Commit

+ detail doc
oluceps committed Nov 17, 2024
1 parent e2de3fe commit be93580
Showing 10 changed files with 78 additions and 31 deletions.
17 changes: 10 additions & 7 deletions README.md
@@ -10,13 +10,16 @@

Secret management for NixOS.

This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). Based on rust [age](https://docs.rs/age/latest/age) crate.

+ Age Plugin Compatible
+ Support Template
+ Support identity with passphrase
+ Support PIV Card (Yubikey)
+ No Bash
This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix).

+ Based on age rust [implemention](https://docs.rs/age/latest/age)
+ Support secure identity with passphrase
+ Support template for reusing insensitive stanza
+ Support Yubikey PIV with [age-yubikey-plugin](https://github.com/str4d/age-plugin-yubikey)
+ Small closure size increase (less than 1.5M)
+ Fits well with new `sysuser` nixos userborn machenism
+ Design with [flake-parts](https://flake.parts/) and modulized flake
+ Compatible and tested with most nixos deployment tools (nixos-rebuild, apply, colmena)

## Setup

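Review bot: the new feature list ships with spelling errors: `implemention` should be `implementation`, `machenism` should be `mechanism`, and `Design with` reads better as `Designed with`. `Support template for reusing insensitive stanza` does not tell a new reader what a template is (the placeholder substitution that the `content` and `trim` options in doc/nixos-option.md describe), so `insensitive` is confusing without that context. The `less than 1.5M` closure-size claim is unsupported here, while doc/intro.md carries the same line with a footnote giving the measured size; either cite the same figure or drop the number from the README so the two copies of this list do not drift.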
2 changes: 2 additions & 0 deletions TODO.md
@@ -1,3 +1,5 @@
- [ ] multilingual docs
- [ ] restart/reload sd unit control (after systemd varlink api)
- [x] secrets for users
- [x] optimize template placeholder map get
- [x] test with os
2 changes: 1 addition & 1 deletion book.toml
@@ -3,7 +3,7 @@ authors = ["oluceps"]
language = "en"
multilingual = false
src = "doc"
title = "vaultix manual"
title = "Vaultix Documentation"

[output.html]
git-repository-url = "https://github.com/oluceps/vaultix"
2 changes: 1 addition & 1 deletion doc/SUMMARY.md
@@ -1,6 +1,6 @@
# Summary

- [Intro](./intro.md)
- [Introduction](./intro.md)
- [Prerequisits](./prerequisits.md)
- [Setup](./setup.md)
- [Flake Option](./flake-option.md)
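Review bot: `Prerequisits` on the line right after the renamed entry is still misspelled (`Prerequisites`). Because the link target `./prerequisits.md` shares the misspelling, the fix means renaming the file and every link to it in the same commit; that is cheap now and harder once the published page URL is linked from elsewhere.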
30 changes: 26 additions & 4 deletions doc/advanced.md
@@ -1,6 +1,28 @@
# Advanced




## Tricks

In most cases you don't need these.

### Manually deploy

This must be executed on local, and be sure all secrets re-encrypted before that, since there has no module to guarantee it in this case.

Manually deploy not affect next vaultix activation. It's a trick that helps you finish deploy while your flake options of vaultix broken:

This eval nixos vaultix configs to json.

```bash
nix eval .#nixosConfigurations.your-hostname.config.vaultix-debug --json > profile.json
```
/|、
(˙、.7
|、~ヽ
じしf_,)ノ

So that you can feed it to vaultix cli directly:

```bash
nix run github:oluceps/vaultix -- -p ./profile.json deploy
```

To be notice that deploy secrets that needs to be extracted before user init (deploy with --early) in this way is meaningless.
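Review bot: the re-encryption warning is the most important sentence in this section and it is buried in a run-on; state it first and plainly, e.g. `Run this only on the admin machine, and re-encrypt all secrets before you do: nothing on the manual path checks this for you.` Grammar elsewhere: `Manually deploy not affect next vaultix activation` should read `A manual deploy does not affect the next vaultix activation`, `there has no module` should read `no module guarantees it`, and `To be notice that deploy secrets that needs to be extracted before user init (deploy with --early) in this way is meaningless` should read `Note that secrets which must be extracted before user init (normally deployed with --early) cannot be deployed this way` and say why. The ASCII cat between the two code blocks is stray and should go. Finally, `profile.json` is the evaluated vaultix configuration written next to the flake by the `>` redirect; the doc should say what it contains so a user can decide whether it may be left in the working tree or committed by accident.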
2 changes: 1 addition & 1 deletion doc/faq.md
@@ -2,6 +2,6 @@

**Q.** Rebooting and unit failed with could not found ssh private key, but it indeed just there.

**A.** Check if using `root on tmpfs`, and modify [hostKeys](https://oluceps.github.io/vaultix/nixos-option.html#hostkeys) path to Absolute path string to your REAL private key location (not bind mounted or symlinked etc.)
**A.** Check if using `root on tmpfs`, and modify [hostKeys](https://oluceps.github.io/vaultix/nixos-option.html#hostkeys) path to Absolute path string which your REAL private key located (not bind mounted or symlinked etc.). This could also fix similar issue happened with agenix and sops-nix...

---
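Review bot: the rewritten answer is grammatically worse than the line it replaces: `Absolute path string which your REAL private key located` should be `an absolute path string pointing at the real location of your private key`. The added `This could also fix similar issue happened with agenix and sops-nix...` needs `similar issues seen with agenix and sops-nix` and should not end in an ellipsis. One sentence on the cause would make the answer stick: if the key path in `hostKeys` is a symlink or bind mount that does not yet exist when the unit runs on a tmpfs root, only the backing path is usable at that point.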
26 changes: 18 additions & 8 deletions doc/intro.md
@@ -1,13 +1,23 @@
# Vaultix

### Secret management for NixOS.
### Single-admin Secret Manage Scheme for NixOS.

This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix). Based on rust [age](https://docs.rs/age/latest/age) crate.

+ Support Template
+ Age Plugin Compatible
+ Support PIV Card (Yubikey)
+ Support identity with passphrase
+ Compatible with `userborn` module option
+ No Bash
This project is highly inspired by [agenix-rekey](https://github.com/oddlama/agenix-rekey) and [sops-nix](https://github.com/Mic92/sops-nix).

+ Based on age rust [implemention](https://docs.rs/age/latest/age)
+ Support secure identity with passphrase
+ Support template for reusing insensitive stanza
+ Support Yubikey PIV with [age-yubikey-plugin](https://github.com/str4d/age-plugin-yubikey)
+ Small closure size increase (less than 1.5M[^1])
+ Fits well with new `sysuser` nixos userborn machenism[^2]
+ Design with [flake-parts](https://flake.parts/) and modulized flake
+ Written in Rust for speed, safety, and simplicity
+ Compatible and tested with known[^3] nixos deployment tools




[^1]: nix build result on Nov 18 2024, 1357112 bytes.
[^2]: See merged pr [270727](https://github.com/NixOS/nixpkgs/pull/270727) and [332719](https://github.com/NixOS/nixpkgs/pull/332719)
[^3]: nixos-rebuild, apply, colmena was confirmed supported
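Review bot: footnote `[^1]` is dated Nov 18 2024 while the commit is dated Nov 17, 2024 in the page header; confirm the date is the one intended. The same typos as README.md appear here (`implemention`, `machenism`, `Design with`), `[^3]: nixos-rebuild, apply, colmena was confirmed supported` should read `were confirmed to work`, and `Compatible and tested with known[^3] nixos deployment tools` reads oddly; `with the deployment tools listed in [^3]` is clearer. The three blank lines before the footnotes can go. Since README.md and intro.md now carry two slightly different copies of this list, consider including one from the other (mdBook supports `{{#include}}`) so they cannot drift.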
21 changes: 15 additions & 6 deletions doc/nixos-option.md
@@ -16,7 +16,7 @@ Configurable option could be divided into 3 parts:
}
```

## Settings =
## Settings
Literally.


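Review bot: removing the stray `=` from the heading is correct, but `Literally.` under `## Settings` is not documentation; replace it with one sentence saying what this group holds (the non-secret, global options such as `decryptedMountPoint` and `decryptedDir` that the subsections below describe).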
@@ -33,7 +33,10 @@ Same as above, but for secrets and templates that required by user, which means

<div id="dmp"></div>

### decryptedMountPoint: path str with no trailing slash
### decryptedMountPoint

Path str with no trailing slash

default is `/run/vaultix.d`

Where secrets are created before they are symlinked to `vaultix.settings.decryptedDir`
@@ -102,7 +105,9 @@ This part basically keeps identical with `agenix`. But has few diffs:

+ no `symlink: bool` option, since it has an systemd function called [tmpfiles.d](https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html).

### path: path str
### path

str of path

If you manually set this, it will deploy to specified location instead of to `/run/vaultix.d` (default value of [decryptedMountPoint](#dmp)).

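Review bot: `str of path` carries less information than the heading it replaces (`path: path str`); if the intent is shorter headings, put the type on the first line under the heading as `Type: path string` for consistency with the other options. More importantly, because `path` places the file outside `/run/vaultix.d` (a tmpfs that does not survive reboot), the doc should state whether the target directory is created, which owner and mode are applied there, and that a path on persistent storage keeps the decrypted secret across reboots; that is the security-relevant difference from the default and the reason a user would want to know it.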
@@ -133,7 +138,7 @@ templates = {
```


### content: str
### content


Insert `config.vaultix.placeholder.example` in plain string content.
@@ -162,14 +167,18 @@ ${config.vaultix.placeholder.some} here

TO BE NOTICE that the source secret file may have trailing `\n`:

### trim: bool
### trim

boolean value

default true;

Removing trailing and leading whitespace by default.


## beforeUserborn: [str]
## beforeUserborn

List of string.

For deploying secrets and templates that required before user init.

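Review bot: `TO BE NOTICE that the source secret file may have trailing \n:` is the sentence that motivates `trim`, so it belongs inside the `trim` section as `Note that the source secret file may end with a newline; trim removes it.` The three fragments `boolean value` / `default true;` / `Removing trailing and leading whitespace by default.` read better as one line: `Boolean, default true: strip leading and trailing whitespace from the secret before it is inserted.` For `beforeUserborn`, `List of string.` should be `List of strings` and the description should say what the strings name (secrets or templates), especially since the module now only creates the `vaultix-activate-before-user` unit when this list is non-empty (see the `mkIf` in module/default.nix in this commit).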
5 changes: 3 additions & 2 deletions justfile
@@ -20,5 +20,6 @@ full-test:
nix run github:nix-community/nixos-anywhere -- --flake .#tester --vm-test
vm-tests:
#!/usr/bin/env nu
["tester" "tester-empty-secret" "tester-empty-template"] |
par-each { nix run github:nix-community/nixos-anywhere -- --flake $'.#($in)' --vm-test }
nix run github:nix-community/nixos-anywhere -- --flake .#tester --vm-test
nix run github:nix-community/nixos-anywhere -- --flake .#tester-empty-secret --vm-test
nix run github:nix-community/nixos-anywhere -- --flake .#tester-empty-template --vm-test
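Review bot: dropping the `par-each` version changes the semantics of `vm-tests`, not just its speed: just runs each line of a non-shebang recipe in its own shell and stops at the first failing line, so a failure in `tester` now hides the results of `tester-empty-secret` and `tester-empty-template`. If running the three VM tests sequentially is intended (for example to avoid three concurrent VMs), a comment in the recipe saying so would help; otherwise the recipe should still collect all three results before failing.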
2 changes: 1 addition & 1 deletion module/default.nix
@@ -218,7 +218,7 @@ in
};
};

systemd.services.vaultix-activate-before-user = {
systemd.services.vaultix-activate-before-user = mkIf (cfg.beforeUserborn != [ ]) {
wantedBy = [ "systemd-sysusers.service" ];
before = [ "systemd-sysusers.service" ];
unitConfig.DefaultDependencies = "no";
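Review bot: guarding `vaultix-activate-before-user` with `mkIf (cfg.beforeUserborn != [ ])` is the right call: a unit with `DefaultDependencies = "no"` ordered before `systemd-sysusers.service` should not exist on hosts that do not use it. Check every other place that names this unit (for instance an `after`, `wants` or `requires` in the regular activation service): `after` and `wants` on a missing unit are tolerated by systemd with at most a log line, but a `requires` on it would fail the dependent unit, so such references need the same `mkIf` condition.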

0 comments on commit be93580
