Agenix: Difference between revisions
imported>Onny Initial page |
imported>Onny Start adding configuration section |
||
| Line 36: | Line 36: | ||
== Configuration == | == Configuration == | ||
First create a directory where secrets are going to be stored. In this example we're creating the directory <code>secrets</code> inside the NixOS system configuration path <code>/etc/nixos</code> | |||
<syntaxhighlight lang="bash"> | |||
# mkdir /etc/nixos/secrets | |||
</syntaxhighlight> | |||
Inside the secrets directory we create a <code>secrets.nix</code> file which will be used by the agenix client to encrypt secrets for specific users and parts of the system | |||
{{file|/etc/nixos/secrets/secrets.nix|nix|<nowiki> | |||
let | |||
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH"; | |||
user2 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoQ9S7V+CufAgwoehnf2TqsJ9LTsu8pUA3FgpS2mdVwcMcTs++8P5sQcXHLtDmNLpWN4k7NQgxaY1oXy5e25x/4VhXaJXWEt3luSw+Phv/PB2+aGLvqCUirsLTAD2r7ieMhd/pcVf/HlhNUQgnO1mupdbDyqZoGD/uCcJiYav8i/V7nJWJouHA8yq31XS2yqXp9m3VC7UZZHzUsVJA9Us5YqF0hKYeaGruIHR2bwoDF9ZFMss5t6/pzxMljU/ccYwvvRDdI7WX4o4+zLuZ6RWvsU6LGbbb0pQdB72tlV41fSefwFsk4JRdKbyV3Xjf25pV4IXOTcqhy+4JTB/jXxrF"; | |||
users = [ user1 user2 ]; | |||
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE"; | |||
system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1"; | |||
systems = [ system1 system2 ]; | |||
in | |||
{ | |||
"secret1.age".publicKeys = [ user1 system1 ]; | |||
"secret2.age".publicKeys = users ++ systems; | |||
} | |||
</nowiki>}} | |||
[[Category:Applications]] | [[Category:Applications]] | ||
[[Category:Security]] | [[Category:Security]] | ||
Revision as of 10:57, 29 December 2022
agenix is a commandline tool for managing secrets encrypted with your existing SSH keys. The project also includes the NixOS module age for adding encrypted secrets into the Nix store and decrypting them.
Installation
The following example describes an installation via Flakes. For further installation methods see the upstream documentation.
{
inputs.agenix.url = "github:ryantm/agenix";
# optional, not necessary for the module
#inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, nixpkgs, agenix }: {
nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./configuration.nix
agenix.nixosModule
];
};
};
}
Change yourhostname to your actual hostname and x86_64-linux to your system architecture.
After that installing the agenix client application can be achieved like this
{ config, pkgs, lib, inputs, ... }:{
environment.systemPackages = [
inputs.agenix.defaultPackage."${system}"
];
}
Configuration
First create a directory where secrets are going to be stored. In this example we're creating the directory secrets inside the NixOS system configuration path /etc/nixos
# mkdir /etc/nixos/secrets
Inside the secrets directory we create a secrets.nix file which will be used by the agenix client to encrypt secrets for specific users and parts of the system
/etc/nixos/secrets/secrets.nix
let
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
user2 = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoQ9S7V+CufAgwoehnf2TqsJ9LTsu8pUA3FgpS2mdVwcMcTs++8P5sQcXHLtDmNLpWN4k7NQgxaY1oXy5e25x/4VhXaJXWEt3luSw+Phv/PB2+aGLvqCUirsLTAD2r7ieMhd/pcVf/HlhNUQgnO1mupdbDyqZoGD/uCcJiYav8i/V7nJWJouHA8yq31XS2yqXp9m3VC7UZZHzUsVJA9Us5YqF0hKYeaGruIHR2bwoDF9ZFMss5t6/pzxMljU/ccYwvvRDdI7WX4o4+zLuZ6RWvsU6LGbbb0pQdB72tlV41fSefwFsk4JRdKbyV3Xjf25pV4IXOTcqhy+4JTB/jXxrF";
users = [ user1 user2 ];
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1";
systems = [ system1 system2 ];
in
{
"secret1.age".publicKeys = [ user1 system1 ];
"secret2.age".publicKeys = users ++ systems;
}