chore: better unsafe secret handling

Turned out my previous scheme didn't work properly under Linux xd
This commit is contained in:
alina 🌸 2024-05-12 12:43:51 +03:00
parent 9c15fce069
commit 5ba68e987d
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
5 changed files with 18 additions and 18 deletions

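--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 result
 .DS_Store
 /test.nix
+/secrets/unsafe.key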
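Review bot: Ignoring `/secrets/unsafe.key` does not by itself keep the private key out of the repository, because the `git add -f secrets/unsafe.key` line added to `switch` in this same commit force-stages it: every such `git add` writes the key as a blob under `.git/objects`, where it survives the later `git restore --staged` until garbage collection, and if `switch` is killed before the EXIT trap fires the key stays staged for the next commit. Consider a pre-commit guard such as `git ls-files --error-unmatch secrets/unsafe.key 2>/dev/null && { echo 'secrets/unsafe.key is staged'; exit 1; }`, and document the force-stage in the ignore file itself, e.g. `# private key for UNSAFE.*.age; never commit (./switch stages it transiently)`. Note also that the new `identityPath = ../secrets/unsafe.key;` path literal in the nix module presumably copies the key into the world-readable Nix store when evaluated, which may be acceptable given the README's description of "unsafe" secrets but is worth stating explicitly there.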


@ -42,15 +42,11 @@ export MICRO_CONFIG_HOME="$micro_config_dir"
export EDITOR=micro export EDITOR=micro
export RULES="$tempfile" export RULES="$tempfile"
if [ "$is_unsafe" == "true" ]; then
private_path="$script_dir/secrets/unsafe.key"
else
if [ "$(uname)" == "Darwin" ]; then if [ "$(uname)" == "Darwin" ]; then
if [ "$is_unsafe" == "true" ]; then
private_path="/Users/Shared/agenix-key-unsafe"
else
private_path="$HOME/.ssh/agenix-key" private_path="$HOME/.ssh/agenix-key"
fi
else
if [ "$is_unsafe" == "true" ]; then
private_path="/etc/ssh/agenix-key-unsafe"
else else
private_path="/etc/ssh/agenix-key" private_path="/etc/ssh/agenix-key"
fi fi


@ -2,14 +2,12 @@
age, age,
writeShellScript, writeShellScript,
system, system,
stdenv,
... ...
}: }:
{ {
readUnsafe = name: let readUnsafe = name: let
isDarwin = stdenv.isDarwin; identityPath = ../secrets/unsafe.key;
identityPath = if isDarwin then "/Users/Shared/agenix-key-unsafe" else "/etc/ssh/agenix-key-unsafe";
path = ../secrets + "/UNSAFE.${name}.age"; path = ../secrets + "/UNSAFE.${name}.age";
drv = builtins.derivation { drv = builtins.derivation {


@ -7,7 +7,7 @@ note to self on what needs to be installed on the host manually:
### common ### common
- `/etc/ssh/agenix-key` (darwin: `~/.ssh/agenix-key`) - private key for secret decryption - `/etc/ssh/agenix-key` (darwin: `~/.ssh/agenix-key`) - private key for secret decryption
- `/etc/ssh/agenix-key-unsafe` (darwin: `/Users/Shared/agenix-key-unsafe`) - private key for unsafe secret decryption - `./secrets/unsafe.key` - private key for unsafe secret decryption
> "unsafe" secrets are only secret to the "outside" world (i.e. the git repo), but are decrypted at build-time > "unsafe" secrets are only secret to the "outside" world (i.e. the git repo), but are decrypted at build-time
> and are available globally to the system. this is useful for things like server ips, since i don't want to > and are available globally to the system. this is useful for things like server ips, since i don't want to

switch

@ -28,13 +28,18 @@ if [ ! -z ${NIX_HOSTNAME+x} ]; then
flake=".#$NIX_HOSTNAME" flake=".#$NIX_HOSTNAME"
fi fi
function on_exit {
git restore --staged secrets/unsafe.key
if [ $(hostname) == "teidesu-osx" ]; then
git restore --staged hosts/teidesu-osx/arc-setup.nix
fi
}
trap on_exit EXIT
git add -f secrets/unsafe.key
if [ "$(uname)" == "Darwin" ]; then if [ "$(uname)" == "Darwin" ]; then
if [ $(hostname) == "teidesu-osx" ]; then if [ $(hostname) == "teidesu-osx" ]; then
git add -f hosts/teidesu-osx/arc-setup.nix git add -f hosts/teidesu-osx/arc-setup.nix
function restore {
git restore --staged hosts/teidesu-osx/arc-setup.nix
}
trap restore EXIT
fi fi
if command -v darwin-rebuild &> /dev/null; then if command -v darwin-rebuild &> /dev/null; then