simon
/
nixos-config
1
1
Fork 0
Code Issues 8 Pull Requests Projects Releases Activity

Use sops for secrets #38

New Issue
Closed
opened 2021-02-08 08:42:07 +01:00 by simon · 0 comments
simon commented 2021-02-08 08:42:07 +01:00
Owner

“Secrets” currently managed with git-crypt will remain unaffected, since they aren’t used for secrets, but for configuration that stores sensitive private user data (like mail addresses, password hashes) and has to be available at build time.

  • Does it work for initrd host keys? No, since they have to be available at build time (or at least before activation).
    • Treat them as state like regular host keys (put them in /etc/ssh)
      • include /etc/ in backups
      • change unlock script
  • Does it work for luks key? It should be state (e.g. in /root)
    • include /root in backups
  • Migrate secrets
    • nunotaba
    • sayuri
      • add host key
      • move luks data to /root
    • vueko
    • fuuko

Original content refering to agenix:

Use agenix for secrets. This removes the dependency on password-store and stores secrets encrypted to the target ssh host key in the nix store. This makes the deployment more reproducible, as there is no depdency on an external repository.

Since I don’t (yet) want to make all my ssh keys passwordless, I will be using age’s own keys.

“Secrets” currently managed with git-crypt will remain unaffected, since they aren’t used for secrets, but for configuration that stores sensitive private user data (like mail addresses, password hashes) and has to be available at build time. - [X] Does it work for initrd host keys? **No**, since they have to be available at build time (or at least before activation). - [X] Treat them as state like regular host keys (put them in `/etc/ssh`) - [X] include `/etc/` in backups - [X] change unlock script - [X] Does it work for luks key? It should be state (e.g. in `/root`) - [X] include `/root` in backups - Migrate secrets - [X] nunotaba - [X] sayuri - [X] add host key - [X] move luks data to /root - [X] vueko - [X] fuuko --- Original content refering to agenix: Use [agenix](https://github.com/ryantm/agenix) for secrets. This removes the dependency on password-store and stores secrets encrypted to the target ssh host key in the nix store. This makes the deployment more reproducible, as there is no depdency on an external repository. Since I don’t (yet) want to make all my ssh keys passwordless, I will be using age’s own keys.
simon added the
affects/reproducibility
affects/security
type
feature
 labels 2021-02-08 08:42:07 +01:00
simon added the
blocked by/testing needed
blocked by/upstream
 labels 2021-02-20 17:25:55 +01:00
simon changed title from Use agenix for secrets to Use sops for secrets 2021-04-06 10:12:04 +02:00
simon removed the
blocked by/upstream
 label 2021-04-06 10:14:45 +02:00
simon added
blocked by/testing needed/sayuri
 and removed
blocked by/testing needed
 labels 2021-04-06 23:42:52 +02:00
simon referenced this issue from a commit 2021-04-10 11:59:19 +02:00
sayuri: Migrate to sops
simon closed this issue 2021-04-10 11:59:19 +02:00
simon removed the
blocked by/testing needed/sayuri
 label 2021-04-16 22:50:28 +02:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
okarin2
hyper
master
catering
reuse
yuzuru2
renge2
23.11
nazuna
neomutt
sayuri-mesa-clover
upower
binfmt
ayu
restic-rest-server
Labels
Clear labels   
affects/hardware
   
affects/legal
   
affects/reproducibility
   
affects/security
   
affects/style
   
affects/usability
   
blocked by/release 21.05
   
blocked by/release 21.11
   
blocked by/release 22.05
   
blocked by/testing needed
   
blocked by/testing needed/fuuko
   
blocked by/testing needed/sayuri
   
blocked by/upstream
  
resolution
deferred
   
resolution
permanent workaround
   
resolution
upstream wontfix
   
resolution
wontfix
  
type
bug
   
type
chore
   
type
feature
   
type
new machine
   
type
question
   
type
regression
   
type
tracking
No Label
affects/hardware
affects/legal
affects/reproducibility
affects/security
affects/style
affects/usability
blocked by/release 21.05
blocked by/release 21.11
blocked by/release 22.05
blocked by/testing needed
blocked by/testing needed/fuuko
blocked by/testing needed/sayuri
blocked by/upstream
resolution
deferred
resolution
permanent workaround
resolution
upstream wontfix
resolution
wontfix
type
bug
type
chore
type
feature
type
new machine
type
question
type
regression
type
tracking
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: simon/nixos-config#38
There is no content yet.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?