My nix flake based system configuration.
This configuration makes use of sops with age asymmetric encryption to handle its secrets. The secrets.yaml file at the root directory of this repository contains the age encrypted secrets.
To encrypt the secrets, any one of the age public keys specified in the .sops.yaml file at the root directory of this repository is used.
To decrypt the secrets, any one of the age private keys present at /var/lib/sops-nix/keys.txt on a host, or at /home/<user_name>/.config/sops/age/keys.txt in the home directory of the user <user_name>, is used; the public keys of both are specified in the .sops.yaml file at the root directory of this repository.
The age key pair for the user <user_name> is generated with the x25519 algorithm and is host independent.
The age key pairs for the hosts are derived from the ed25519 SSH keys already present in the /etc/ssh directory of those hosts, by computing their x25519 equivalents.
To generate an age key pair, run the command below:

    age-keygen -o ~/.config/sops/keys.txt

To get the age public key, run the command below:

    age-keygen -y ~/.config/sops/keys.txt

To derive the age public key from the host SSH public key, run the command below:

    cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age

To create the hashed user password, run the command below:

    mkpasswd -s

Whenever a new age public key is added to the keys field in the .sops.yaml file at the root directory of this repository, run the command below so that the data key in secrets.yaml is re-encrypted to the new recipient set:

    sops updatekeys ./secrets.yaml
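As an added example (not this repository's own module), the sops-nix NixOS settings that correspond to the layout described above: the host decrypts with the age identity derived from its ed25519 SSH host key plus the key file named above, and the hash produced by mkpasswd is stored as a secret and wired into the user account. The user name and secret name are placeholders.

```nix
# Added example, not this repository's own module. "user_name" and the
# secret name are placeholders; adjust them to the real user and key.
{ config, ... }:
{
  # All secrets live in the age-encrypted secrets.yaml at the repository root.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.defaultSopsFormat = "yaml";

  # Host decryption identity: sops-nix derives the age (x25519) identity from
  # the host's ed25519 SSH key, the same key ssh-to-age is run against above.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Additional age identity file on the host, as used in this configuration.
  sops.age.keyFile = "/var/lib/sops-nix/keys.txt";

  # The output of `mkpasswd -s` is stored under this key in secrets.yaml
  # (placeholder name). neededForUsers decrypts it early enough for user
  # creation; the file then lives under /run/secrets-for-users.
  sops.secrets."user_name_hashed_password" = {
    neededForUsers = true;
  };

  users.users."user_name" = {
    isNormalUser = true;
    # Only the hash ever reaches the Nix store-free runtime path; the plaintext
    # password is never written to the repository or the store.
    hashedPasswordFile = config.sops.secrets."user_name_hashed_password".path;
  };

  # With mutable users disabled, the declared hash is the only source of truth
  # for this account's password.
  users.mutableUsers = false;
}
```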