teutat3s: init age-plugin-yubikey to encrypt secrets

It seems yubikey-agent still has to be SIGHUP'ed before using agenix:
like so:
killall -HUP yubikey-agent

Read more on how to set this up here:
https://github.com/ryantm/agenix/issues/115

Another related issue:
https://github.com/FiloSottile/yubikey-agent/issues/63
This commit is contained in:
teutat3s 2022-10-24 17:23:45 +02:00
parent c0f991010f
commit 60e15166c8
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
5 changed files with 28 additions and 4 deletions

View file

@ -0,0 +1,7 @@
# Serial: 10593996, Slot: 1
# Name: age-id-0
# Created: Mon, 24 Oct 2022 14:47:23 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Never (A physical touch is NOT required to decrypt)
# Recipient: age1yubikey1qdxpc9qenrkhqxnu2p6sgyfxhnxcvz99jcaq36uqcztuzsy92q596shqxkf
AGE-PLUGIN-YUBIKEY-1EJN2ZQYZC3K09NCU47TDH

View file

@ -0,0 +1 @@
AGE-PLUGIN-YUBIKEY-1EJN2ZQYZC3K09NCU47TDH

View file

@ -1,11 +1,17 @@
let
# set ssh public keys here for your system and user
dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
allKeys = [ dumpyourvms ryzensun teutat3s ];
machines = {
dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILDATEWAgDZFfYs1ZPh33Kg4sqQ9tWMVKyk8XqFu3Koe host@dumpyourvms";
ryzensun = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH/l7MfEmt510BMeNjuXNPmZ0brcQidvrrpcea+qJMjX root@ryzensun";
};
users = {
teutat3s = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
teutat3s-5-nfc = "age1yubikey1qdxpc9qenrkhqxnu2p6sgyfxhnxcvz99jcaq36uqcztuzsy92q596shqxkf";
};
allKeys = [ machines.dumpyourvms machines.ryzensun users.teutat3s users.teutat3s-5-nfc ];
in
{
"example-secret.age".publicKeys = allKeys;
"environment-secrets.age".publicKeys = allKeys;
"test-secret.age".publicKeys = [ users.teutat3s-5-nfc ];
}

8
secrets/test-secret.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> piv-p256 xGzyzw A1jSC1bjLB2+dZyfzSX82aPg42KV5eeW9miblCVG1rmj
lcgtyo1LahJuAusIGpvvBkdH+QV4h8+f72UTnc5D5qc
-> .Ro-grease
4lneNVnOyTnmDpW8R1o/ZrpFy75SnXUzGO80AMaJ8RpqZoM84iSYAHHVFjcr2Sim
h8Mzfa9IQ8CXfz33YQ
--- zrwVnHDvgA18vqO5OzvMVSA8Ygktnr2+Fu5tzvxpIXI
y”‡Ö¢Ç¬î?¦„ùÎó­M[ nô^K<>Ëž«p7£ÀÞ~M<>Ž­ž©Dl0>

View file

@ -35,6 +35,7 @@ in
home.packages = with pkgs; [
AusweisApp2
consul
drone-docker-runner
gpu-switch
ifmetric
ipmitool
@ -45,6 +46,7 @@ in
veracrypt
waypoint
yubikey-agent
age-plugin-yubikey
nix-autobahn.packages.${pkgs.system}.default
];