    /*
    This specifies the secrets for agenix and what *keys* they should be encrypted to.
    
    Note: this file is *not* part of the NixOS configuration itself! It is only used by the `agenix` CLI
    tool to encrypt and edit the secrets.
    
    The meaning of the keys in the `publicKeys` list for a secret is:
    - the SSH *user* keys determine which users can edit / view secrets using the `agenix` CLI
    - the SSH *host* keys determine on which devices that secret can be decrypted during activation
    - for secrets used via the agenix home-manager module there is no such distinction:
      only user keys make sense there, since home-manager doesn't have access to the host key
    
    Or from the opposite perspective:
    - to edit a secret in the CLI the user's SSH user key needs to be set for it
    - to use a secret in the NixOS config itself, the SSH host key of the device that the config will be
      deployed on needs to be set for it
    */
    
    let
      pubKeys = import res/ssh-public-keys.nix;
    
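      keySets = {
        # Default key set: main devices only (no VMs, nix-on-droid or RPi's),
        # plus the main user keys so those users can edit the secret.
        default = [
          pubKeys.host.melissa
          pubKeys.host.miranda
          pubKeys.host.sapphire
          pubKeys.host.obsidian
          pubKeys.host.amethyst
          pubKeys.user.melissa
          pubKeys.user.miranda
          pubKeys.user.sapphire
        ];

        # Server secrets: encrypt to the server host key and the main user keys.
        server = [
          pubKeys.host.sapphire
          pubKeys.user.melissa
          pubKeys.user.miranda
          pubKeys.user.sapphire
        ];

        # Secrets for the microvm runner: its host key plus the main user keys.
        microvmRunner = [
          pubKeys.host.microvm-runner
          pubKeys.user.melissa
          pubKeys.user.miranda
          pubKeys.user.sapphire
        ];

        # Restricted secrets used by exactly one device: encrypt to that device's
        # host key and to the main user keys for editing.
        # `device` is an attribute name in `pubKeys.host` and must be interpolated
        # with `${device}`; the quoted form `pubKeys.host."device"` looks up the
        # literal attribute `device` and ignores the argument, so the secret
        # would either fail to evaluate or be encrypted to a key that is not the
        # intended host's.
        restrictedFor = device: [
          pubKeys.host.${device}
          pubKeys.user.melissa
          pubKeys.user.miranda
        ];

        # Default for user-only secrets used via the agenix home-manager module:
        # user keys only, since home-manager has no access to the host key.
        home = [
          pubKeys.user.melissa
          pubKeys.user.miranda
          pubKeys.user.sapphire
          pubKeys.user.marina
          pubKeys.user.amethyst
          pubKeys.user.obsidian
        ];
      };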
    in {
    
      /*
      General misc secrets.