diff --git a/flake.nix b/flake.nix
index 5e301c6..ff6d08b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,11 +70,18 @@ name = "devShell";
 packages = [
 just
+ rclone
+ age
 sops
+ ssh-to-age
+ git
 git-crypt
 gnupg
+
+ yubikey-manager
+ age-plugin-yubikey
 ];
 };
 };
diff --git a/secrets/README.md b/secrets/README.md
index 56eb406..92e28d4 100644
--- a/secrets/README.md
+++ b/secrets/README.md
@@ -66,75 +66,3 @@ sops -d secrets/system/wifi.yaml # Update .sops.yaml with new keys, then: sops updatekeys secrets/system/wifi.yaml ``` - -## Migrating to Yubikey - -### 1. Generate a new age identity on Yubikey - -```bash -# Insert Yubikey and run interactive setup -age-plugin-yubikey - -# Follow prompts: -# - Select slot (default: 1) -# - Set PIN policy (default: once per session) -# - Set touch policy (recommended: always) -# -# This generates a NEW key on the Yubikey - you will not know the private key. -# Save the identity to the keys directory: -age-plugin-yubikey --identity > src/user/config/keys/age/yubikey -``` - -The identity file only contains a *reference* to the Yubikey, not the private key. -It will be deployed to `~/.config/sops/age/keys.txt` on rebuild. - -### 2. Update .sops.yaml with Yubikey public key - -```bash -# Get the public key (age1yubikey1...) -age-plugin-yubikey --list - -# Edit .sops.yaml and replace/add the key: -vim .sops.yaml -``` - -```yaml -keys: - - &yubikey age1yubikey1q... # your Yubikey public key - -creation_rules: - - path_regex: secrets/.*\.yaml$ - key_groups: - - age: - - *yubikey -``` - -### 3. Re-key all secrets against the new key - -```bash -# This decrypts with your OLD key and re-encrypts with the NEW key -find secrets -name "*.yaml" -exec sops updatekeys {} \; -``` - -You'll need your old key available during this step. - -### 4. Remove the old age key (optional) - -```bash -# Once all secrets are re-keyed and tested: -# 1. Remove old key from .sops.yaml -# 2. Delete the old key file from the repo: -rm src/user/config/keys/age/local # or whatever your test key was named -``` - -### 5. Test decryption with Yubikey - -```bash -# Should prompt for Yubikey touch/PIN -sops -d secrets/system/wifi.yaml - -# Test a full rebuild -sudo nixos-rebuild switch --flake .#desktop -``` - -If decryption works, your migration is complete. 
diff --git a/system/machines/server/modules/backup/default.nix b/system/machines/server/modules/backup/default.nix
index 511b332..cf02ea0 100644
--- a/system/machines/server/modules/backup/default.nix
+++ b/system/machines/server/modules/backup/default.nix
@@ -15,15 +15,15 @@ let
 set -euo pipefail
 TIMESTAMP=$(date +%Y%m%d-%H%M%S)
- BACKUP_NAME="backup-$TIMESTAMP.tar.age"
+ BACKUP_NAME="backup-$TIMESTAMP.tar.gz.age"
 TEMP_DIR=$(mktemp -d)
 trap "rm -rf $TEMP_DIR" EXIT
 echo "Starting backup: $BACKUP_NAME"
 echo "Paths: ${concatStringsSep " " cfg.paths}"
- export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"
- ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - ${concatStringsSep " " tarPaths} | \
+ export PATH="${pkgs.gzip}/bin:${pkgs.age-plugin-yubikey}/bin:$PATH"
+ ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-czf - ${concatStringsSep " " tarPaths} | \
 ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME"
 ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}"
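Review bot: The new `-czf` tar line resolves gzip through PATH while every other tool in this script (tar, age, rclone) is pinned by store path; pinning the compressor too, `${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - -I ${pkgs.gzip}/bin/gzip ${concatStringsSep " " tarPaths} | \`, keeps the script self-contained and lets the `${pkgs.gzip}/bin` PATH entry go, leaving only the age plugin directory, which genuinely needs PATH lookup. The artifact suffix also changes from `.tar.age` to `.tar.gz.age`, so any retention, listing or restore step that matches on the old name (none is visible in this hunk) would silently skip the new files; worth a grep for the old suffix before merging. Note that `mktemp -d` still stages the complete archive under TMPDIR before the rclone copy, so if that is a tmpfs on this host the compression change does not remove the need to hold one whole backup locally. The script and the `recipientArgs`, `tarPaths` and `excludeArgs` bindings it uses begin and end outside the hunk.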