From 4e08a53c335466ea51551b2c1c186b2d058dd417 Mon Sep 17 00:00:00 2001
From: alina sireneva
Date: Wed, 1 May 2024 04:59:31 +0300
Subject: [PATCH] feat: improved secrets management, support for build-time "unsafe" secrets

---
 agenix-edit | 34 ++++++++++++++++++++++++++---
 hosts/teidesu-osx/configuration.nix | 3 ++-
 lib/secrets-unsafe.nix | 20 +++++++++++++++++
 lib/secrets.nix | 1 +
 readme.md | 8 +++++--
 ssh/agenix-unsafe.pub | 1 +
 6 files changed, 61 insertions(+), 6 deletions(-)
 create mode 100644 lib/secrets-unsafe.nix
 create mode 100644 ssh/agenix-unsafe.pub

diff --git a/agenix-edit b/agenix-edit
index 6b36296..2eb5b87 100755
--- a/agenix-edit
+++ b/agenix-edit
@@ -2,10 +2,23 @@ set +euo pipefail
-name="$1"
+if [ "$1" == "--unsafe" ]; then
+ is_unsafe=true
+ shift
+else
+ is_unsafe=false
+fi
+name="$1"
 script_dir=$(dirname "$(readlink -f "$0")")
-public_key=$(cat "$script_dir/ssh/agenix.pub")
+
+if [ "$is_unsafe" == "true" ]; then
+ name="$name.UNSAFE"
+ public_key=$(cat "$script_dir/ssh/agenix-unsafe.pub")
+else
+ public_key=$(cat "$script_dir/ssh/agenix.pub")
+fi
+
 fullname="$script_dir/secrets/$name.age"
 if [ -z "$name" ]; then
@@ -28,4 +41,19 @@ echo '{"eofnewline": false}' > "$micro_config_dir/settings.json"
 export MICRO_CONFIG_HOME="$micro_config_dir"
 export EDITOR=micro
 export RULES="$tempfile"
-agenix -e "$fullname" --identity /etc/ssh/agenix_key
\ No newline at end of file
+
+if [ "$(uname)" == "Darwin" ]; then
+ if [ "$is_unsafe" == "true" ]; then
+ private_path="/Users/Shared/agenix-key-unsafe"
+ else
+ private_path="$HOME/.ssh/agenix-key"
+ fi
+else
+ if [ "$is_unsafe" == "true" ]; then
+ private_path="/etc/ssh/agenix-key-unsafe"
+ else
+ private_path="/etc/ssh/agenix-key"
+ fi
+fi
+
+agenix -e "$fullname" --identity "$private_path"
\ No newline at end of file
diff --git a/hosts/teidesu-osx/configuration.nix b/hosts/teidesu-osx/configuration.nix
index 260ae50..4950eb9 100644
--- a/hosts/teidesu-osx/configuration.nix
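Review bot: `name="$name.UNSAFE"` is applied before the existing `if [ -z "$name" ]; then` guard, so `agenix-edit --unsafe` with no secret name turns `name` into `.UNSAFE`, the guard never fires, and `fullname` becomes `secrets/.UNSAFE.age`. Check the raw argument before suffixing, e.g. `if [ -z "$1" ]; then` straight after the `shift`, or move the `name="$name.UNSAFE"` line below the guard. Separately, the context line `set +euo pipefail` switches errexit, nounset and pipefail off (the `+` form), so a missing `ssh/agenix-unsafe.pub` leaves `public_key` empty and the script carries on; that predates this change, but the new branch adds a second file that can be absent, so a `[ -r "$script_dir/ssh/agenix-unsafe.pub" ] || exit 1` style check, or `set -euo pipefail` if the `+` is a typo, would be worth it. The guard's body and the RULES handling are outside this hunk.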
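Review bot: The NixOS branch now passes `--identity "/etc/ssh/agenix-key"` (renamed from `agenix_key`) and the readme hunk renames the documented path the same way, but the only `age.identityPaths` change in this patch is the Darwin host's; if a NixOS host pins the old `/etc/ssh/agenix_key` name in a file outside this patch, or the key file has not been moved, `agenix-edit` and activation will disagree on where the key lives. A `# keep in sync with age.identityPaths in hosts/*` comment on the `private_path` assignments, or one shared definition, would make the coupling visible. On Darwin the unsafe key is read from `/Users/Shared/agenix-key-unsafe`, a directory that is shared between all local accounts on a default install; that is consistent with the readme's threat model for "unsafe" secrets, but a comment saying the location is deliberate (the same path is configured in hosts/teidesu-osx/configuration.nix and read at build time by lib/secrets-unsafe.nix) would stop a future reader from moving it into `~/.ssh`. The script's argument handling and the `fullname` computation sit in the previous hunk.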
+++ b/hosts/teidesu-osx/configuration.nix
@@ -29,7 +29,8 @@
 services.nix-daemon.enable = true;
 age.identityPaths = [
- "/Users/teidesu/.ssh/agenix_key"
+ "/Users/teidesu/.ssh/agenix-key"
+ "/Users/Shared/agenix-key-unsafe"
 ];
 security.pam.enableSudoTouchIdAuth = true;
diff --git a/lib/secrets-unsafe.nix b/lib/secrets-unsafe.nix
new file mode 100644
index 0000000..3367f23
--- /dev/null
+++ b/lib/secrets-unsafe.nix
@@ -0,0 +1,20 @@
+{ pkgs, config, ... }:
+
+{
+ readUnsafe = name: let
+ path = ../secrets + "/${name}.UNSAFE.age";
+ identityPath = builtins.elemAt (
+ builtins.filter (
+ x: (builtins.match ".*-unsafe$" x) != null
+ ) config.age.identityPaths
+ ) 0;
+ drv = builtins.derivation {
+ system = pkgs.system;
+ name = name;
+ src = path;
+ builder = pkgs.writeShellScript "read-${name}.sh" ''
+ ${pkgs.age}/bin/age --decrypt --identity ${identityPath} $src > $out
+ '';
+ };
+ in builtins.readFile drv;
+}
\ No newline at end of file
diff --git a/lib/secrets.nix b/lib/secrets.nix
index a9449e6..acbb1cf 100644
--- a/lib/secrets.nix
+++ b/lib/secrets.nix
@@ -16,6 +16,7 @@
 );
 };
+ file = config: name: config.age.secrets.${name}.path;
 mount = config: name:
diff --git a/readme.md b/readme.md
index 129c690..2e29dc0 100755
--- a/readme.md
+++ b/readme.md
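Review bot: `builtins.readFile drv` forces the `read-${name}.sh` derivation during evaluation and leaves the decrypted value as an ordinary, world-readable store path, and nothing in the `builtins.derivation` call stops that output from being uploaded to, or substituted from, a binary cache the host is configured with. The readme says that exposure is intended, so make it explicit: add `preferLocalBuild = true;` and `allowSubstitutes = false;` to the derivation with a comment stating the plaintext must stay on this machine. The builder also opens `${identityPath}` outside the store, which a sandboxed build cannot see unless the sandbox is off or the key is listed in `extra-sandbox-paths`; presumably the hosts are set up that way, but the module should say so in a comment. Lastly, `builtins.elemAt (...) 0` on an empty filter result fails with an index error that never mentions identities; a `throw` naming the missing `*-unsafe` entry is clearer, as below.
```nix
 readUnsafe = name: let
 # … unchanged: path …
 unsafeIdentities = builtins.filter (
 x: (builtins.match ".*-unsafe$" x) != null
 ) config.age.identityPaths;
 identityPath =
 if unsafeIdentities == [ ]
 then throw "readUnsafe ${name}: no *-unsafe entry in config.age.identityPaths"
 else builtins.head unsafeIdentities;
 drv = builtins.derivation {
 # … unchanged: system, name, src, builder …
 # the decrypted output is deliberately world-readable on this host, but must never
 # be fetched from or offered to a binary cache
 preferLocalBuild = true;
 allowSubstitutes = false;
 };
 in builtins.readFile drv;
```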
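Review bot: The new `file` helper carries no comment distinguishing it from the `mount` helper right below it or from `readUnsafe` in lib/secrets-unsafe.nix, and the two return very different things: `file` yields the path an activation-time secret is installed at, while `readUnsafe` yields the plaintext itself during evaluation. A one-line comment such as `# runtime path of a regular (activation-time) secret; build-time plaintext lives in secrets-unsafe.nix` would keep callers from mixing them up. The enclosing attribute set starts and ends outside this hunk.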
@@ -6,12 +6,16 @@ ok hi this is my nixos config. it is pretty much a mess and the code sucks but w
 note to self on what needs to be installed on the host manually:
 ### common
-- `/etc/ssh/agenix_key` (darwin: `~/.ssh/agenix_key`) - private key for secret decryption
+- `/etc/ssh/agenix-key` (darwin: `~/.ssh/agenix-key`) - private key for secret decryption
+- `/etc/ssh/agenix-key-unsafe` (darwin: `/Users/Shared/agenix-key-unsafe`) - private key for unsafe secret decryption
+
+> "unsafe" secrets are only secret to the "outside" world (i.e. the git repo), but are decrypted at build-time
+> and are available globally to the system. this is useful for things like server ips, since i don't want to
+> expose them to everyone, but they are not really secret in the sense that they are not sensitive data.
 ### koi:
 - ~~`/etc/iso/win11.iso` - iso containing windows 11 installer (e.g. this: [magnet](magnet:?xt=urn:btih:56197d53136ffcecbae5225f0ac761121eacdac6&dn=Win11_22H2_English_x64v1.iso&tr=udp%3a%2f%2ftracker.torrent.eu.org%3a451%2fannounce&tr=udp%3a%2f%2ftracker.tiny-vps.com%3a6969%2fannounce&tr=udp%3a%2f%2fopen.stealth.si%3a80%2fannounce))~~ currently unused
 - `/etc/vms/haos.img` - qcow2 image for haos vm (can be downloaded from the official website, the KVM/Proxmox image).
-- `/etc/ssh/agenix_key` - private key for secret decryption
 - `/etc/secureboot/keys` - secure boot keys, generated with `sudo nix-shell -p sbctl --run "sbctl create-keys"`
 - to enroll fde onto tpm: `sudo systemd-cryptenroll /dev/nvme0n1p2 --tpm2-device=auto --tpm2-pcrs=0+2+7`
diff --git a/ssh/agenix-unsafe.pub b/ssh/agenix-unsafe.pub
new file mode 100644
index 0000000..678c9a4
--- /dev/null
+++ b/ssh/agenix-unsafe.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJiBH1s8uXUAW6bBG5cfg3w3yDQCsl5fiYfQy7Z7qLOY
\ No newline at end of file