Switch to agenix
git-crypt no longer works: NixOS/nix#5260
jtojnar committed Nov 6, 2021
1 parent 5c5c0be commit 2360a19
Showing 14 changed files with 138 additions and 9 deletions.
2 changes: 1 addition & 1 deletion .gitattributes
@@ -1 +1 @@
secrets/** filter=git-crypt diff=git-crypt
secrets/*.age binary
4 changes: 4 additions & 0 deletions common/data/keys.nix
@@ -1,4 +1,8 @@
{
azazel = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBnYnuUen7HpY43vvqgWzF7ZQ1UFkHCDzvSqGghwV0G"
];

jtojnar = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYbOlZydfRRCGCT08wdtPcpfSrgxMc6weDx3NcWrnMpVgxnMs3HozzkaS/hbcZUocn7XbCOyaxEd1O8Fuaw4JXpUBcMetpPXkQC+bZHQ3YsZZyzVgCXFPRF88QQj0nR7YVE1AeAifjk3TCODstTxit868V1639/TVIi5y5fC0/VbYG2Lt4AadNH67bRv8YiO3iTsHQoZPKD1nxA7yANHCuw38bGTHRhsxeVD+72ThbsYSZeA9dBrzACpEdnwyXclaoyIOnKdN224tu4+4ytgH/vH/uoUfL8SmzzIDvwZ4Ba2yHhZHs5iwsVjTvLe7jjE6I1u8qY7X8ofnanfNcsmz/ jtojnar@theo"
];
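Review bot: The new `azazel` entry has no comment saying what kind of key it is, while the neighbouring `jtojnar` entry is recognisably a user key; since every secret in `secrets/secrets.nix` is encrypted to it, a reader needs to know which private key on the host is expected to match. Presumably this is the host's SSH key that agenix decrypts with at activation, so a comment such as `# azazel's SSH host key — agenix decrypts with the matching private key at activation; rotating it requires rekeying secrets/ (agenix -r)` above the list would capture the operational consequence. The `jtojnar` list continues outside the hunk.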
21 changes: 21 additions & 0 deletions flake.lock


8 changes: 7 additions & 1 deletion flake.nix
Expand Up @@ -2,6 +2,11 @@
description = "jtojnar’s machines";

inputs = {
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};

dwarffs = {
url = "github:edolstra/dwarffs";
inputs.nixpkgs.follows = "nixpkgs";
Expand Down Expand Up @@ -46,7 +51,7 @@
};
};

outputs = { self, dwarffs, flake-compat, home-manager, naersk, napalm, nixpkgs, nixpkgs-mozilla, nixgl }@inputs:
outputs = { self, agenix, dwarffs, flake-compat, home-manager, naersk, napalm, nixpkgs, nixpkgs-mozilla, nixgl }@inputs:
let
inherit (nixpkgs) lib;

Expand Down Expand Up @@ -194,6 +199,7 @@
devShell = forAllPlatforms (platform:
pkgss.${platform}.mkShell {
nativeBuildInputs = with pkgss.${platform}; [
agenix.defaultPackage.${platform}
deploy
git
git-crypt
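Review bot: `git-crypt` is still listed in the devShell on the last line of the hunk even though the commit title says it no longer works and `.gitattributes` drops its filter in the same commit. If it is kept deliberately (for example to read secrets in older history), a comment such as `git-crypt # only for decrypting pre-agenix history` would make that clear; otherwise it should be removed alongside the filter. The `nativeBuildInputs` list continues outside the hunk.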
6 changes: 6 additions & 0 deletions hosts/azazel/configuration.nix
Expand Up @@ -106,6 +106,12 @@ in {
defaultUserShell = pkgs.fish;
};

age.secrets = {
"bag.ogion.cz-secret".file = ../../secrets/bag.ogion.cz-secret.age;
"blackfire-agent-server-id".file = ../../secrets/blackfire-agent-server-id.age;
"blackfire-agent-server-token".file = ../../secrets/blackfire-agent-server-token.age;
};

networking.firewall.allowedTCPPorts = [
80
443
25 changes: 21 additions & 4 deletions hosts/azazel/ogion.cz/bag/default.nix
Expand Up @@ -44,7 +44,8 @@ let
locale = "en";

# A secret key that's used to generate certain security-related tokens
secret = import ../../../../secrets/bag.ogion.cz-secret.nix;
# We use agenix so we need to substitute it at activation time.
secret = "@secret@";

# two factor stuff
twofactor_auth = true;
Expand Down Expand Up @@ -79,20 +80,24 @@ let
sentry_dsn = null;
};

configFile = pkgs.writeTextFile {
configFileTemplate = pkgs.writeTextFile {
name = "wallabag-config";
text = builtins.toJSON {
parameters = settings;
};
destination = "/config/parameters.yml";
};

configFileLink = pkgs.runCommandLocal "wallabag-config-link" { } ''
mkdir -p "$out/config"
ln -s "/etc/wallabag/parameters.yml" "$out/config/parameters.yml"
'';

appDir = pkgs.buildEnv {
name = "wallabag-app-dir";
ignoreCollisions = true;
checkCollisionContents = false;
paths = [
configFile
configFileLink
"${package}/app"
];
};
Expand Down Expand Up @@ -164,6 +169,18 @@ in {
};
};

# We use agenix so we need to create the config at activation time.
system.activationScripts."bag.ogion.cz-secret" = lib.stringAfter [ "etc" "agenix" "agenixRoot" ] ''
secret=$(cat "${config.age.secrets."bag.ogion.cz-secret".path}")
configDir=/etc/wallabag
mkdir -p "$configDir"
configFile=$configDir/parameters.yml
${pkgs.gnused}/bin/sed "s#@secret@#$secret#" "${configFileTemplate}" > "$configFile"
chown -R bag:nginx "$configDir"
chmod 700 "$configDir"
chmod 600 "$configFile"
'';

systemd.services.wallabag-install = {
description = "Wallabag install service";
wantedBy = [ "multi-user.target" ];
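Review bot: The `sed … "${configFileTemplate}" > "$configFile"` line reads a store path that is a directory, because `configFileTemplate` (defined in the previous hunk) keeps `destination = "/config/parameters.yml"`; the input has to be `${configFileTemplate}/config/parameters.yml`, or `destination` has to go now that the template is no longer one of the `appDir` paths. The file is also created by shell redirection under the activation script's default umask and only `chmod 600`-ed afterwards, so for a moment `parameters.yml` holds the secret world-readable, and the secret itself is passed to sed inside its expression argument, where it is visible in the process list and breaks on `#`, `&`, `\` or a newline (and, since substitution happens after `toJSON`, a `"` or `\` in it also yields invalid YAML). `chmod 700 "$configDir"` and `chmod 600 "$configFile"` further make the `nginx` group in `chown -R bag:nginx` ineffective, so either the group or the modes should change. The rewrite below sets the umask first, installs the template with mode 600 and lets nixpkgs' `replace-secret` splice the secret in-place so it never reaches a command line.
```nix
  system.activationScripts."bag.ogion.cz-secret" = lib.stringAfter [ "etc" "agenix" "agenixRoot" ] ''
    # Never let the directory or the file exist with permissive modes, even briefly.
    umask 077
    configDir=/etc/wallabag
    mkdir -p "$configDir"
    configFile=$configDir/parameters.yml
    # The template derivation is a directory (destination = "/config/parameters.yml").
    install -m 600 "${configFileTemplate}/config/parameters.yml" "$configFile"
    # Splice the secret in-place so it never appears on a command line.
    ${pkgs.replace-secret}/bin/replace-secret '@secret@' "${config.age.secrets."bag.ogion.cz-secret".path}" "$configFile"
    chown -R bag:nginx "$configDir"
    # … unchanged: chmod 700 "$configDir" / chmod 600 "$configFile" …
  '';
```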
13 changes: 12 additions & 1 deletion hosts/azazel/ogion.cz/reader/default.nix
Expand Up @@ -77,10 +77,21 @@ in {

blackfire-agent = {
enable = true;
settings = import ../../../../secrets/blackfire-agent-credentials.nix;
settings = {
# We use agenix so we need to substitute it at activation time.
server-id = "@serverId@";
server-token = "@serverToken@";
};
};
};

# We use agenix so we need to create the config at activation time.
system.activationScripts."blackfire-secret-secret" = lib.stringAfter [ "etc" "agenix" "agenixRoot" ] ''
serverId=$(cat "${config.age.secrets."blackfire-agent-server-id".path}")
serverToken=$(cat "${config.age.secrets."blackfire-agent-server-token".path}")
${pkgs.gnused}/bin/sed -i "s#@serverId@#$serverId#;s#@serverToken@#$serverToken#" "/etc/blackfire/agent"
'';

# I was not able to pass the variables through services.phpfpm.pools.reader.phpEnv:
# https://github.com/NixOS/nixpkgs/issues/79469#issuecomment-631461513
systemd.services.phpfpm-reader.environment = settingsEnv;
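Review bot: `sed -i … "/etc/blackfire/agent"` in the new activation script leaves the mode of the resulting file to sed: on NixOS that path is normally a symlink into the store, which `sed -i` replaces with a regular file carrying the store file's 0444 mode, so the substituted `server-token` is likely world-readable afterwards — add `chmod 600 /etc/blackfire/agent` (plus a `chown` to whatever user the agent runs as) after the substitution, and verify the resulting mode on the host. Both secrets also travel through sed's expression argument, visible in the process list and broken by `#`, `&` or `\`; `${pkgs.replace-secret}/bin/replace-secret '@serverId@' "${config.age.secrets."blackfire-agent-server-id".path}" /etc/blackfire/agent` (and the same for the token) avoids both problems if your nixpkgs has it. The script name `"blackfire-secret-secret"` looks like a typo next to `"bag.ogion.cz-secret"`; `"blackfire-agent-secret"` would match the secret names.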
6 changes: 4 additions & 2 deletions hosts/default.nix
@@ -1,7 +1,7 @@
# Let’s build a configuration for each host listed in ./list.nix.
{ inputs, pkgss }:
let
inherit (inputs) self nixpkgs home-manager;
inherit (inputs) self agenix nixpkgs home-manager;
inherit (nixpkgs) lib;

mkConfig = { hostName, platform, managedHome ? false, ... }:
Expand Down Expand Up @@ -52,7 +52,9 @@ let
}
];
in
flakeModules ++ [ core global local ] ++ hmModules;
flakeModules ++ [ core global local ] ++ hmModules ++ [
agenix.nixosModules.age
];
};

hosts =
15 changes: 15 additions & 0 deletions secrets/bag.ogion.cz-secret.age
@@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 y9dNJA xW9ZyVikHCP96nsn3smUYwSKCyDds8J3OcW9jcfUA1c
c1HxCAx4mkOuDs4Uh9i2QVUQQGejcEMqDo4waO99vkU
-> ssh-rsa hco4Zg
cC+t8WAmfUJ8gdzRoNkXNdrJJW3t354dXLqTUpcCa1Wu2ZvGAk7QCMReM+aQ9wdf
LUke7hwyqTbq3t6eMUVsJsfuR7JFewaXBgU9gfl0gRnWaXTJJuskWT+nXVMEO/x0
J8kxNxbRTzD9dPzKWWe0gsxsAdvXxmUvwidw+jjLqd+O/Zrm0NTApl2KZamuL14R
BcsUWmr+kLvfaAQUiEY81SyFxdGA5CA5mL80VTJzfZwStF7J6idS324niC5LtaR2
kdtHcKELvMzzbF19IGjbTKX+p5/fS77q5l6N3Ag893P2gnjgrndfU+6v0Trb23UI
iAh3WwCq26uYTip/l1/VFQ
-> q!U3cJ-grease 5J%2)$ E{Ti{3\ lH^
LEXiIoXxWOzQBcMCidXU83VUL9G9yWEJ8Cq/8HUcGwKNrHky6qMgAoShrqUA3bOT

--- RSgwMHJIaxzAmubS+aAti2IGtuaUsgF/cXP6Ca/GSQY
b��������)B��ۜ8z���v=� ?E���.:K$Yf�ضf�Ju%V< ��f�«�d$U::@G.�U�R^�99���y
Binary file removed secrets/bag.ogion.cz-secret.nix
Binary file not shown.
Binary file removed secrets/blackfire-agent-credentials.nix
Binary file not shown.
15 changes: 15 additions & 0 deletions secrets/blackfire-agent-server-id.age
@@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 y9dNJA XxXhNO6e52X41WptrNRFPa65GmGQ3KYpt1cp3W44pXo
Cbs6874a2/C+LcFoDAzBzqy3voEHYBPm1Bo7tq8CkOE
-> ssh-rsa hco4Zg
tkZLJT3mWfLWqnu5MbICZRqg5spdG1DYoil358cK9xdXCN/SSAQQmFNZtwq1WPaR
42O6gK2LQIHFtPwTq+fzr0Ous5mY7rM8WCfaK0rC7YejY9MUGnsWUCBg4e2rToUz
DxfMHm3Po40wZcFIfRLZ2AH17kOMZxteKO55XciU94vFwHoncp5hjrLIFWNve1fA
4aMu3uQdXGqIv9CWMJxEF+D7mkb0dWwLkgK/bS+u0x7aLtAU87WxcZrhm5g2CgtZ
3EfOseSvSUO1C1B5GCRxK0lxUWPylgIHeXVib4dE+tqrg0hZIkPW7CUJiC2G2cfz
4JmwNpPG2aAyDV9D9pWolA
-> bl)^{[R-grease "2}bC = <k8 bW
8uKNvmA9YuB0Mzpxa6GSqzcXavFtIhlzPVSVwWfQZeiNs6C+Nhrs8+i1QjTY1SRA
4O5ATCx2tkC/SU8emaSs82LPEV8+ppGjhGCxOielBqV19Y0loaLCBX/r84bGKQ
--- p71HVz3NZ1ogTjv2m9wvkvqxKcU0xHGYy3/jFKeu9I0
0�"��2p��2p�m���y�����<�%ϬSOQ*�_���.�c����u;�vkc��(@��t����FQ
15 changes: 15 additions & 0 deletions secrets/blackfire-agent-server-token.age
@@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 y9dNJA 70N7LeHyyquTcXNCK2WJXMPpMXVXHYOHTlIi4qGn+UA
H/th/VllUaMIw16oTqVdu5f5f2S3T/MD4lyG5cPm5EU
-> ssh-rsa hco4Zg
EFFsYvo95sr1Adk4ul2dAJ8i6/vznD1+F8+0701IXLoNS3E7WlNf+ihH2kw1h3KV
NBY5RPKBpYPxRY2CxgGcGGotXDbXxxRJujBXXOZqxpm3NdQgkTxUVIYLbkB1aO9V
sg64A5oIJXPrC2aOgKJvq2Fu+VQMk9uEkv9YM4IBoo6PaDP1bcVK3eWiUMGN+J/d
Ltm5zVm7Hi0NgDy3l1tu4UDCm/uf+jEJc1h8yqxhoSCQ/iZWb9Sq3pYAPuNk6y1R
LB6gfbSb4qZpmGt2YxEo7PNGGfaxuVYgptWQdbpOT/t2/WAywgYiYiJHSEu5L0zo
Siu0hghAhZbxAIdeQR6MhA
-> zo2#aG#J-grease
YeaFR41/GUK1CwKRoT/6JSLZaAt1mhsksqcodrr+5L0YfcdNORN/NGwDSIoVcuzd
IMdcYso
--- bz7V9JspXF4H+8K9loRwrZT2+YvGJ9cx+2wfuVLd2wI
1ÁNt�Ik�S�Y;���m)�h��4�����!�FS��{�E�B���@;O-ԭ>��i�?`_ϣ2�����@3Vj��oGc��l����eҹ��
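--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,17 @@
+let
+keys = import ../common/data/keys.nix;
+in
+{
+"bag.ogion.cz-secret.age".publicKeys = builtins.concatLists [
+keys.azazel
+keys.jtojnar
+];
+"blackfire-agent-server-id.age".publicKeys = builtins.concatLists [
+keys.azazel
+keys.jtojnar
+];
+"blackfire-agent-server-token.age".publicKeys = builtins.concatLists [
+keys.azazel
+keys.jtojnar
+];
+}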
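Review bot: The same recipient list `builtins.concatLists [ keys.azazel keys.jtojnar ]` is repeated for all three secrets, so adding a host or a user later means editing every entry and makes it easy to leave one secret encrypted to a stale set. Binding it once in the `let`, `all = keys.azazel ++ keys.jtojnar;`, and writing `"bag.ogion.cz-secret.age".publicKeys = all;` for each entry keeps the recipient policy in one place (list concatenation with `++` also reads more directly than `builtins.concatLists`). A one-line comment at the top noting that this file is only read by the `agenix` CLI, not by the NixOS configuration, would help the next reader.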
