feat: improved secrets management, support for build-time "unsafe" secrets

agenix-edit

@@ -2,10 +2,23 @@
 
 set +euo pipefail
 
-name="$1"
+if [ "$1" == "--unsafe" ]; then
+    is_unsafe=true
+    shift
+else 
+    is_unsafe=false
+fi
 
+name="$1"
 script_dir=$(dirname "$(readlink -f "$0")")
+
+if [ "$is_unsafe" == "true" ]; then
+    name="$name.UNSAFE"
+    public_key=$(cat "$script_dir/ssh/agenix-unsafe.pub")
+else
     public_key=$(cat "$script_dir/ssh/agenix.pub")
+fi
+
 fullname="$script_dir/secrets/$name.age"
 
 if [ -z "$name" ]; then
@@ -28,4 +41,19 @@ echo '{"eofnewline": false}' > "$micro_config_dir/settings.json"
 export MICRO_CONFIG_HOME="$micro_config_dir"
 export EDITOR=micro
 export RULES="$tempfile"
-agenix -e "$fullname" --identity /etc/ssh/agenix_key
+
+if [ "$(uname)" == "Darwin" ]; then
+  if [ "$is_unsafe" == "true" ]; then
+    private_path="/Users/Shared/agenix-key-unsafe"
+  else
+    private_path="$HOME/.ssh/agenix-key"
+  fi
+else 
+  if [ "$is_unsafe" == "true" ]; then
+    private_path="/etc/ssh/agenix-key-unsafe"
+  else
+    private_path="/etc/ssh/agenix-key"
+  fi
+fi
+
+agenix -e "$fullname" --identity "$private_path"

hosts/teidesu-osx/configuration.nix

@@ -29,7 +29,8 @@
   services.nix-daemon.enable = true;
 
   age.identityPaths = [
-    "/Users/teidesu/.ssh/agenix_key"
+    "/Users/teidesu/.ssh/agenix-key"
+    "/Users/Shared/agenix-key-unsafe"
   ];
 
   security.pam.enableSudoTouchIdAuth = true;

lib/secrets-unsafe.nix

@@ -0,0 +1,20 @@
+{ pkgs, config, ... }: 
+
+{
+  readUnsafe = name: let 
+    path = ../secrets + "/${name}.UNSAFE.age";
+    identityPath = builtins.elemAt (
+      builtins.filter (
+        x: (builtins.match ".*-unsafe$" x) != null
+      ) config.age.identityPaths
+    ) 0;
+    drv = builtins.derivation { 
+      system = pkgs.system;
+      name = name;
+      src = path;
+      builder = pkgs.writeShellScript "read-${name}.sh" ''
+        ${pkgs.age}/bin/age --decrypt --identity ${identityPath} $src > $out
+      '';
+    };
+  in builtins.readFile drv;
+}

lib/secrets.nix

@@ -16,6 +16,7 @@
     );
   };
 
+
   file = config: name: config.age.secrets.${name}.path;
 
   mount = config: name:

readme.md

@@ -6,12 +6,16 @@ ok hi this is my nixos config. it is pretty much a mess and the code sucks but w
 note to self on what needs to be installed on the host manually:
 
 ### common
-- `/etc/ssh/agenix_key` (darwin: `~/.ssh/agenix_key`) - private key for secret decryption
+- `/etc/ssh/agenix-key` (darwin: `~/.ssh/agenix-key`) - private key for secret decryption
+- `/etc/ssh/agenix-key-unsafe` (darwin: `/Users/Shared/agenix-key-unsafe`) - private key for unsafe secret decryption
+
+> "unsafe" secrets are only secret to the "outside" world (i.e. the git repo), but are decrypted at build-time
+> and are available globally to the system. this is useful for things like server ips, since i don't want to
+> expose them to everyone, but they are not really secret in the sense that they are not sensitive data.
 
 ### koi:
 - ~~`/etc/iso/win11.iso` - iso containing windows 11 installer (e.g. this: [magnet](magnet:?xt=urn:btih:56197d53136ffcecbae5225f0ac761121eacdac6&dn=Win11_22H2_English_x64v1.iso&tr=udp%3a%2f%2ftracker.torrent.eu.org%3a451%2fannounce&tr=udp%3a%2f%2ftracker.tiny-vps.com%3a6969%2fannounce&tr=udp%3a%2f%2fopen.stealth.si%3a80%2fannounce))~~ currently unused
 - `/etc/vms/haos.img` - qcow2 image for haos vm (can be downloaded from the official website, the KVM/Proxmox image).
-- `/etc/ssh/agenix_key` - private key for secret decryption
 - `/etc/secureboot/keys` - secure boot keys, generated with `sudo nix-shell -p sbctl --run "sbctl create-keys"`
 - to enroll fde onto tpm: `sudo systemd-cryptenroll /dev/nvme0n1p2 --tpm2-device=auto --tpm2-pcrs=0+2+7`
 

ssh/agenix-unsafe.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJiBH1s8uXUAW6bBG5cfg3w3yDQCsl5fiYfQy7Z7qLOY