Use sops for secrets

simon commented

2021-02-08 08:42:07 +01:00

Owner

“Secrets” currently managed with git-crypt will remain unaffected, since they aren’t used for secrets, but for configuration that stores sensitive private user data (like mail addresses, password hashes) and has to be available at build time.

Does it work for initrd host keys? No, since they have to be available at build time (or at least before activation).
- Treat them as state like regular host keys (put them in /etc/ssh)
  - include /etc/ in backups
  - change unlock script
Does it work for luks key? It should be state (e.g. in /root)
- include /root in backups
Migrate secrets
- nunotaba
- sayuri
  - add host key
  - move luks data to /root
- vueko
- fuuko

Original content refering to agenix:

Use agenix for secrets. This removes the dependency on password-store and stores secrets encrypted to the target ssh host key in the nix store. This makes the deployment more reproducible, as there is no depdency on an external repository.

Since I don’t (yet) want to make all my ssh keys passwordless, I will be using age’s own keys.

“Secrets” currently managed with git-crypt will remain unaffected, since they aren’t used for secrets, but for configuration that stores sensitive private user data (like mail addresses, password hashes) and has to be available at build time. - [X] Does it work for initrd host keys? **No**, since they have to be available at build time (or at least before activation). - [X] Treat them as state like regular host keys (put them in `/etc/ssh`) - [X] include `/etc/` in backups - [X] change unlock script - [X] Does it work for luks key? It should be state (e.g. in `/root`) - [X] include `/root` in backups - Migrate secrets - [X] nunotaba - [X] sayuri - [X] add host key - [X] move luks data to /root - [X] vueko - [X] fuuko --- Original content refering to agenix: Use [agenix](https://github.com/ryantm/agenix) for secrets. This removes the dependency on password-store and stores secrets encrypted to the target ssh host key in the nix store. This makes the deployment more reproducible, as there is no depdency on an external repository. Since I don’t (yet) want to make all my ssh keys passwordless, I will be using age’s own keys.