encrypt secrets with all machines' and admins' public keys

closes #32
2024-01-08 21:46:40 +01:00 · 2024-01-08 21:46:40 +01:00 · b189d061cb
commit b189d061cb
parent 0d150b3236
11 changed files with 67 additions and 49 deletions
--- a/nixos/secrets/atlas_host_ed25519.age
+++ b/nixos/secrets/atlas_host_ed25519.age
--- a/nixos/secrets/atlas_user_ed25519.age
+++ b/nixos/secrets/atlas_user_ed25519.age
--- a/nixos/secrets/borg_passphrase.age
+++ b/nixos/secrets/borg_passphrase.age
@ -1,6 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 aqswPA BWfWJ0Detm+1l0tYnjR9n5rIUBfdHb/wTnZnGoYx6SU
+-> ssh-ed25519 UwNSRQ Lr6HfHB1pQVAVESUkR1a1ie8o9cTtCa0LA4y20UvfRU
-gp5vcIXtJpF6KJ0cHJ6GRpHQvxi7ij//1LH0afFoRuo
+8X+VZUfk2oRrM+A4pZC/6yyexo2Kr8MO7isiXPsnOJk
--- exwOM8D5yMcDFp0uzRnbD6TWSgs12WmZo7sKlnHYOwY
+-> ssh-ed25519 JJ7S4A fngT1OkV0pfig7UZ4vA8CWFDWc//xn2KWRsk1+EI0Ac
-4Öš¾0
+9J+I87tFasCug4rVaXJKNKzxr450YtZUypSTmwf/r7g
-e(+×}²½f%Àã^‘ kÀb×“{WèŒôVüPän×“ù:…Å6ý£s
+-> ssh-ed25519 aqswPA I/RtBp+6CgMOPs41nbd8CqBgpgch8ixRGbzacXSDKRE
 adBD/lskyXK/QU+v/OlQ1wQK7PkhALpdxgHUc1i+jcU
 -> ssh-ed25519 LAPUww JtDnT4+NqLMBc+LpQSh0eQnSyXzJOHHbaZFNQmxIdC0
 /DjWq9XUAH3xZvU1PlB7Q70LQ0x9SRMmaSYQ+DyQZEM
 -> ssh-ed25519 vBZj5g 4YBFh5e32ZHr8byvd4vbZ9zljHO4FTrJGhsZiH//KVw
 iA+foYHtgt2PjBG9yfBWNLeygiIbW3MsbUQdVWgyrno
 -> ssh-ed25519 QP0PgA urlidySF5ZG9ILjdPuJPX6V/aDIAYzwBVd+XopDF5UA
 NL/RxiKPRn+uZW37jJKLOHCaktuvzm0SIwcMmBgF5CY
 --- aeaUWpBxSTjrcDDQa6Zk2dcdvhsdqs22JlvkduILpqE
 âĺ™§ňQú˛ŕˇ)Š„Ĺçäż7btˇíu+Ő<>=ĽŻMŁÁlěMúzsŐÚ8đ…	a˙
--- a/nixos/secrets/database_passwords.env.age
+++ b/nixos/secrets/database_passwords.env.age
@ -1,5 +1,15 @@
 age-encryption.org/v1
-> ssh-ed25519 aqswPA nsjKPakYuFVxfbJkPKnhqPytMz07KIT32xgJpiuaRD0
+-> ssh-ed25519 UwNSRQ 4tVNE9qMbAvdgvUV/lllntSWjschSe3gY8nknp1DgQk
-fv+HZdDb1Evy0LIA5sFMFx+KUbAF7jJojrQXMSSmNAo
+8nQh/bM1tkSyPd0j5Tn9DeUT6V4p8Fdk3GiGZUwoBwk
--- zJOYXheC2OupvfQNtDfcUCkVMg3TqJQEFjTfAwyi/Pw
+-> ssh-ed25519 JJ7S4A QHRi+zGVWfa6+l/gpUC1SyCSrDjMRk89MAYUVmdINWQ
-‚¼¬Î°‡<EFBFBD>¨×¶†¡£‰¹maåJ^¤ˆ•€UZÂ>¬f±ââ÷@¨•¤‰÷òmÎG¨`ðrOY2‰#‡ÜŽ¼oÎ™þ‡=	åSƒî_.ô¼MÅa3›HŸ–ŸL<C5B8>ÉÈüçcB·t§ÜËZ× Žç5 c•ä0Á=ŽLK¢¥‹ +!cu<63>t«Rƒà¥U2îŸ6½ßª½)<13>ƒ¯fPÚ³AU«‘¤
+RstWCyCv2sSQCqgcFT6Djza7gkztlFf3af1EvNQTg6k
 -> ssh-ed25519 aqswPA BSwMu/VwsKqpHaqWbP7TNVE3kNWeGV1xdj2AhIhJOQE
 1QwREnDoFi5UTd20dAbJEVeA9lp3R6746PTAyF5KRqQ
 -> ssh-ed25519 LAPUww zFWdRmb38deepDWtFIlQYFA205jKrM6T4iU6nURnBU4
 gxA0pT9DKQMXMSJjQ+fFp7K6rhwHx90pXwFcBuc1ptI
 -> ssh-ed25519 vBZj5g uYJyvL//qPFg1QXgvacb+0Z0+4NMTXCg5dddlVDJJDQ
 2DqHQ6FIw8oCXbkZPl5fLmUVmXzBMLe9wFJsPSEDoZQ
 -> ssh-ed25519 QP0PgA +CHjn/rPhNrsXSVMFgoyhSdhn8k6BWS58XSDwjipi0U
 DGVkPVEMzPZDRPygjIxX4VWv9wbknmrMXFMAXnWVI1Q
 --- GZXaTJpDKi0WIHeOzamI/MygV50iPVV94UFyqPMd1GA
 %ƒXQcZŠXZâ÷´¥¦ƒÇÿö\â–iÏ#_¤Û{L<>¥fŠ×åOc¡EsæõÂ"ãG:ÂM	D}£{\.äÛÙ†øÐû	Ôý~Û6†,|C•v0ºŠ*Rr74ñ{Š–ußásÝZ=s}YH:æÀZ¤Þ…&(vR„<52>ËMkqãàÈî_PEKàMÆ"?kÌ\¨¶Ö—³êZ’¬P
--- a/nixos/secrets/ec2_borg_server.pem.age
+++ b/nixos/secrets/ec2_borg_server.pem.age
--- a/nixos/secrets/jefke_host_ed25519.age
+++ b/nixos/secrets/jefke_host_ed25519.age
--- a/nixos/secrets/jefke_user_ed25519.age
+++ b/nixos/secrets/jefke_user_ed25519.age
--- a/nixos/secrets/lewis_host_ed25519.age
+++ b/nixos/secrets/lewis_host_ed25519.age
--- a/nixos/secrets/lewis_user_ed25519.age
+++ b/nixos/secrets/lewis_user_ed25519.age
--- a/nixos/secrets/postgresql_server.key.age
+++ b/nixos/secrets/postgresql_server.key.age
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@ -1,44 +1,43 @@
 # TODO: Just encrypt each file with all hosts' public keys (plus our personal public keys) and deploy when demanded.
 let
  pkgs = import <nixpkgs> { };
  lib = pkgs.lib;
-  secrets = {
+
-    jefke = {
+  publicKeyURLs = [
-      publicKeys = [
+    "https://github.com/pizzapim.keys"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a pim@x260"
+    "https://github.com/pizzaniels.keys"
  ];
-      encryptedFiles = [
+
  encryptedFileNames = [
    "jefke_host_ed25519.age"
    "jefke_user_ed25519.age"
    "postgresql_server.key.age"
      ];
    };
    atlas = {
      publicKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 pim@x260"
      ];
      encryptedFiles = [
    "atlas_host_ed25519.age"
    "atlas_user_ed25519.age"
      ];
    };
    lewis = {
      publicKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a pim@x260"
      ];
      encryptedFiles = [
    "lewis_host_ed25519.age"
    "lewis_user_ed25519.age"
    "database_passwords.env.age"
    "borg_passphrase.age"
    "ec2_borg_server.pem.age"
  ];
-    };
+
-  };
+  machinePublicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJUSH2IQg8Y/CCcej7J6oe4co++6HlDo1MYDCR3gV3a root@jefke.hyp"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKZ1OGe8jLyc+72SFUnW4FOKbpqHs7Mym85ESBN4HWV7 root@atlas.hyp"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5lZjsqS6C50WO8p08TY7Fg8rqQH04EkpDTxCRGtR7a root@lewis.hyp"
  ];
  fetchPublicKeys = url:
    let
      publicKeysFile = builtins.fetchurl { inherit url; };
      publicKeysFileContents = lib.strings.fileContents publicKeysFile;
    in
-lib.attrsets.mergeAttrsList (builtins.map
+    lib.strings.splitString "\n" publicKeysFileContents;
-  ({ publicKeys, encryptedFiles }:
+
-  lib.attrsets.mergeAttrsList (builtins.map
+  adminPublicKeys = lib.flatten (builtins.map fetchPublicKeys publicKeyURLs);
-    (encryptedFile: { "${encryptedFile}" = { inherit publicKeys; }; })
+
-    encryptedFiles))
+  allPublicKeys = lib.flatten [ machinePublicKeys adminPublicKeys ];
-  (lib.attrsets.attrValues secrets))
+
  publicKeysForEncryptedFileName = encryptedFileName:
    { "${encryptedFileName}".publicKeys = allPublicKeys; };
 in
 lib.attrsets.mergeAttrsList (builtins.map publicKeysForEncryptedFileName encryptedFileNames)