rclone-config.file = ./googledrive.rclone.conf.age;
-    restic-backup-pass.file = ./restic-backup-pass.age;
+    pgp-ca5e.file = ./pgp-ca5e.age;
+    ssh-uxgi.file = ./ssh-uxgi.age;
+
+    api-digital-ocean.file = ./api-digital-ocean.age;
+    api-gitguardian.file = ./api-gitguardian.age;
+
+    backup-rclone-googledrive.file = ./backup/rclone-googledrive.age;
+    backup-restic-key.file = ./backup/restic-key.age;
   };
 }
diff --git a/secrets/digital-ocean.api.age b/secrets/digital-ocean.api.age
diff --git a/secrets/gitguardian.api.age b/secrets/gitguardian.api.age
diff --git a/secrets/googledrive.rclone.conf.age b/secrets/googledrive.rclone.conf.age
diff --git a/secrets/pgp-ca5e.age b/secrets/pgp-ca5e.age
diff --git a/secrets/restic-backup-pass.age b/secrets/restic-backup-pass.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -1,15 +1,24 @@
 let
-  archaic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLLJ+6UiJYTD0HhWwTBom5fmZ4RaCXAUgcGaXgfdG8S";
+  # Machine SSH key (/etc/ssh/ssh_host_ed25519_key.pub)
+  archaic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDuBHC0f7N0q1KRczJMoaBVdY0JFOtcpPy6WlYsoxUh";
+  neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR1/9o1HLnSRkXt3xxAM5So1YCCNdJpBN1leSu7giuR";
+  systems = [ archaic neo ];
 
-  # Password protected keys 
-  neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdt7atyPTOfaBIsgDYYb0DG1yid2u78abaCDji6Uxgi";
+  # User keys 
+  milomoisson = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdt7atyPTOfaBIsgDYYb0DG1yid2u78abaCDji6Uxgi";
+  users = [ milomoisson ];
 
-  systems = [ archaic neo ];
+  all = systems ++ users;
 in
 {
-  "ca5e.pgp.age".publicKeys = systems;
-  "digital-ocean.api.age".publicKeys = systems;
-  "gitguardian.api.age".publicKeys = systems;
-  "googledrive.rclone.conf.age".publicKeys = systems;
-  "restic-backup-pass.age".publicKeys = systems;
+  "pgp-ca5e.age".publicKeys = all;
+  "ssh-uxgi.age".publicKeys = all;
+
+  # API Keys
+  "api-digital-ocean.age".publicKeys = all;
+  "api-gitguardian.age".publicKeys = all;
+
+  # Backup
+  "backup/rclone-googledrive.age".publicKeys = all;
+  "backup/restic-key.age".publicKeys = all;
 }
diff --git a/secrets/ssh-uxgi.age b/secrets/ssh-uxgi.age