encrypt secrets with all machines' and admins' public keys

closes #32
This commit is contained in:
Pim Kunis 2024-01-08 21:46:40 +01:00
parent 0d150b3236
commit b189d061cb
11 changed files with 67 additions and 49 deletions

Binary file not shown.

Binary file not shown.

View file

@ -1,6 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 aqswPA BWfWJ0Detm+1l0tYnjR9n5rIUBfdHb/wTnZnGoYx6SU
gp5vcIXtJpF6KJ0cHJ6GRpHQvxi7ij//1LH0afFoRuo
--- exwOM8D5yMcDFp0uzRnbD6TWSgs12WmZo7sKlnHYOwY
4Öš¾0
e(+×}²½f%Àã^ kÀbד{WèŒôVüPän­×“ù:…Å6ý£s
-> ssh-ed25519 UwNSRQ Lr6HfHB1pQVAVESUkR1a1ie8o9cTtCa0LA4y20UvfRU
8X+VZUfk2oRrM+A4pZC/6yyexo2Kr8MO7isiXPsnOJk
-> ssh-ed25519 JJ7S4A fngT1OkV0pfig7UZ4vA8CWFDWc//xn2KWRsk1+EI0Ac
9J+I87tFasCug4rVaXJKNKzxr450YtZUypSTmwf/r7g
-> ssh-ed25519 aqswPA I/RtBp+6CgMOPs41nbd8CqBgpgch8ixRGbzacXSDKRE
adBD/lskyXK/QU+v/OlQ1wQK7PkhALpdxgHUc1i+jcU
-> ssh-ed25519 LAPUww JtDnT4+NqLMBc+LpQSh0eQnSyXzJOHHbaZFNQmxIdC0
/DjWq9XUAH3xZvU1PlB7Q70LQ0x9SRMmaSYQ+DyQZEM
-> ssh-ed25519 vBZj5g 4YBFh5e32ZHr8byvd4vbZ9zljHO4FTrJGhsZiH//KVw
iA+foYHtgt2PjBG9yfBWNLeygiIbW3MsbUQdVWgyrno
-> ssh-ed25519 QP0PgA urlidySF5ZG9ILjdPuJPX6V/aDIAYzwBVd+XopDF5UA
NL/RxiKPRn+uZW37jJKLOHCaktuvzm0SIwcMmBgF5CY
--- aeaUWpBxSTjrcDDQa6Zk2dcdvhsdqs22JlvkduILpqE
â噧ň˛ ŕˇ)Š„Ĺçäż7btˇ­­íu+Ő<>=ĽŻMŁÁlěMúzsŐÚ8đ… 

View file

@ -1,5 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 aqswPA nsjKPakYuFVxfbJkPKnhqPytMz07KIT32xgJpiuaRD0
fv+HZdDb1Evy0LIA5sFMFx+KUbAF7jJojrQXMSSmNAo
--- zJOYXheC2OupvfQNtDfcUCkVMg3TqJQEFjTfAwyi/Pw
¼¬Î°‡<EFBFBD>¨×¶†¡£‰¹maåJ^¤ˆ•€UZÂ>¬f±ââ÷@¨•¤‰÷òmÎG¨`ðrOY2‰#‡ÜŽ¼oΙþ‡= åSƒî_.ô¼MÅa3ŸL<C5B8>ÉÈüçcB·t§ÜËZ× Žç5 c•ä0Á=ŽLK¢¥ +!cu<63>t«Rƒà¥U2îŸ6½ßª½)<13>ƒ¯fPÚ³AU«¤
-> ssh-ed25519 UwNSRQ 4tVNE9qMbAvdgvUV/lllntSWjschSe3gY8nknp1DgQk
8nQh/bM1tkSyPd0j5Tn9DeUT6V4p8Fdk3GiGZUwoBwk
-> ssh-ed25519 JJ7S4A QHRi+zGVWfa6+l/gpUC1SyCSrDjMRk89MAYUVmdINWQ
RstWCyCv2sSQCqgcFT6Djza7gkztlFf3af1EvNQTg6k
-> ssh-ed25519 aqswPA BSwMu/VwsKqpHaqWbP7TNVE3kNWeGV1xdj2AhIhJOQE
1QwREnDoFi5UTd20dAbJEVeA9lp3R6746PTAyF5KRqQ
-> ssh-ed25519 LAPUww zFWdRmb38deepDWtFIlQYFA205jKrM6T4iU6nURnBU4
gxA0pT9DKQMXMSJjQ+fFp7K6rhwHx90pXwFcBuc1ptI
-> ssh-ed25519 vBZj5g uYJyvL//qPFg1QXgvacb+0Z0+4NMTXCg5dddlVDJJDQ
2DqHQ6FIw8oCXbkZPl5fLmUVmXzBMLe9wFJsPSEDoZQ
-> ssh-ed25519 QP0PgA +CHjn/rPhNrsXSVMFgoyhSdhn8k6BWS58XSDwjipi0U
DGVkPVEMzPZDRPygjIxX4VWv9wbknmrMXFMAXnWVI1Q
--- GZXaTJpDKi0WIHeOzamI/MygV50iPVV94UFyqPMd1GA
%ƒXQcZŠXZâ÷´¥¦ƒÇÿö#_¤ Û{L<>¥fŠ×åOc¡EsæõÂ"ãG:ÂM D}£{\.äÛÙ†øÐû Ôý~Û6† ,|C•v0ºŠ*Rr74ñ{ŠußásÝZ=s}YH:æÀZ¤Þ…&(­vR„<52>ËMkqãàÈî_PEKàMÆ"?kÌ\¨­¶Ö—³êZ¬P

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View file

@ -1,44 +1,43 @@
# TODO: Just encrypt each file with all hosts' public keys (plus our personal public keys) and deploy when demanded.
let
pkgs = import <nixpkgs> { };
lib = pkgs.lib;
secrets = {
jefke = {
publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a pim@x260"
];
encryptedFiles = [
"jefke_host_ed25519.age"
"jefke_user_ed25519.age"
"postgresql_server.key.age"
];
};
atlas = {
publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 pim@x260"
];
encryptedFiles = [
"atlas_host_ed25519.age"
"atlas_user_ed25519.age"
];
};
lewis = {
publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a pim@x260"
];
encryptedFiles = [
"lewis_host_ed25519.age"
"lewis_user_ed25519.age"
"database_passwords.env.age"
"borg_passphrase.age"
"ec2_borg_server.pem.age"
];
};
};
publicKeyURLs = [
"https://github.com/pizzapim.keys"
"https://github.com/pizzaniels.keys"
];
encryptedFileNames = [
"jefke_host_ed25519.age"
"jefke_user_ed25519.age"
"postgresql_server.key.age"
"atlas_host_ed25519.age"
"atlas_user_ed25519.age"
"lewis_host_ed25519.age"
"lewis_user_ed25519.age"
"database_passwords.env.age"
"borg_passphrase.age"
"ec2_borg_server.pem.age"
];
machinePublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a root@jefke.hyp"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 root@atlas.hyp"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a root@lewis.hyp"
];
fetchPublicKeys = url:
let
publicKeysFile = builtins.fetchurl { inherit url; };
publicKeysFileContents = lib.strings.fileContents publicKeysFile;
in
lib.strings.splitString "\n" publicKeysFileContents;
adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];
publicKeysForEncryptedFileName = encryptedFileName:
{ "${encryptedFileName}".publicKeys = allPublicKeys; };
in
lib.attrsets.mergeAttrsList (builtins.map
({ publicKeys, encryptedFiles }:
lib.attrsets.mergeAttrsList (builtins.map
(encryptedFile: { "${encryptedFile}" = { inherit publicKeys; }; })
encryptedFiles))
(lib.attrsets.attrValues secrets))
lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)