bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-03-23 16:29:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: bryan:8f97be72f0a4eb4abf309779247f6c40025a2476
Branches Tags
bryan:master
..
compare: bryan:5bf9314b9f6bfd6fae36726c83b21b45aefc2483
Branches Tags
bryan:master

No commits in common. "8f97be72f0a4eb4abf309779247f6c40025a2476" and "5bf9314b9f6bfd6fae36726c83b21b45aefc2483" have entirely different histories.
8f97be72f0 ... 5bf9314b9f

3 changed files with 75 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

7
flake.nix
View file

@ -70,18 +70,11 @@
name = "devShell"; name = "devShell";
packages = [ packages = [
just just
rclone
age age
sops sops
ssh-to-age
git git
git-crypt git-crypt
gnupg gnupg
yubikey-manager
age-plugin-yubikey
]; ];
}; };
}; };

72
secrets/README.md
View file

@ -66,3 +66,75 @@ sops -d secrets/system/wifi.yaml
# Update .sops.yaml with new keys, then: # Update .sops.yaml with new keys, then:
sops updatekeys secrets/system/wifi.yaml sops updatekeys secrets/system/wifi.yaml
``` ```
## Migrating to Yubikey
### 1. Generate a new age identity on Yubikey
```bash
# Insert Yubikey and run interactive setup
age-plugin-yubikey
# Follow prompts:
# - Select slot (default: 1)
# - Set PIN policy (default: once per session)
# - Set touch policy (recommended: always)
#
# This generates a NEW key on the Yubikey - you will not know the private key.
# Save the identity to the keys directory:
age-plugin-yubikey --identity > src/user/config/keys/age/yubikey
```
The identity file only contains a *reference* to the Yubikey, not the private key.
It will be deployed to `~/.config/sops/age/keys.txt` on rebuild.
### 2. Update .sops.yaml with Yubikey public key
```bash
# Get the public key (age1yubikey1...)
age-plugin-yubikey --list
# Edit .sops.yaml and replace/add the key:
vim .sops.yaml
```
```yaml
keys:
- &yubikey age1yubikey1q... # your Yubikey public key
creation_rules:
- path_regex: secrets/.*\.yaml$
key_groups:
- age:
- *yubikey
```
### 3. Re-key all secrets against the new key
```bash
# This decrypts with your OLD key and re-encrypts with the NEW key
find secrets -name "*.yaml" -exec sops updatekeys {} \;
```
You'll need your old key available during this step.
### 4. Remove the old age key (optional)
```bash
# Once all secrets are re-keyed and tested:
# 1. Remove old key from .sops.yaml
# 2. Delete the old key file from the repo:
rm src/user/config/keys/age/local # or whatever your test key was named
```
### 5. Test decryption with Yubikey
```bash
# Should prompt for Yubikey touch/PIN
sops -d secrets/system/wifi.yaml
# Test a full rebuild
sudo nixos-rebuild switch --flake .#desktop
```
If decryption works, your migration is complete.

6
system/machines/server/modules/backup/default.nix
View file

@ -15,15 +15,15 @@ let
set -euo pipefail set -euo pipefail
TIMESTAMP=$(date +%Y%m%d-%H%M%S) TIMESTAMP=$(date +%Y%m%d-%H%M%S)
BACKUP_NAME="backup-$TIMESTAMP.tar.gz.age" BACKUP_NAME="backup-$TIMESTAMP.tar.age"
TEMP_DIR=$(mktemp -d) TEMP_DIR=$(mktemp -d)
trap "rm -rf $TEMP_DIR" EXIT trap "rm -rf $TEMP_DIR" EXIT
echo "Starting backup: $BACKUP_NAME" echo "Starting backup: $BACKUP_NAME"
echo "Paths: ${concatStringsSep " " cfg.paths}" echo "Paths: ${concatStringsSep " " cfg.paths}"
export PATH="${pkgs.gzip}/bin:${pkgs.age-plugin-yubikey}/bin:$PATH" export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"
${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-czf - ${concatStringsSep " " tarPaths} | \ ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - ${concatStringsSep " " tarPaths} | \
${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME" ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME"
${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}" ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}"