Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

home-manager: create a prototype module for user secret decryption #58

Closed
wants to merge 3 commits into from
Closed

home-manager: create a prototype module for user secret decryption #58

wants to merge 3 commits into from

Conversation

RaitoBezarius
Copy link

@RaitoBezarius RaitoBezarius commented Sep 12, 2021
edited

This is a prototype module for user decryption with home-manager.

Some stuff might not be absolutely in line with the quality standards of the project, e.g.

  • directories creation might be a bit broken ;
  • sshKeyPaths stuff should handled better (accept [] and let rage find out the proper key?)
  • reuse of passphrase is not implemented (are SSH agents working? it seems like not)
  • cleanup of rootSecret code? does root secrets still make sense in a user context?

cc #50

I can confirm this code provides me with HM-integration of agenix, as seen on https://github.com/RaitoBezarius/nixos-home

@ryantm
Copy link
Owner

ryantm commented Sep 13, 2021

reuse of passphrase is not implemented (are SSH agents working? it seems like not)

This is also a problem with the existing agenix bash script for managing secrets.

@RaitoBezarius
Copy link
Author

reuse of passphrase is not implemented (are SSH agents working? it seems like not)

This is also a problem with the existing agenix bash script for managing secrets.

Indeed, maybe, the solution could be shared and provide a flag to help reuse passwords if this is wanted at all.

@ambroisie
Copy link
Contributor

Is there any use-case for changing the owner of a file to someone other than $USER in a home-manager context?

At the very least, I do not see any point in separating the secrets according to which is root-owned or not. This is only relevant in the NixOS case where one needs users to actually exist on the system before trying to chown files to their ownership.

@RaitoBezarius
Copy link
Author

Is there any use-case for changing the owner of a file to someone other than $USER in a home-manager context?

Really, I don't know, but I know I do not have this usecase indeed.

At the very least, I do not see any point in separating the secrets according to which is root-owned or not. This is only relevant in the NixOS case where one needs users to actually exist on the system before trying to chown files to their ownership.

+1

@ambroisie
Copy link
Contributor

@ryantm @RaitoBezarius what is needed to merge this PR?

I assume we need to address:

  • rootSecret special handling: this is probably unnecessary.
  • owner/group handling in general: I don't think it is necessary for the kind of configuration that one does using home-manager. If it is deemed useful by some users it can be added back in.
  • sshKeyPaths automatic discovery: this is a feature that would be useful for both NixOS and home-manager, and would probably be more fit for another feature branch.
  • testing directory creation: in general, we should probably add a NixOS test to ensure that functionality is not broken.

@RaitoBezarius
Copy link
Author

RaitoBezarius commented Oct 10, 2021
edited

@ryantm @RaitoBezarius what is needed to merge this PR?

I assume we need to address:

  • rootSecret special handling: this is probably unnecessary.
  • owner/group handling in general: I don't think it is necessary for the kind of configuration that one does using home-manager. If it is deemed useful by some users it can be added back in.

I can do those in the next minutes easily. (EDIT: done.)

  • sshKeyPaths automatic discovery: this is a feature that would be useful for both NixOS and home-manager, and would probably be more fit for another feature branch.

I would prefer to let someone else do it, and I do not think this is a critical feature for this PR.

  • testing directory creation: in general, we should probably add a NixOS test to ensure that functionality is not broken.

Indeed.

What is left is:

  • ensure this work across reboots — once you reboot, there is no mechanism to restore the secrets AFAIK. (critical)
  • reuse of passphrases or passphrase caching, otherwise, rebuilding will become annoyingly painful. (important)

For now, I have moved to a system home-manager, so I disabled my version of this module, I will get back to it soon to rework it a bit, notably to address the last two points.

@ambroisie
Copy link
Contributor

reuse of passphrases or passphrase caching, otherwise, rebuilding will become annoyingly painful. (important)

This is also a problem for the NixOS module, I think it is out of scope for this PR

@RaitoBezarius
Copy link
Author

reuse of passphrases or passphrase caching, otherwise, rebuilding will become annoyingly painful. (important)

This is also a problem for the NixOS module, I think it is out of scope for this PR

Sure.

@Gerschtli
Copy link

Hey, quick question: What is the state of this PR? I'd love to see support for home-manager for agenix. :)

@RaitoBezarius
Copy link
Author

Hey, quick question: What is the state of this PR? I'd love to see support for home-manager for agenix. :)

That's a prototype which worked more or less fine for me, except the painful process where you retype all your passwords when you're iterating on your own configuration, quite quickly. So I'd be looking for something that's able to reuse passwords, for this, I'd look for the plugin API of (r)age to add some kernel keyring support and reuse it here.

@Pacman99 Pacman99 mentioned this pull request Jan 3, 2022
Closed
@gabysbrain gabysbrain mentioned this pull request Jan 4, 2022
Closed
montchr added a commit to montchr/dotfield that referenced this pull request Mar 15, 2022
@montchr
feat(secrets): add an agenix hm module
f8af3a3 
via ryantm/agenix#58
@ambroisie
Copy link
Contributor

Is it possible to get this merged, and improve it later @RaitoBezarius @ryantm? I feel like the password-reuse issue is cross-cutting (it's useful for re-keying secrets, etc...) but not quite solvable at the moment. However having this module merged avoids having to copy-paste it and keep up with potential updates in the future.

@ratsclub
Copy link

ratsclub commented Apr 13, 2022
edited

@ambroisie Ryan tagged it as a merge conflict so I assume that we are only a rebase away from this to get merged 😄

@ryantm
Copy link
Owner

ryantm commented Apr 13, 2022

@ratsclub 😄, probably not! I looked into the whole home-manager situation with @Kranzes kind of recently and it seems like some home-manager work needs to happen. One problem I remember is that home-manager doesn't run its activation scripts when a user logs in, so I'm pretty sure the way this PR defaults to decrypting the secrets to a temp directory (/run) isn't going to be very user friendly.

@Kranzes
Copy link

Kranzes commented Apr 13, 2022

From my testing it does run activation script on login, the issue is that /run/users/$UID does not yet get created by the time it needs to to decrypt the keys there.

@ambroisie
Copy link
Contributor

Can we just mkdir -p or use a systemd files directive for this issue?

@ryantm
Copy link
Owner

ryantm commented Apr 14, 2022
edited

From my testing it does run activation script on login

I use home-manager standalone (not incorporated as a NixOS module) and I added

{
  home.activation.test = lib.hm.dag.entryAfter ["writeBoundary"] ''
    $DRY_RUN_CMD touch ~/test-home-manager.txt
  '';
}

which created the file when I ran home-manager switch. Then I deleted that file and restarted my computer. When I logged back in the file was still gone.

@Kranzes
Copy link

Kranzes commented Apr 14, 2022
edited

Hmm so I guess it only works as a nixos module. Maybe there's a way to add that functionality to standalone home-manager. We will have to ask @rycee for that.

@ambroisie
Copy link
Contributor

Instead of using home.activation, we could define a systemd service which gets started when the user logs in (so wanted by default.target I think?).

It still wouldn't work on MacOS, but at least it would work on stand-alone home-manager on Linux.

@RaitoBezarius RaitoBezarius marked this pull request as draft April 16, 2022 14:07
@RaitoBezarius
Copy link
Author

FWIW, I put the PR into a draft as it has too much diverged from a WIP which could be used, feel free to close it / re-open a new one on the top of it (or if anyone wants commit bits, no problem) :).

To be honest, user secret decryption is useful for me only if we do solve the issue of multiple passphrases, as I have a lot of synchronized machines and typing 5+ passphrases is annoying to rebuild. So I will only revisit this once (r)age gets agent support which I'm looking in.

@ambroisie ambroisie mentioned this pull request Feb 21, 2023
Closed
@ambroisie ambroisie mentioned this pull request Apr 22, 2023
Merged
n8henrie pushed a commit to n8henrie/agenix that referenced this pull request May 5, 2023
@ambroisie @n8henrie
Add home-manager module
af5adeb 
This is to update and fix the issues I saw in [1] and [2].

Using a service definition instead of an activation script should
resolve the issue about the secrets disappearing after rebooting.

Removed the `user` and `group` option as they do not make sense to me
for a home-manager module, which should target a single user. They can
always be added back if somebody comes screaming.

This is somewhat modeled after sops-nix's own module [3].

[1]: ryantm#58
[2]: ryantm#109
[3]: https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
@ryantm ryantm closed this May 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
merge conflict
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@RaitoBezarius @ryantm @ambroisie @Gerschtli @ratsclub @Kranzes