From 19f05aec9f37bc53ccf373cb48ab14ff33a2387b Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sat, 30 Nov 2024 10:47:40 +0100 Subject: [PATCH] age with yubikey --- authorizedKeys.nix | 1 + common/tooling/git.nix | 82 +++++++++--------- common/tooling/security.nix | 24 +++++- flake.lock | 98 +++++++++++++++++++++- flake.nix | 2 +- secrets/nextcloud_pass.age | 33 +++++--- secrets/secrets.nix | 2 + secrets/yubikey-identity.txt | 7 ++ specific/grimm-nixos-ssd/configuration.nix | 2 +- sway/default.nix | 2 +- 10 files changed, 196 insertions(+), 57 deletions(-) create mode 100644 secrets/yubikey-identity.txt diff --git a/authorizedKeys.nix b/authorizedKeys.nix index 55144a6..764d7ec 100644 --- a/authorizedKeys.nix +++ b/authorizedKeys.nix @@ -4,4 +4,5 @@ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClLZhya2A7SoRSX2DNNM6OWgnGhtOFUor/WdyY59L0l6u5tEo9VyX5bCR84eo+uN4jyahSiGD1WC3RGIoNtHuSkKPxr0rqQhlbuyxraHGj7hOLhcGWRd2eIdsntbma7uPsn4zC0skKjpVNR7PU4LfSxti0gBhgq6uQhMtlfywwJshmwt55q7oT/zC449Uz2vyviy7sQ53R9YoOWEjB/+vU8jHxGlqLatXhOGKlBtrQxKm8PZ6jBYxAC6sGA4APIHWC3KC0S0X7wlmi42Dx9bbBm0rUjy095vRZ22fkE8x9OSTKDY/vFTLw5vwVMa8dACfA1Kc0+EpgOK77lZddeTvD grimmauld.de" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos" + (builtins.readFile ./ssh/id_ed25519_sk.pub ) ] diff --git a/common/tooling/git.nix b/common/tooling/git.nix index 28b3e8b..f14b0d8 100644 --- a/common/tooling/git.nix +++ b/common/tooling/git.nix 
@@ -29,49 +29,51 @@ in programs.git = { enable = true; lfs.enable = true; - config = let - key_file = ../../ssh/id_ed25519_sk.pub; - allowed_signers_file = pkgs.writeText "allowed_signers" ''${tooling.git_email} namespaces="git" ${readFile key_file}''; - in { + config = + let + key_file = ../../ssh/id_ed25519_sk.pub; + allowed_signers_file = pkgs.writeText "allowed_signers" ''${tooling.git_email} namespaces="git" ${readFile key_file}''; + in + { - init.defaultBranch = "main"; - credential.username = tooling.git_user; - gpg.format = "ssh"; - user.signingkey = toString key_file; - gpg.ssh.allowedSignersFile = toString allowed_signers_file; - user.name = tooling.git_user; - user.email = tooling.git_email; - push.autoSetupRemote = true; - core.autocrlf = "input"; - commit.gpgsign = true; - safe.directory = "/etc/nixos"; - core.excludesfile = ( - pkgs.writeText ".gitignore" '' - .idea - .obsidian - *~ - result - '' - ); - pull.rebase = false; - include.path = "${pkgs.delta.src}/themes.gitconfig"; + init.defaultBranch = "main"; + credential.username = tooling.git_user; + gpg.format = "ssh"; + user.signingkey = toString key_file; + gpg.ssh.allowedSignersFile = toString allowed_signers_file; + user.name = tooling.git_user; + user.email = tooling.git_email; + push.autoSetupRemote = true; + core.autocrlf = "input"; + commit.gpgsign = true; + safe.directory = "/etc/nixos"; + core.excludesfile = ( + pkgs.writeText ".gitignore" '' + .idea + .obsidian + *~ + result + '' + ); + pull.rebase = false; + include.path = "${pkgs.delta.src}/themes.gitconfig"; - core.pager = "delta"; - interactive.diffFilter = "delta --color-only"; - delta = { - navigate = true; - features = "mantis-shrimp"; + core.pager = "delta"; + interactive.diffFilter = "delta --color-only"; + delta = { + navigate = true; + features = "mantis-shrimp"; + }; + + merge.conflictstyle = "diff3"; + diff.colorMoved = "default"; + + alias = { + pfusch = "push --force-with-lease --force-if-includes"; + fuck = "reset HEAD~1"; 
+ fixup = "commit --fixup"; + }; }; - - merge.conflictstyle = "diff3"; - diff.colorMoved = "default"; - - alias = { - pfusch = "push --force-with-lease --force-if-includes"; - fuck = "reset HEAD~1"; - fixup = "commit --fixup"; - }; - }; }; }; diff --git a/common/tooling/security.nix b/common/tooling/security.nix index 70f36ec..596c533 100644 --- a/common/tooling/security.nix +++ b/common/tooling/security.nix @@ -2,6 +2,8 @@ pkgs, config, lib, + inputs, + system, ... }: let @@ -15,6 +17,8 @@ let attrNames mkEnableOption ; + + age_plugins = with pkgs; [ age-plugin-yubikey ]; in { config = mkIf enable { @@ -40,18 +44,36 @@ in } ]; + services.pcscd.enable = true; + age.ageBin = + let + rage_wrapped = pkgs.symlinkJoin { + name = "rage"; + paths = [ pkgs.rage ]; + buildInputs = [ pkgs.makeWrapper ]; + postBuild = '' + wrapProgram $out/bin/rage \ + --prefix PATH : ${lib.makeBinPath age_plugins} + ''; + }; + in + lib.getExe' rage_wrapped "rage"; + + programs.yubikey-touch-detector.enable = graphical; + environment.systemPackages = (with pkgs; [ mkpasswd gnupg libsecret vulnix - # agenix + (inputs.agenix.packages."${system}".default.override { plugins = age_plugins; }) yubikey-manager yubico-pam yubikey-personalization ]) + ++ age_plugins ++ (optionals (tooling.enable && tooling.pass) [ pkgs.pass (pkgs.writeShellScriptBin "passw" "pass $@") diff --git a/flake.lock b/flake.lock index 76630eb..15836fd 100644 --- a/flake.lock +++ b/flake.lock 
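Review bot: The rage wrapper and `services.pcscd.enable = true` are left uncommented, and the reason they exist matters for the next maintainer: agenix invokes `age.ageBin` from its activation script with a minimal PATH (as far as I recall, `environment.systemPackages` is not on it), so only the `--prefix PATH` in the wrapper makes `age-plugin-yubikey` discoverable, and the plugin in turn needs a running pcscd to talk to the token. Add above `age.ageBin` something like `# agenix decrypts from an activation script with a minimal PATH; wrap rage so age-plugin-yubikey is found without relying on systemPackages` and above `services.pcscd.enable` the one-liner `# age-plugin-yubikey speaks PC/SC; decryption fails if pcscd is not reachable`. `programs.yubikey-touch-detector` only does anything if the slot's touch policy requires a touch, which the identity committed in this patch does not, so either document that it is forward-looking or drop it. Since the flake input was switched to ragenix, whether its module still uses the activation-script model should be confirmed before relying on the above.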
@@ -45,10 +45,35 @@ } }, "agenix": { + "inputs": { + "agenix": "agenix_2", + "crane": "crane", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay_2" + }, + "locked": { + "lastModified": 1726755133, + "narHash": "sha256-03XIEjHeZEjHXctsXYUB+ZLQmM0WuhR6qWQjwekFk/M=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "687ee92114bce9c4724376cf6b21235abe880bfa", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, + "agenix_2": { "inputs": { "darwin": "darwin", "home-manager": "home-manager", "nixpkgs": [ + "agenix", "nixpkgs" ], "systems": "systems" @@ -107,9 +132,25 @@ "type": "github" } }, + "crane": { + "locked": { + "lastModified": 1732906089, + "narHash": "sha256-NvYSSiKsC0rqn9yY0a9zglLXrFp92EwKhTFZC38voCQ=", + "owner": "ipetkov", + "repo": "crane", + "rev": "9ed3180f45c2d1499e5af98c4ab7ffee8e886f5f", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ + "agenix", "agenix", "nixpkgs" ] @@ -191,6 +232,24 @@ "url": "https://flakehub.com/f/DeterminateSystems/flake-schemas/%3D0.1.5.tar.gz" } }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -216,6 +275,7 @@ "home-manager": { "inputs": { "nixpkgs": [ + "agenix", "agenix", "nixpkgs" ] @@ -283,7 +343,7 @@ "nixpkgs-update", "nixpkgs" ], - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1710694589, 
@@ -542,6 +602,27 @@ "type": "github" } }, + "rust-overlay_2": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732933841, + "narHash": "sha256-dge02pUSe2QeC/B3PriA0R8eAX+EU3aDoXj9FcS3XDw=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "c65e91d4a33abc3bc4a892d3c5b5b378bad64ea1", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -572,6 +653,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index e5625c2..568c31e 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; agenix = { - url = "github:ryantm/agenix"; + url = "github:yaxitech/ragenix"; inputs.nixpkgs.follows = "nixpkgs"; }; nixos-mailserver = { diff --git a/secrets/nextcloud_pass.age b/secrets/nextcloud_pass.age index a72ab77..191a7cd 100644 --- a/secrets/nextcloud_pass.age +++ b/secrets/nextcloud_pass.age 
@@ -1,12 +1,21 @@ -age-encryption.org/v1 --> ssh-rsa skhaxw -jJVp7UZ5GPCU9072EIGSp1cTrD4blUhuVox94VsdBJDcuhAfiBtyxq80795wl3t5 -z/IjGIJZfnwTD0xsVDN3MgwKvS3RvhLSBKzTmThcMjBpdf04w5Qs3bT1t3oVdl/W -w2MuJBLeWJnZnEN2vpBvGLpKYmvdVlcM4eMgeBDN0bHQUKgIefE5YwHMkn8EiNOo -eYkl7XUUlDGRjGFi34LKiuUWRw2gXv732YsX3awQkC4EXSbshkudRDXG/mFBx7vO -neOaBJR+tsyGV7XQA6p1jcXBQpEi7ctg3aN6wRUnZCyt+JsHhJi3O12Yku8JxB+F -ac9BSp0ivq/1izXM4dV6+A --> ssh-ed25519 RbssYw 6IaH4azVjA+/8AzOE4syrepqZHm0FAeOxK4rkhKXHE8 -uN2saodZfJvZMyZLWLaibqnmQTTplTNIXOg4BwxZvN8 ---- IxnIgYAbNLV9/lBsaS7fdTQyDfk/6gJDMW+qVRpbwVw -k["c: @-Y=l,ZVG%i9 \ No newline at end of file +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2Egc2toYXh3CkZvNHRCU3Mz +d2dHZTRGYnQ5aWdxSDNxdVpYcnQ5a3VOcmZ2RHVHQ01BUmZ3dHJlVWxpZ0tIYm4z +MW9ZR2hnc0kKYVVScElPcE1xRGdadTF0OHhMS0l2OFpEM0V5dEhiUHc2ZHV3ajBG +OWJLWmtrTVFJSWxSOUtWYk9tMm1Cb3hmYgpXeVMxWUx3NTQ5M2NFZzdXdVBRZktL +Z0paZmVpbEJDeW5SQzJHRi96RFZuSEFGR3cvUHR3Tml1cEVSdVhCL0Q4CjFXaUxK +YjVVMnFtdzgvU0Y0OEdOOVoraW9Vb3g0aWU5SHBMbzkvRmR1Vk5vNTJhRFo2a1RP +SEM3WkNvK09lZ0wKOHp6VisvT3BoejFkNVFNUFRtbHZaQnRpQitOVi9sam1nSUlw +WVVrMy9aekNIMTdJdzNHY0piK0xvRWxEUW9XWgpnV3IvWFJWWm9yNGpOR0tzSzN4 +Y3Z3Ci0+IHNzaC1lZDI1NTE5IFJic3NZdyBYcHExZUkyV2tjbnJiUkdOZFZ0eGtj +RzJ4WWFFY3d3OU5jZGpvdzE1UUVzCktZdG9BeUJ3V1dyZ2ptSXBxTk5LNkYxOGRk +SEd4SXlwNzcySWI5WUY5bm8KLT4gcGl2LXAyNTYgNStEZmRnIEE5NmJJMGd4THVF +akhHV2J2Ykh3RnlqUWhScVhQWWNEa2NURHVibEFJYWRuCmZUR0VBbFU2MVY3MXE4 +QWNzblF2WEVpWlB4c0JoaXlRRkpWWVNBcDlvWmcKLT4gJFZzJy8tZ3JlYXNlIEBJ +IHZbaiVlcCdzIC8uWSNxJyAyR0ZCSkw3CmdZa1d6RE1aMnRWczVvaXEvZmVlZng3 +WVJ5eGxjZVBqbU5hYTE3dFE2aTNpZ2hJS0Zydzl6V0JsVGhVajNGeWMKSmlSemNi +eFRNWkpCT2l1bjhKeEhyajBOSExteHdpTTZFYVFiRlE4aEh3TWQxaUZLbCtpeXZL +RG4KLS0tIHArS3RoaHp5OXUyK2pkS1g4ak1meXp4THJMTVljZGU2OE9aeXY3M0VE +L1UK89ztHzsKK4tXOn8S9yjuqFYiNSCY3D5LqwXohNiWOV1Bdwh/xCzbXgl3nMol +rBCL +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/secrets.nix b/secrets/secrets.nix index b97d1fb..484edc1 100644 --- a/secrets/secrets.nix 
+++ b/secrets/secrets.nix @@ -1,6 +1,7 @@ let laptop_pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCy7X5ByG4/9y2XkQSnXcpMGnV5WPGUd+B6FaYCDNmPQ7xIZEteS+kCpu9oiMP6C/H/FT+i9DZvCflkzgdFAyujYLKRYaZbZ3K6F60qN0rkJ0z/ZO5c6rqwIwR6BEoB7dq5inkyH9fZ8/SI+PXxELmeWF9ehT7kkQC+o9Ujpcjd7ZuZllbAz4UQZFRbbpwdVJCEDenu9/63yuYbvMupgGk0edaTiFT0Q9MSzs/3pNP8xlAxmmZ3HzSjeF7gUzBF7CaIroTeguiUjSVybUEx48P8fy878t7dUZf4anEno9MS0B3aqfZvCKuuPdAUdeBfCbFHRqN7GuCylFIXGPe95Mxl grimmauld@grimmauld-nixos"; laptop_pub_ed = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhM1Fk5ix4OZAdlfCxL891KxeEKpyIFrP5yYkC9mg7E grimmauld@grimmauld-nixos"; + yubi = "age1yubikey1qghu93392cf93jzpyqmwhf005xxkrzf0rv20gyx652lyhkxjznyfw7w8j0s"; # obtained with `ssh-keyscan [ip]` contabo_nix_pub = "ssh-rsa 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"; @@ -8,6 +9,7 @@ in { "nextcloud_pass.age".publicKeys = [ laptop_pub + yubi laptop_pub_ed ]; diff --git a/secrets/yubikey-identity.txt b/secrets/yubikey-identity.txt new file mode 100644 index 0000000..5887496 --- /dev/null +++ b/secrets/yubikey-identity.txt @@ -0,0 +1,7 @@ +# Serial: 26681512, Slot: 1 +# Name: age identity e7e0df76 +# Created: Sat, 30 Nov 2024 09:42:11 +0000 +# PIN policy: Never (A PIN is NOT required to decrypt) +# Touch policy: Never (A physical touch is NOT required to decrypt) +# Recipient: age1yubikey1qghu93392cf93jzpyqmwhf005xxkrzf0rv20gyx652lyhkxjznyfw7w8j0s +AGE-PLUGIN-YUBIKEY-14QSFWQVZULSD7ASD5UX5U diff --git a/specific/grimm-nixos-ssd/configuration.nix b/specific/grimm-nixos-ssd/configuration.nix index 642a916..71af831 100644 --- a/specific/grimm-nixos-ssd/configuration.nix +++ b/specific/grimm-nixos-ssd/configuration.nix @@ -12,7 +12,7 @@ ./../../sway ]; - age.identityPaths = [ "/root/.ssh/id_ed25519" ]; + age.identityPaths = [ ../../secrets/yubikey-identity.txt ]; services.zfs.trim.enable = true; boot.supportedFilesystems.zfs = true; diff --git a/sway/default.nix b/sway/default.nix index 5c9608a..cc6c0d3 100644 --- a/sway/default.nix 
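Review bot: The committed identity was generated with `PIN policy: Never` and `Touch policy: Never`, so possession of the YubiKey alone decrypts everything encrypted to `age1yubikey1qghu…`: no PIN, no touch, and because the identity stub and the recipient are both in the repository, the token is the single factor. If the hardware key is meant to add protection over the software SSH identity it replaces, regenerate the slot with `age-plugin-yubikey --generate --pin-policy once --touch-policy always` (or `--touch-policy cached`) and re-encrypt the secrets. The trade-off is that unattended decryption during `nixos-rebuild` or boot then blocks on PIN or touch, so the policy has to match how `age.identityPaths` is used on this host. The serial number and creation date in the header identify the physical token; that is not secret, but worth knowing before the repository is published.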
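Review bot: `age.identityPaths` now lists only the YubiKey stub, so this host can no longer decrypt its secrets without the token plugged in, and decryption happens in the agenix activation script — at boot that script runs before systemd, so `pcscd` (enabled elsewhere in this patch) is not up yet and `age-plugin-yubikey` cannot reach the token; unless ragenix has moved decryption out of the activation script, expect `nextcloud_pass` to fail on every boot and succeed only on an interactive `nixos-rebuild switch`. Keeping the software identity as a fallback avoids that: `age.identityPaths = [ ../../secrets/yubikey-identity.txt "/root/.ssh/id_ed25519" ];` — agenix should try each identity in turn, and `laptop_pub_ed` is still a recipient in secrets.nix, assuming it is that key's public half. Using a path literal here also copies the stub into the world-readable Nix store; that is fine because the stub carries no key material, but a comment would stop the next reader from treating it as a leak: `# identity stub only (public handle to the PIV slot); the private key never leaves the YubiKey`.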
+++ b/sway/default.nix @@ -182,7 +182,7 @@ aw-bundle = ( pkgs.writeShellScriptBin "aw-bundle" '' export RUST_BACKTRACE=full - export PATH=$PATH:${lib.makeBinPath (aw-modules ++ [pkgs.coreutils-full])} + export PATH=$PATH:${lib.makeBinPath (aw-modules ++ [ pkgs.coreutils-full ])} ${getExe' pkgs.coreutils-full "sleep"} 5 ${getExe pkgs.aw-qt} --autostart-modules ${aw-modules-list} ''