feat(secrets)!: Replace sops with agenix-rekey
sops-nix is tending to be fairly complex for our use-cases, which adds
difficulty to deploying, maintaining our wrapper module, keeping
".env.bin" files, etc.
agenix-rekey is a lot simpler.
Notable in this commit is the `// { outputPath = ...; }` hack in
flake.nix. This is needed because snowfall-lib otherwise butchers paths
such that agenix-rekey is unable to show us which secrets exist with
`agenix edit`, etc. A companion to that is the lib.snowfall.fs stuff in
the secrets/default.nix file.
Change-Id: Id3e79cfc7d37a7b7de7b8cc42f7392c4d8bd07c5
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/801
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index d09bb7f..83cacf7 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -11,6 +11,8 @@
...
}:
{
+ age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPkKdPSPxsLdx3GUjjyibRLjLl3XfaXmfrrvemDFkjI3";
+
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
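Review bot: The host public key added on the `age.rekey.hostPubkey` line carries no note of where it was taken from, so a later reader cannot verify it against the machine without guessing, and agenix-rekey encrypts every secret for this host to exactly this key, so a stale or wrong key silently produces secrets the host cannot decrypt. A one-line comment naming the source would make the value checkable, e.g. `# teal's SSH host key; must match /etc/ssh/ssh_host_ed25519_key.pub on the host` (path assumed from the ssh-ed25519 key type — confirm). The commit message does not say how the key was obtained either, so a sentence there would also help.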
@@ -31,7 +33,7 @@
defaults = {
email = "minion@clicks.codes";
dnsProvider = "cloudflare";
- environmentFile = config.clicks.secrets."${lib.clicks.secrets.name ./acme.sops.env.bin}".path;
+ environmentFile = config.age.secrets."clicks.security.acme.defaults.environmentFile".path;
};
};
};
@@ -49,14 +51,14 @@
issuer = "https://login.clicks.codes/realms/master";
allowed_groups = [ "/clicks" ];
client_secret_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.oidc_client_secret;
+ config.age.secrets."clicks.services.headscale.oidc.client_secret_path".path;
};
database_password_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.database_password;
+ config.age.secrets."clicks.services.headscale.database_password_path".path;
noise_private_key_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key;
+ config.age.secrets."clicks.services.headscale.noise_private_key_path".path;
private_key_path =
- config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key;
+ config.age.secrets."clicks.services.headscale.private_key_path".path;
acl =
let
internet = [
@@ -187,7 +189,7 @@
networking.tailscale = {
enable = true;
authKeyFile =
- config.clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}".paths.authKey;
+ config.age.secrets."clicks.networking.tailscale.authKeyFile".path;
};
storage = {
@@ -236,22 +238,28 @@
system.stateVersion = "24.05";
- clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}" = {
- file = ./headscale.sops.json;
+ age.secrets."clicks.security.acme.defaults.environmentFile".rekeyFile = ./clicks.security.acme.defaults.environmentFile.age;
+
+ age.secrets."clicks.services.headscale.oidc.client_secret_path" = {
+ rekeyFile = ./clicks.services.headscale.oidc.client_secret_path.age;
group = "headscale";
- keys = [
- "oidc_client_secret"
- "database_password"
- "noise_private_key"
- "private_key"
- ];
- neededForUsers = false;
+ mode = "440";
+ };
+ age.secrets."clicks.services.headscale.database_password_path" = {
+ rekeyFile = ./clicks.services.headscale.database_password_path.age;
+ group = "headscale";
+ mode = "440";
+ };
+ age.secrets."clicks.services.headscale.noise_private_key_path" = {
+ rekeyFile = ./clicks.services.headscale.noise_private_key_path.age;
+ group = "headscale";
+ mode = "440";
+ };
+ age.secrets."clicks.services.headscale.private_key_path" = {
+ rekeyFile = ./clicks.services.headscale.private_key_path.age;
+ group = "headscale";
+ mode = "440";
};
- clicks.secrets."${lib.clicks.secrets.name ./tailscale.sops.json}" = {
- file = ./tailscale.sops.json;
- keys = [ "authKey" ];
- };
-
- clicks.secrets."${lib.clicks.secrets.name ./acme.sops.env.bin}".file = ./acme.sops.env.bin;
+ age.secrets."clicks.networking.tailscale.authKeyFile".rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
}
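Review bot: The four headscale `age.secrets` declarations starting at the `oidc.client_secret_path` block are identical apart from the name, and the `rekeyFile` names are derived mechanically from the attribute names, so a `lib.genAttrs` over the four names would remove the copy-paste and keep `group`/`mode` in one place. Note that a generated attrset cannot sit next to separate `age.secrets."…" = …;` definitions in the same module (Nix only merges literal attrsets), so the acme and tailscale entries need to be folded in with `//`; this assumes `lib` is still among the module arguments, which the removed lines suggest but the hunk does not show. The referenced `.age` files are not part of this diff and are presumably added elsewhere in the commit.

```nix
age.secrets = {
  "clicks.security.acme.defaults.environmentFile".rekeyFile = ./clicks.security.acme.defaults.environmentFile.age;
  "clicks.networking.tailscale.authKeyFile".rekeyFile = ./clicks.networking.tailscale.authKeyFile.age;
} // lib.genAttrs [
  "clicks.services.headscale.oidc.client_secret_path"
  "clicks.services.headscale.database_password_path"
  "clicks.services.headscale.noise_private_key_path"
  "clicks.services.headscale.private_key_path"
] (name: {
  # every headscale secret lives in <name>.age next to this file and is group-readable by headscale only
  rekeyFile = ./. + "/${name}.age";
  group = "headscale";
  mode = "440";
});
```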