From 0540fb710391ffbd96f2a23d1ba8bd8cf562d38f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 21 Sep 2023 15:21:19 +0200 Subject: [PATCH 1/3] document networking.deploymentAddress --- nixosModules/clanCore/networking.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nixosModules/clanCore/networking.nix b/nixosModules/clanCore/networking.nix index 813939d..d90d17d 100644 --- a/nixosModules/clanCore/networking.nix +++ b/nixosModules/clanCore/networking.nix @@ -7,6 +7,12 @@ By default, the node's attribute name will be used. If set to null, only local deployment will be supported. + + format: user@host:port&SSH_OPTION=SSH_VALUE + examples: + - machine.example.com + - user@machine2.example.com + - root@example.com:2222&IdentityFile=/path/to/private/key ''; type = lib.types.nullOr lib.types.str; default = "root@${config.networking.hostName}"; From f350bfd7fd1e1c322b5ce15f85a638a3f6ef070c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 21 Sep 2023 15:32:56 +0200 Subject: [PATCH 2/3] docs/secrets: document sops import --- docs/secrets-management.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/secrets-management.md b/docs/secrets-management.md index 2328f82..387e4ed 100644 --- a/docs/secrets-management.md +++ b/docs/secrets-management.md 
@@ -132,3 +132,25 @@ For convenience, Clan CLI allows group creation to simplify access management. H ```console $ clan secrets groups add-secret ``` + +# NixOS integration + +A NixOS machine will automatically import all secrets that were encrypted for the same. +At runtime it will + +# Importing existing sops-based keys / sops-nix + +`clan secrets` stores each secrets in a single file, whereas [sops](https://github.com/Mic92/sops-nix) +commonly allows to put all secrets in a yaml or json documents. + +If you already happend to use sops-nix, you can migrate by using the `clan secrets import-sops` command by importing these documents: + +```console +% clan secrets import-sops --prefix matchbox- --group admins --machine matchbox nixos/matchbox/secrets/secrets.yaml +``` + +This will create secrets for each secret found in `nixos/matchbox/secrets/secrets.yaml` in a ./sops folder of your repository. +Each member of the group `admins` will be able + +Since our clan secret module will auto-import secrets that are encrypted for a particular nixos machine, +you can now remove `sops.secrets. = { };` unless you need to specify more options for the secret like owner/group of the secret file. From 3b810b074cd6bcb8c3fdb2d1a30f8de6e574a8a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 22 Sep 2023 12:04:13 +0200 Subject: [PATCH 3/3] add nixos integration example --- docs/secrets-management.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/docs/secrets-management.md b/docs/secrets-management.md index 387e4ed..86a4adb 100644 --- a/docs/secrets-management.md +++ b/docs/secrets-management.md 
@@ -135,8 +135,25 @@ For convenience, Clan CLI allows group creation to simplify access management. H # NixOS integration -A NixOS machine will automatically import all secrets that were encrypted for the same. -At runtime it will +A NixOS machine will automatically import all secrets that are encrypted for the +current machine. At runtime it will use the host key to decrypt all secrets into +a in-memory, non-persistent filesystem using +[sops-nix](https://github.com/Mic92/sops-nix). In your nixos configuration you +can get a path to secrets like this `config.sops.secrets..path`. Example: + +```nix +{ config, ...}: { + sops.secrets.my-password.neededForUsers = true; + + users.users.mic92 = { + isNormalUser = true; + passwordFile = config.sops.secrets.my-password.path; + }; +} +``` + +See the [readme](https://github.com/Mic92/sops-nix) of sops-nix for more +examples. # Importing existing sops-based keys / sops-nix
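Review bot: The new `format:` line in the `deploymentAddress` description does not say which parts are optional or that several SSH options can be chained, although the examples imply both (`machine.example.com` has no user, port or option; `root@example.com:2222&IdentityFile=/path/to/private/key` has all three). Suggest writing it as `format: [user@]host[:port][&SSH_OPTION=SSH_VALUE...]` and stating that `&` separates further options, that they are passed through as `ssh -o` settings, and that a path given via `IdentityFile` is resolved on the machine running the deployment, not on the target.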
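Review bot: Two sentences in the `import-sops` section are cut off: "At runtime it will" and "Each member of the group `admins` will be able" both end mid-thought (the first is only completed in patch 3/3, so consider squashing). The same section should also say what the `--prefix matchbox-` flag does and whether the original `nixos/matchbox/secrets/secrets.yaml` is left in place after the import, since the text only describes what is created under `./sops`; leaving the old document around keeps the secrets encrypted for the previous recipient set. Minor wording: "stores each secrets" should be "stores each secret", "happend" should be "happened", and the link labelled "sops" points at the sops-nix repository rather than sops itself.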
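Review bot: The example sets `sops.secrets.my-password.neededForUsers = true;` and feeds the result to `passwordFile`, but the surrounding text only says secrets are decrypted "into a in-memory, non-persistent filesystem"; it should say that `neededForUsers` decrypts that secret earlier, before users are created, which is why it is required here, and that `passwordFile` expects a file holding a password hash rather than the plaintext password (otherwise a reader will store a cleartext password in the secret). The option path in the prose also appears to have lost its name placeholder: `config.sops.secrets..path` should show where the secret name goes, and "a in-memory" should read "an in-memory".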