feat: add age plugin and fido2 hmac support #680
Conversation
|
Nice. Should we also point to your sops changes? |
| description = '' | ||
| List of plugins to use for sops decryption. | ||
| ''; | ||
| }; |
There was a problem hiding this comment.
Doesn't that also require age plugin support in sops?
There was a problem hiding this comment.
I don't follow.
We should probably add the fido2-hmac plugin as a default in this option though.
There was a problem hiding this comment.
Do we not need sops-nix to recognise these age plugin style age keys to not fail to run, even if they are not used?
This points to my patched version of |
|
To be quite honest I just looked at your PR and adapted it to use my sops. Maybe there's some extra steps missing here. |
|
Line 8 in 53c853f |
|
I'll have a proper look rather than just copy pasta. |
|
@brianmcgee what is the current status? |
|
@OliverGeneser hoping to finish this during the holidays. |
|
Replying to this quote from the previous PR
That sounds to me like it's one or the other? Or at least a plugin needs to be explicitly supported? Is it possible to support both? For those of us already using the yubikey plugin (there are many I think because that plugin predates the FIDO2 one) that would be really great! Edit: and thanks @Mic92 and @brianmcgee for all your efforts getting this feature supported in sops, I saw it hasn't been straightforward and also required changes to age. ❤️ |
brianmcgee
force-pushed
the
feat/age-plugins
branch
from
faef2bd to
93bdb70
Compare
brianmcgee
force-pushed
the
feat/age-plugins
branch
from
93bdb70 to
268afb1
Compare
| go 1.18 | ||
| go 1.22 | ||
|
|
||
| toolchain go1.23.3 |
There was a problem hiding this comment.
Please drop that otherwise go while whine about toolchaik incompatibles and create useless friction.
| mkdir -p $out/bin | ||
| makeWrapper ${age}/bin/age $out/bin/age \ | ||
| --prefix PATH : ${lib.makeBinPath [ age-plugin-fido2-hmac ]} | ||
| '' No newline at end of file |
There was a problem hiding this comment.
We want a final newline here
| mkdir -p $out/bin | ||
| makeWrapper ${sops}/bin/sops $out/bin/sops \ | ||
| --prefix PATH : ${lib.makeBinPath [ age-plugin-fido2-hmac ]} | ||
| '' No newline at end of file |
There was a problem hiding this comment.
Same here and the next file
| version = "age-sops"; | ||
|
|
||
| src = fetchFromGitHub { | ||
| owner = "age-sops"; |
There was a problem hiding this comment.
That should be just two spaces
|
I'm encountering: should probably be just: I'm working around it by: |
|
I played around with this a bit over the Xmas holidays and paired with @Mic92 for a while too. Creating secrets is easy enough with https://github.com/age-sops/sops. I can't find a good story for installing secrets though, both at a system level and a user level, with graphical sessions to add some extra spice to the mix. The arbitrary nature of the terminal based UI's that plugins can bring into the mix complicates things even further. Some form of unlock on system start / user login is needed. But I've reached the limits of my knowledge on this one. Happy for others to chime in. |
Looks like the TPM plugin actually supports environment variables: https://github.com/Foxboron/age-plugin-tpm?tab=readme-ov-file#with-pin Maybe the better option for machines rather than yubikeys. |
So one approach could be in your NixOS config to set a user secret which contains the PIN, and then the home-manager sops module can go from there with the TPM? I guess on a per user basis you would want to generate a separate identity with the TPM on a machine. |
|
Going to add some helpers for wrapping sops with age plugins into nixpkgs directly. |
|
@brianmcgee Could you share the nixpkgs PR here when you submit it (so I can follow it)? |
|
@Ramblurr PR is here NixOS/nixpkgs#395189 |
|
@brianmcgee hey now that the Nixpkg PR is merged, what else is required to get sops-nix to read the keys? I still haven't been able to make sops-nix to acknowledge anything other than the ssh age keys for secrets like user passwords. |
I'm successfully running it in my nixos configs at https://github.com/nazarewk-iac/nix-configs/tree/789882037c8c360bb18b84881c7854069e3459cc/modules/nixos/security/secrets , most of the tweaks should be under |
|
@nazarewk Hey I pulled over the changes you made to the systemd service for sops but it still doesn't work sadly. Are you using the PR's sops-nix fork or the main sops-nix branch? {
config,
lib,
pkgs,
inputs,
...
}: let
isEd25519 = k: k.type == "ed25519";
getKeyPath = k: k.path;
keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
in {
imports = lib.singleton inputs.sops-nix.nixosModules.sops;
sops = {
defaultSopsFile = ../secrets.yaml;
validateSopsFiles = false;
gnupg.sshKeyPaths = [];
age = {
# Automatically import host SSH keys as age keys
#sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sshKeyPaths = [];
# This will use an age key that is expected to already be in the filesystem
#keyFile = "/var/lib/sops-nix/key.txt"; # Use age-key present on filesystem
keyFile = "/home/novaviper/.config/sops/age/keys.txt"; # This is the yubikey public key file
# Generate a new key if the key specified above does not exist
generateKey = false;
};
};
# fix for https://github.com/Mic92/sops-nix/pull/680#issuecomment-2580744439
# see https://github.com/NixOS/nixpkgs/blob/b33acd9911f90eca3f2b11a0904a4205558aad5b/nixos/lib/systemd-lib.nix#L473-L473
systemd.services.sops-install-secrets-for-users.environment.PATH = let
path = config.systemd.services.sops-install-secrets-for-users.path;
in
lib.mkForce "${lib.makeBinPath path}:${lib.makeSearchPathOutput "bin" "sbin" path}";
systemd.services.sops-install-secrets-for-users.path = with pkgs; [coreutils age-plugin-yubikey];
systemd.services.sops-install-secrets-for-users.after = ["pcscd.socket"];
systemd.services.sops-install-secrets-for-users.requires = ["pcscd.socket"];
} |
Looks like I'm using branch of sops-nix and main from sops, see https://github.com/nazarewk-iac/nix-configs/blob/789882037c8c360bb18b84881c7854069e3459cc/flake.nix#L62 |
|
Adding that made it work! 🥳 But I'm running into another issue now with the devshell. I apply the sops-nix overlay to my devshell but I get this error when it loads: Perhaps @brianmcgee can give some insight to why this particular issue is occurring since it appears to stem from the PR's side Here's the accompanying commit I made to show what I have so far NovaViper/NixConfig@a2291a7 Edit: I also just noticed it doesn't work with sops on home-manager at all because the plugin support wasn't added onto the home-manager module 😭 |
|
I'm working on adding getting the age plugin support added into sops-nix, basing off the work started here. So far I can get sops on the system level (NixOS Module) and user level (home-manager) to decrypt the secrets upon rebuilding the system! I'm still testing the changes to see if it can activate when rebooting the system. Will create a draft PR in the meantime and link it 👍🏾 |
7 participants
No description provided.