Skip to content

Commit

Permalink
feat: reduce store path changes in local storage mode
Browse files Browse the repository at this point in the history
  • Loading branch information
oddlama committed Mar 15, 2024
1 parent ac73aac commit 5a4a617
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 8 deletions.
13 changes: 8 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -139,8 +139,9 @@ to use rekeying is to specify `rekeyFile` instead of `file` on your secrets. The
#masterIdentities = [ "/home/myuser/master-key.age" ]; # Password protected external master key
storageMode = "local";
# Choose a directory to store the rekeyed secrets for this host.
# This cannot be shared with other hosts.
localStorageDir = ./secrets/rekeyed/${config.networking.hostName};
# This cannot be shared with other hosts. Please refer to this path
# from your flake's root directory and not by a direct path literal like ./secrets
localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
};
}
```
Expand Down Expand Up @@ -542,13 +543,15 @@ approach and has less edge-cases.
## `age.rekey.localStorageDir`
| Type | `str` |
| Type | `path` |
|-----|-----|
| Default | `"secrets/rekeyed"` |
| Example | `./. /* <- flake root */ + "/secrets/rekeyed/myhost" /* separate folder for each host */` |
Only used when `storageMode = "local"`.
The local storage directory for rekeyed secrets, relative to the root directory of your flake.
The local storage directory for rekeyed secrets. MUST be a path inside of your repository,
and it MUST be constructed by concatenating to the root directory of your flake. Follow
the example.
## `age.rekey.derivation`
Expand Down
11 changes: 8 additions & 3 deletions modules/agenix-rekey.nix
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,11 @@ nixpkgs: {
then "Did you run `agenix generate` to generate it and have you added it to git?"
else "Have you added it to git?";

rekeyedPath = config.age.rekey.localStorageDir + "/${identHash}-${secret.name}.age";
# Use builtins.path to make sure that we have a standalone copy of the subdirectory in the store.
# This is important to ensure that the path only changes if there are acutal changes to this
# directory. If we were still using userFlake.outPath + "/secrets/[...]" or something similar,
# then the path would change on each subsequent build because the flake path changes.
rekeyedPath = builtins.path {path = config.age.rekey.localStorageDir;} + "/${identHash}-${secret.name}.age";
in
assert assertMsg (secret.rekeyFile != null -> builtins.pathExists secret.rekeyFile) ''
host ${config.networking.hostName}: age.secrets.${secret.name}.rekeyFile (${toString secret.rekeyFile}) doesn't exist. ${generateHint}
Expand Down Expand Up @@ -355,8 +359,9 @@ in {
# Choose "local" (new behavior) or "derivation" (old behavior).
age.rekey.storageMode = "local";
# Choose a directory to store the rekeyed secrets for this host.
# This cannot be shared with other hosts.
age.rekey.localStorageDir = ./secrets/rekeyed/${config.networking.hostName};
# This cannot be shared with other hosts. Please refer to this path
# from your flake's root directory and not by a direct path literal like ./secrets
age.rekey.localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
The new local storage mode is more pure and simpler. It allows building your system without access to the
(yubi)key, for example in a CI environment. Depending on your threat-model it might be considered less secure,
Expand Down

0 comments on commit 5a4a617

Please sign in to comment.