feat(secrets)!: Replace sops with agenix-rekey
sops-nix tends to be fairly complex for our use-cases, which makes
deploying harder, adds maintenance burden to our wrapper module, requires
keeping ".env.bin" files around, etc.
agenix-rekey is a lot simpler.
notable in this commit is the `// { outputPath = ...; }` hack in
flake.nix. This is needed due to snowfall-lib otherwise butchering paths
such that agenix-rekey is unable to show us what secrets exist with
`agenix edit`, etc... companion to that is the lib.snowfall.fs stuff in
the secrets/default.nix file
Change-Id: Id3e79cfc7d37a7b7de7b8cc42f7392c4d8bd07c5
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/801
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/modules/nixos/clicks/security/secrets/default.nix b/modules/nixos/clicks/security/secrets/default.nix
new file mode 100644
index 0000000..9a97f9d
--- /dev/null
+++ b/modules/nixos/clicks/security/secrets/default.nix
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2024 Auxolotl Infrastructure Contributors
+# SPDX-FileCopyrightText: 2024 Clicks Codes
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+{ config, lib, pkgs, inputs, ... }: let
+ cfg = config.clicks.security.secrets;
+in {
+ options.clicks.security.secrets.enable = lib.mkOption {
+ description = "Enable using agenix-rekey for secrets";
+ type = lib.types.bool;
+ default = true;
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.rekey = {
+ masterIdentities = [
+ "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
+ "${inputs.self}/secrets/keys/minion/iyubikey.pub"
+ ];
+ storageMode = "local";
+ generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${config.networking.hostName}";
+ localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${config.networking.hostName}";
+ };
+
+ age.identityPaths = lib.mkIf config.clicks.storage.impermanence.enable [
+ "/persist/data/etc/ssh/ssh_host_ed25519_key"
+ "/persist/data/etc/ssh/ssh_host_rsa_key"
+ ];
+ };
+}
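Review bot: Nothing in this module sets `age.rekey.hostPubkey`, so every host must supply it in its own config; if I recall agenix-rekey's behaviour correctly, a host that forgets will be rekeyed against a placeholder key (with only a warning) and the files committed under `secrets/rekeyed/<host>` will not be decryptable by that machine. A one-line comment above `age.rekey = {` would make the contract explicit: `# hostPubkey is deliberately not set here: each host must provide its own, otherwise its rekeyed secrets are unusable`. The three master identities are all hardware keys belonging to one operator, which makes that person (plus `age-plugin-yubikey` on PATH, which this module does not add via `age.rekey.agePlugins` — confirm it is configured elsewhere) a single point of failure for every `agenix edit`/`rekey`; a documented offline recovery identity would avoid the secrets becoming unreadable if those YubiKeys are lost. Finally, `age.identityPaths` is only overridden when impermanence is enabled and otherwise silently relies on agenix's default `/etc/ssh` host-key paths; a comment like `# non-impermanent hosts fall back to agenix's default host-key identity paths` would spare the next maintainer from guessing.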