agenix
Recommendations for secrets needed during a NixOS install?
I'm writing a NixOS iso (USB installer) to batch-install NixOS on dozens of machines. The installer needs access to some secrets, and I'd like to be able to use agenix to manage them.
My current idea is to ssh-keygen a key-pair for the installer to use, and then use the following NixOS configuration:
# secrets.nix
let
  admin = "ssh-ed25519 foo admin@place";
  installer = "ssh-ed25519 bar root@nixos"; # public key from `ssh-keygen -t ed25519`
in {
  "secret.age".publicKeys = [ admin installer ];
  "id_ed25519.age".publicKeys = [ admin installer ]; # private key from `ssh-keygen -t ed25519`
}

# installer.nix
isoFor { # isoFor is just a function that creates ./result/iso/*.iso
  imports = [];
  services.openssh.knownHosts.root.publicKey = "ssh-ed25519 bar root@nixos"; # same as `installer` in secrets.nix
  age.secrets.id_ed25519 = {
    file = ./path/to/id_ed25519.age;
    path = "/etc/ssh/id_ed25519";
  };
}
Any recommendations? I'm trying to think through the security implications. Has anyone else solved this another way?
How would it decrypt id_ed25519.age though? It would need the private key to do it, but it hasn't been decrypted yet.
ugh circular dependencies! :man_facepalming:
I'm open to alternatives if you have any ideas?
Maybe this?
- do one manual and minimal NixOS install onto the flash drive, using full-disk encryption.
- encrypt the secrets based on the key on that flash drive.
- deploy the additional config to the flash drive.
- make copies of the flash drive as appropriate.
- If you need to make new versions, you repeat steps 3 and 4.
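One way to write the installer side of that flash-drive approach, as an added example that is not code from this thread or from the agenix project: the SSH host key generated during the manual install onto the encrypted drive is the only age identity, and it is never itself stored as an agenix secret, so nothing has to be decrypted before the decryption key exists. The key strings, the `secret.age` name and the `isoFor` wrapper from the question are placeholders; `age.identityPaths`, `age.secrets.<name>.file`, `.mode` and `.owner` are real agenix options.

```nix
# installer.nix (added example) -- configuration deployed onto the flash drive
# that was already installed manually with full-disk encryption.
#
# The matching secrets.nix entry uses the PUBLIC half of the host key that the
# manual install created, e.g. the contents of /etc/ssh/ssh_host_ed25519_key.pub:
#
#   installer = "ssh-ed25519 AAAA...installer root@installer"; # placeholder value
#   "secret.age".publicKeys = [ admin installer ];
#
# Crucially, no "id_ed25519.age" entry exists: the installer's private key is
# protected by the disk encryption, not by agenix, so there is no cycle.
isoFor {
  imports = [];

  # Pin the identity agenix decrypts with to the host key that already exists on
  # the encrypted drive at boot. This is agenix's default search path, but
  # stating it explicitly makes the bootstrap dependency visible in review.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Only the secrets the install procedure itself needs are declared here.
  age.secrets.secret = {
    file = ./secrets/secret.age;  # placeholder path; encrypted to admin + installer
    mode = "0400";                 # readable by the install script running as root only
    owner = "root";
  };
}
```

Re-keying a new flash-drive image means re-running the manual install (new host key), re-encrypting `secret.age` to the new public key, then cloning the drive, which matches steps 3 and 4 above.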
I get my keys from a private repo, though that only works (right now, see #45) if you need it AFTER boot.