<!DOCTYPE HTML>
<html lang="en" class="sidebar-visible no-js light">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Secrets - devos docs</title>
<!-- Custom HTML head -->
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff" />
<link rel="icon" href="favicon.svg">
<link rel="shortcut icon" href="favicon.png">
<link rel="stylesheet" href="css/variables.css">
<link rel="stylesheet" href="css/general.css">
<link rel="stylesheet" href="css/chrome.css">
<link rel="stylesheet" href="css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" href="highlight.css">
<link rel="stylesheet" href="tomorrow-night.css">
<link rel="stylesheet" href="ayu-highlight.css">
<!-- Custom theme stylesheets -->
</head>
<body>
<!-- Provide site root to javascript -->
<script type="text/javascript">
// Location of the book root relative to this page (empty: this page sits at the root).
// Read as a global by the book scripts loaded at the end of the page — presumably
// searcher.js / book.js; confirm against those files.
var path_to_root = "";
// Initial theme when nothing has been saved yet: follow the OS colour-scheme hint,
// "navy" for a dark preference and "light" otherwise.
var default_theme;
if (window.matchMedia("(prefers-color-scheme: dark)").matches) {
  default_theme = "navy";
} else {
  default_theme = "light";
}
</script>
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script type="text/javascript">
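// Repair localStorage values that were saved wrapped in a pair of double quotes
// (see the comment above this script): strip the quotes so the later theme and
// sidebar scripts see the bare value.
//
// Fix: getItem() returns null for an unset key, and calling .startsWith() on null
// threw inside the try block, so an unset 'mdbook-theme' silently prevented the
// 'mdbook-sidebar' repair from ever running. Each key is now checked on its own,
// and a value that is a lone '"' is left untouched (slicing it would store "").
// The try/catch stays because storage access itself may throw — presumably when
// storage is disabled by the browser; confirm if that matters for your deployment.
try {
  var theme = localStorage.getItem('mdbook-theme');
  var sidebar = localStorage.getItem('mdbook-sidebar');
  if (theme !== null && theme.length >= 2 && theme.startsWith('"') && theme.endsWith('"')) {
    localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
  }
  if (sidebar !== null && sidebar.length >= 2 && sidebar.startsWith('"') && sidebar.endsWith('"')) {
    localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
  }
} catch (e) { }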
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script type="text/javascript">
// Apply the saved theme to <html> before any content renders (avoids a flash of
// the default theme). Falls back to default_theme, set in the first script above,
// when nothing is stored or storage is unreachable.
var theme;
try {
  theme = localStorage.getItem('mdbook-theme');
} catch (e) {
  // storage unreachable: theme stays undefined and the fallback below applies
}
if (theme == null) {
  theme = default_theme;
}
var html = document.querySelector('html');
// Swap the static no-js/light classes from the template for the live ones.
html.classList.remove('no-js', 'light');
html.classList.add(theme, 'js');
</script>
<!-- Hide / unhide sidebar before it is displayed -->
<script type="text/javascript">
// Choose the sidebar state before it is painted. Narrow viewports (< 1080px) always
// start hidden; wider ones use the stored preference, defaulting to visible.
// `sidebar` is intentionally a global: the ARIA script further down reads it.
var html = document.querySelector('html');
var sidebar = 'hidden';
if (document.body.clientWidth >= 1080) {
  try {
    sidebar = localStorage.getItem('mdbook-sidebar');
  } catch (e) {
    // storage unreachable: keep 'hidden'
  }
  if (!sidebar) {
    sidebar = 'visible';
  }
}
html.classList.remove('sidebar-visible');
html.classList.add('sidebar-' + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<div class="sidebar-scrollbox">
<ol class="chapter"><li class="chapter-item expanded "><a href="../index.html"><strong aria-hidden="true">1.</strong> Introduction</a></li><li class="chapter-item expanded "><a href="start/index.html"><strong aria-hidden="true">2.</strong> Quick Start</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="start/iso.html"><strong aria-hidden="true">2.1.</strong> ISO</a></li><li class="chapter-item expanded "><a href="start/bootstrapping.html"><strong aria-hidden="true">2.2.</strong> Bootstrapping</a></li><li class="chapter-item expanded "><a href="start/from-nixos.html"><strong aria-hidden="true">2.3.</strong> From NixOS</a></li></ol></li><li class="chapter-item expanded "><a href="concepts/index.html"><strong aria-hidden="true">3.</strong> Key Concepts</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="concepts/hosts.html"><strong aria-hidden="true">3.1.</strong> Hosts</a></li><li class="chapter-item expanded "><a href="concepts/overrides.html"><strong aria-hidden="true">3.2.</strong> Overrides</a></li><li class="chapter-item expanded "><a href="concepts/profiles.html"><strong aria-hidden="true">3.3.</strong> Profiles</a></li><li class="chapter-item expanded "><a href="concepts/suites.html"><strong aria-hidden="true">3.4.</strong> Suites</a></li><li class="chapter-item expanded "><a href="concepts/users.html"><strong aria-hidden="true">3.5.</strong> Users</a></li></ol></li><li class="chapter-item expanded "><a href="outputs/index.html"><strong aria-hidden="true">4.</strong> Outputs</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="outputs/modules.html"><strong aria-hidden="true">4.1.</strong> Modules</a></li><li class="chapter-item expanded "><a href="outputs/overlays.html"><strong aria-hidden="true">4.2.</strong> Overlays</a></li><li class="chapter-item expanded "><a href="outputs/pkgs.html"><strong aria-hidden="true">4.3.</strong> Packages</a></li></ol></li><li class="chapter-item expanded 
"><div><strong aria-hidden="true">5.</strong> Concerns</div></li><li><ol class="section"><li class="chapter-item expanded "><a href="secrets.html" class="active"><strong aria-hidden="true">5.1.</strong> Secrets</a></li><li class="chapter-item expanded "><a href="tests.html"><strong aria-hidden="true">5.2.</strong> Tests</a></li></ol></li><li class="chapter-item expanded "><a href="bud/index.html"><strong aria-hidden="true">6.</strong> Helper Script bud</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="bud/get.html"><strong aria-hidden="true">6.1.</strong> get</a></li></ol></li><li class="chapter-item expanded "><a href="integrations/index.html"><strong aria-hidden="true">7.</strong> Integrations</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="integrations/cachix.html"><strong aria-hidden="true">7.1.</strong> Cachix</a></li><li class="chapter-item expanded "><a href="integrations/deploy.html"><strong aria-hidden="true">7.2.</strong> Deploy RS</a></li><li class="chapter-item expanded "><a href="integrations/nvfetcher.html"><strong aria-hidden="true">7.3.</strong> NvFetcher</a></li><li class="chapter-item expanded "><a href="integrations/hercules.html"><strong aria-hidden="true">7.4.</strong> Hercules CI</a></li></ol></li><li class="chapter-item expanded "><a href="CONTRIBUTING.html"><strong aria-hidden="true">8.</strong> Contributing</a></li></ol> </div>
<div id="sidebar-resize-handle" class="sidebar-resize-handle"></div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky bordered">
<div class="left-buttons">
<button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</button>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="light">Light (default)</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">devos docs</h1>
<div class="right-buttons">
<a href="print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script type="text/javascript">
// Sync the sidebar's ARIA state with the `sidebar` global computed earlier: the
// toggle announces expanded/collapsed, the nav is hidden from assistive tech when
// collapsed, and its links leave the tab order so keyboard users don't land on
// invisible content. Wrapped in an IIFE to avoid leaking extra globals.
(function (visible) {
  document.getElementById('sidebar-toggle').setAttribute('aria-expanded', visible);
  document.getElementById('sidebar').setAttribute('aria-hidden', !visible);
  var links = document.querySelectorAll('#sidebar a');
  for (var i = 0; i < links.length; i++) {
    links[i].setAttribute('tabIndex', visible ? 0 : -1);
  }
})(sidebar === 'visible');
</script>
<div id="content" class="content">
<main>
<h1 id="secrets"><a class="header" href="#secrets">Secrets</a></h1>
<p>Secrets are managed using <a href="https://github.com/AGWA/git-crypt">git-crypt</a> and <a href="https://github.com/ryantm/agenix">agenix</a>
so you can keep your flake in a public repository like GitHub without
exposing your password or other sensitive data.</p>
<p>By default, everything in the secrets folder is automatically encrypted. Just
be sure to run <code>git-crypt init</code> before adding anything to it.</p>
<h2 id="agenix"><a class="header" href="#agenix">Agenix</a></h2>
<p>Currently, there is <a href="https://github.com/NixOS/nix/issues/8">no mechanism</a> in nix itself to deploy secrets
within the nix store, because the store is world-readable.</p>
<p>Most NixOS modules have options that can point to files on the system, outside
the nix store, that contain sensitive information. You can use <a href="https://github.com/ryantm/agenix">agenix</a>
to easily set up those secret files declaratively.</p>
<p><a href="https://github.com/ryantm/agenix">agenix</a> encrypts secrets and stores them as .age files in your repository.
Age files are encrypted with multiple ssh public keys, so any host or user with a
matching ssh private key can read the data. The <a href="https://github.com/ryantm/agenix/blob/master/modules/age.nix">age module</a> will add those
encrypted files to the nix store and decrypt them on activation to <code>/run/secrets</code>.</p>
<h3 id="setup"><a class="header" href="#setup">Setup</a></h3>
<p>All hosts must have openssh enabled; this is done by default in the core profile.</p>
<p>You need to populate your <code>secrets/secrets.nix</code> with the proper ssh public keys.
Be extra careful to add only public keys; you should never share a
private key!</p>
<p>secrets/secrets.nix:</p>
<pre><code class="language-nix">let
system = &quot;&lt;system ssh key&gt;&quot;;
user = &quot;&lt;user ssh key&gt;&quot;;
allKeys = [ system user ];
in
</code></pre>
<p>On most systems, you can get your system's ssh public key from <code>/etc/ssh/ssh_host_ed25519_key.pub</code>. If
this file doesn't exist, you likely need to enable openssh and rebuild your system.</p>
<p>Your user's ssh public key is probably stored in <code>~/.ssh/id_ed25519.pub</code> or
<code>~/.ssh/id_rsa.pub</code>. If you haven't generated an ssh key yet, be sure to do so:</p>
<pre><code class="language-sh">ssh-keygen -t ed25519
</code></pre>
<blockquote>
<h5 id="note"><a class="header" href="#note"><em>Note:</em></a></h5>
<p>The underlying tool used by agenix, rage, doesn't work well with password-protected
ssh keys. So if you have lots of secrets, you might have to type in your password many
times.</p>
</blockquote>
<h3 id="secrets-1"><a class="header" href="#secrets-1">Secrets</a></h3>
<p>You will need the <code>agenix</code> command to create secrets. DevOS conveniently provides that
in the devShell, so just run <code>nix develop</code> whenever you want to edit secrets. Make sure
to always run <code>agenix</code> while in the <code>secrets/</code> folder, so it can pick up your <code>secrets.nix</code>.</p>
<p>To create secrets, simply add lines to your <code>secrets/secrets.nix</code>:</p>
<pre><code>let
...
allKeys = [ system user ];
in
{
&quot;secret.age&quot;.publicKeys = allKeys;
}
</code></pre>
<p>That would tell agenix to create a <code>secret.age</code> file that is encrypted with the <code>system</code>
and <code>user</code> ssh public keys.</p>
<p>Then go into the <code>secrets</code> folder and run:</p>
<pre><code class="language-sh">agenix -e secret.age
</code></pre>
<p>This will create the <code>secret.age</code>, if it doesn't already exist, and allow you to edit it.</p>
<p>If you ever change the <code>publicKeys</code> entry of any secret, make sure to rekey the secrets:</p>
<pre><code class="language-sh">agenix --rekey
</code></pre>
<h3 id="usage"><a class="header" href="#usage">Usage</a></h3>
<p>Once you have your secret file encrypted and ready to use, you can use the <a href="https://github.com/ryantm/agenix/blob/master/modules/age.nix">age module</a>
to ensure that your secrets end up in <code>/run/secrets</code>.</p>
<p>In any profile that uses a NixOS module that requires a secret you can enable a particular secret like so:</p>
<pre><code class="language-nix">{ self, ... }:
{
age.secrets.mysecret.file = &quot;${self}/secrets/mysecret.age&quot;;
}
</code></pre>
<p>Then you can just pass the path <code>/run/secrets/mysecret</code> to the module.</p>
<p>You can make use of the many options provided by the age module to customize where and how
secrets get decrypted. You can learn about them by looking at the
<a href="https://github.com/ryantm/agenix/blob/master/modules/age.nix">age module</a>.</p>
<blockquote>
<h5 id="note-1"><a class="header" href="#note-1"><em>Note:</em></a></h5>
<p>You can take a look at the <a href="https://github.com/ryantm/agenix">agenix repository</a> for more information
about the tool.</p>
</blockquote>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="outputs/pkgs.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next" href="tests.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="outputs/pkgs.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next" href="tests.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<script type="text/javascript">
// Global flag read by the book scripts loaded below (presumably book.js) to add
// copy buttons to code blocks — confirm against that file.
window["playground_copyable"] = true;
</script>
<script src="elasticlunr.min.js" type="text/javascript" charset="utf-8"></script>
<script src="mark.min.js" type="text/javascript" charset="utf-8"></script>
<script src="searcher.js" type="text/javascript" charset="utf-8"></script>
<script src="clipboard.min.js" type="text/javascript" charset="utf-8"></script>
<script src="highlight.js" type="text/javascript" charset="utf-8"></script>
<script src="book.js" type="text/javascript" charset="utf-8"></script>
<!-- Custom JS scripts -->
</body>
</html>